
Microsoft Exchange ProxyNotShell Vulnerabilities

Released: Sep 29, 2022


Severity: Critical

Vendor: Microsoft

Type: Vulnerability


Zero-Day on Exchange Server Autodiscover actively being exploited in the wild

Critical zero-day vulnerabilities that can allow an attacker to achieve Remote Code Execution (RCE) on Microsoft Exchange Servers. FortiGuard has added multiple protections throughout the Security Fabric to safeguard its customers from attacks exploiting these zero-day vulnerabilities.

Common Vulnerabilities and Exposures

CVE-2022-41040
CVE-2022-41082
CVE-2022-41080

Background

A security researcher from the Vietnamese cybersecurity firm GTSC spotted vulnerabilities in Microsoft Exchange Server while responding to an incident. The vulnerabilities were reported three weeks earlier through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

September 29, 2022: Security News picked up the blog from GTSC and announced the active exploitation of the Microsoft Exchange Server.

September 29, 2022: Multiple reports of exploitation in the wild leveraging the Microsoft Exchange Autodiscover 0-day vulnerabilities.

September 29, 2022: Microsoft Security Response Center added customer guidance on their blog: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure

  • Decoy VM

  • Vulnerability

  • IPS

  • Web App Security

  • Web & DNS Filter

  • Post-execution

  • Botnet C&C

DETECT
  • Threat Hunting

  • IOC

  • Outbreak Detection

  • Content Update

RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of Compromise

IOC Indicator List
IOC Threat Activity (last 30 days): Avg 0