ProxyNotShell — the story of the claimed zero days in Microsoft Exchange
Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero day:
If a zero day in Exchange were real, history has shown things go south quickly, so let's dig into it.

You can see ZDI confirm they accepted the two bugs here as ZDI-CAN-18333 and ZDI-CAN-18802.
There are some questions I have from the GTSC write-up, e.g.:
That request string looks exactly like ProxyShell, the Exchange vulnerability chain from 2021.
Additionally, the mitigation they give is exactly the same as the one for the ProxyShell PowerShell RCE issue from 2021:
My tweet about that path at the time:
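Since the request shape is the same as ProxyShell's, the same hunt works for both. As an added example (not from the original post, and not GTSC's or Microsoft's code), here is a sweep over exported IIS W3C logs that uses the regex GTSC published for its URL Rewrite request-blocking rule as the hunt pattern. The log lines, hostnames and addresses are constructed for illustration. The match runs on the URL-decoded URI, because the raw query may carry the `@` or `?` percent-encoded and a pattern applied only to the raw string would miss that form.

```python
"""Hunt IIS W3C logs for the ProxyShell-shaped Autodiscover -> PowerShell requests."""
import re
from urllib.parse import unquote

# Request-blocking regex GTSC recommended as an IIS URL Rewrite rule on the
# Autodiscover front end; it is the same shape as the 2021 ProxyShell mitigation.
PROXYSHELL_SHAPE = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed sample log, not taken from any real incident. Field order follows
# the W3C layout IIS writes (names come from the #Fields: header); hostnames and
# addresses are placeholders. Line 4 carries the '@' percent-encoded as %40.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-28 10:14:55 10.0.0.5 POST /autodiscover/autodiscover.xml - 198.51.100.20 200
2022-09-28 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 203.0.113.7 200
2022-09-28 10:15:09 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa 198.51.100.21 200
2022-09-28 10:15:30 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example/PowerShell&Email=autodiscover/autodiscover.json%3f%40evil.example 203.0.113.8 401
""".splitlines()


def parse_iis_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields: header.

    W3C logs are space-separated with '-' for empty fields; IIS writes spaces
    inside a field (e.g. User-Agent) as '+', so a plain split is safe.
    """
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def request_uri(record):
    """Rebuild the request URI from the stem and query columns."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def is_proxyshell_shape(record):
    """Match on the URL-decoded URI so a percent-encoded '@' or '?' cannot hide the shape."""
    return PROXYSHELL_SHAPE.search(unquote(request_uri(record))) is not None


def hunt(lines):
    """Return the matching requests with the fields an analyst needs for triage."""
    return [
        {
            "time": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "status": r["sc-status"],
            "uri": unquote(request_uri(r)),
        }
        for r in parse_iis_w3c(lines)
        if is_proxyshell_shape(r)
    ]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A hit means a request of the exploit shape reached the front end, not that exploitation succeeded; the status code is kept so that 200s can be prioritised over rejected attempts, and the client address gives the pivot for the rest of the log set.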
From experience, I doubt it had been through full triage at Microsoft by earlier today, so some of the information out there will be questionable. (Update below.)
A quick sweep of the internet suggests a lot of organisations haven’t yet patched for ProxyShell, which is understandable given how Exchange patching works (if you disagree, you likely haven’t patched Exchange).
Update: Microsoft have been through triage now, and issued CVE-2022-41040 and CVE-2022-41082. These are two new zero day vulnerabilities in Exchange. It appears the ProxyShell patches…