The blog about your IT security

ProxyNotShell On Premise Microsoft Exchange Zero-Day

Affected products

On-Premises Microsoft Exchange Server 2013/16/19

Criticality of the vulnerability(ies)

CVSS Score: 8.8 as well as 6.3


Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE)


The zero-day vulnerability was first reported by the Vietnamese cybersecurity group GTSC.  It seems like they are only present in on-premises versions, i.e. only in locally hosted solutions of Microsoft Exchange servers. Exchange Online users would therefore not have to take any measures.

According to Microsoft, this is a server-side request forgery vulnerability, as well as a remote code execution vulnerability. In order for attackers to exploit the RCE vulnerability (CVE-2022-41082), they must first successfully exploit the SSRF vulnerability (CVE-2022-41040), which in turn can only be exploited by authenticated users.

In the case of an SSRF vulnerability, attackers abuse the functionality of the server and can both access and manipulate the information that resides on the server.

An RCE vulnerability allows attackers to remotely execute code and scripts on the victim’s server, potentially manipulating any IT infrastructure.



Mitigation or measure for avoidance respectively possible recommendations for action


With the November patch, Microsoft also delivered a solution for the two vulnerabilities. Since 8.11.22, the official patch is now available for installation.

We recommend you to install this update as soon as possible!
The previous workaround is rendered obsolete by the Microsoft patch update.

References and links

[1] Security Advisory:
[2] Security Advisory:
[3] Security Advisory:
[4] Security Advisory:
[5] Security Advisory:
[6] Security Advisory:

Follow us on

Subscribe to our newsletter on the topic of cyber security

With our Cyberletter you are always up to date - about vulnerability reports, current IT threat scenarios and other relevant news from the field of cyber security and data security.

With the registration I accept the handling of my personal data (§13 GDPR) and agree to the privacy policy.