CVE-2022-41040 - Microsoft Exchange Server Server-Side Request Forgery Vulnerability

Microsoft | Exchange Server

• Date Added:
• 2022-09-30

• Due Date:
• 2022-10-21

Vulnerability Name

Microsoft Exchange Server Server-Side Request Forgery Vulnerability

Description

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Known To Be Used in Ransomware Campaigns?

Known

Action

Apply updates per vendor instructions.

Additional Notes

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; https://nvd.nist.gov/vuln/detail/CVE-2022-41040

Latest Security News

Attackers Target Education Sector, Hijack Microsoft Accounts

Swap EOL Zyxel routers, upgrade Netgear ones!

Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack

Navigating the Future: Key IT Vulnerability Management Trends 

AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

Common Alerts

LowServer Leaks Version Information via "Server" HTTP Response Header Field

LowStrict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

InformationalUsername Hash Found

LowPermissions Policy Header Not Set

HighSession Fixation

MediumPotential IP Addresses Found in the Viewstate

InformationalStrict-Transport-Security Header on Plain HTTP Response

InformationalCross Site Scripting (Persistent) - Prime

LowX-Backend-Server Header Information Leak

MediumInsecure JSF ViewState

Top CVE List

CVE-2024-49138 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability

CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability

CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability

CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability

CVE-2015-6175 Microsoft Windows Kernel Privilege Escalation Vulnerability

CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability

CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability

Common CWEs

CWE-837 Improper Enforcement of a Single, Unique Action

HighCWE-642 External Control of Critical State Data

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-527 Exposure of Version-Control Repository to an Unauthorized Control Sphere

HighCWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-1099 Inconsistent Naming Conventions for Identifiers

CWE-130 Improper Handling of Length Parameter Inconsistency

CWE-1125 Excessive Attack Surface

MediumCWE-128 Wrap-around Error

CWE-914 Improper Control of Dynamically-Identified Variables