57,000 unpatched Exchange servers are still vulnerable to RCE vulnerability

More than 57,000 Microsoft Exchange servers worldwide are still vulnerable to the vulnerabilities known as ProxyNotShell. Microsoft released an update for these remote code execution vulnerabilities in early November.

The non-profit security organization Shadowserver keeps track of which Microsoft Exchange servers have not yet been updated and says there Monday there were still 57268 servers that did not have the correct version number. More than half, almost thirty thousand servers, are located in Europe. Seventeen thousand are in North America and more than six thousand servers are in China.

Shadowserver has been tracking the ProxyNotShell vulnerability for some time and, for example, said on December 26 that there were still nearly 70,000 vulnerable Exchange servers, most of them in the United States and Germany.

ProxyNotShell consists of two vulnerabilities that Microsoft first warned about at the end of September. At that time, these were already actively exploited vulnerabilities that together let criminals perform a remote code execution, provided they have access to PowerShell and authenticated access to the vulnerable Exchange Servers.

At the time, Microsoft advised users to take measures that could stop the attacks, but according to Shadowserver, malicious parties can now circumvent those measures. This is a Server-Side Request Forgery vulnerability CVE-2022-41040 and CVE-2022-41082. At the beginning of November, Microsoft released an update for the vulnerabilities.

Now around 57K in latest scans (for Jan 3rd). Let’s get these numbers down! #ProxyNotShell

— Shadow server (@Shadow server) January 4, 2023