CVE-2022-41040

HIGH KEV RANSOMWARE

Microsoft Exchange ProxyNotShell RCE

Title source: metasploit

Exploitation Summary

CVE-2022-41040 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 30, 2022, with confirmed use in ransomware campaigns. EIP tracks 11 public exploits from researchers including kljunowsky, TaroballzChen, and numanturle, among them the Metasploit module exploits/windows/http/exchange_proxynotshell_rce.

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploits (11)

nomisec WORKING POC 91 stars
by kljunowsky · remote
https://github.com/kljunowsky/CVE-2022-41040-POC

This PoC demonstrates CVE-2022-41040, an SSRF vulnerability in Microsoft Exchange Server. It uses `unfurl` and `ffuf` to craft and send malicious requests to target URLs, replacing a placeholder with an attacker-controlled out-of-band (OOB) domain for detection.

Classification: Working PoC 90%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Target URLs in `targets.txt` · Out-of-band (OOB) domain for payload delivery · Tools: `unfurl`, `ffuf`, `curl`
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 35 stars
by TaroballzChen · remote
https://github.com/TaroballzChen/CVE-2022-41040-metasploit-ProxyNotShell

This is a Metasploit module for CVE-2022-41040, an SSRF vulnerability in Microsoft Exchange Server. It includes functionality to test for the vulnerability using DNS callbacks and various payloads.

Classification: Working PoC 95%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
Auth required
Prerequisites: Authenticated access to the Microsoft Exchange Server · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 19 stars
by numanturle · infoleak
https://github.com/numanturle/CVE-2022-41040

This repository provides a Nuclei template for detecting CVE-2022-41040, an SSRF vulnerability in Microsoft Exchange Server. The template sends a crafted HTTP request to the Autodiscover endpoint to test for the vulnerability.

Classification: Scanner 80%
Attack Type: SSRF
Complexity: Trivial
Reliability: Theoretical
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Access to the target Exchange Server's Autodiscover endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 5 stars
by rjsudlow · poc
https://github.com/rjsudlow/proxynotshell-IOC-Checker

This repository contains a PowerShell script designed to scan for Indicators of Compromise (IOCs) related to CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell vulnerabilities). It checks logs for malicious patterns, known malicious IPs, and post-exploit files.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Access to Exchange Server logs · PowerShell execution privileges
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 5 stars
by d3duct1v · remote
https://github.com/d3duct1v/CVE-2022-41040

This repository contains a Python-based scanner for CVE-2022-41040, which tests for the presence of the vulnerability by sending a crafted HTTP request to the target server. The scanner checks the response status code to determine if the target is vulnerable.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Target URL or list of URLs
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by r3dcl1ff · poc
https://github.com/r3dcl1ff/CVE-2022-41040

This PowerShell script is a mitigation tool for CVE-2022-41040, an Exchange Server vulnerability. It applies URL rewrite rules to mitigate the vulnerability and includes functionality to rollback mitigations if needed.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
Auth required
Prerequisites: Administrative access to the Exchange Server · PowerShell execution policy allowing script execution
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by ITPATJIDR · remote
https://github.com/ITPATJIDR/CVE-2022-41040

This repository contains a Python script that checks for the presence of CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange. The script sends HTTP requests to a list of URLs and checks for a 404 status code with 'IIS Web Core' in the response to determine vulnerability.

Classification: Scanner 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: List of target URLs
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 0-Gram · infoleak
https://github.com/0-Gram/CVE-2022-41040

This PoC demonstrates an SSRF vulnerability in Microsoft Exchange Server (CVE-2022-41040) by sending crafted requests to the Autodiscover endpoint and checking for callbacks to a collaborator server. It can also test internal URL access if provided.

Classification: Working PoC 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019
No auth needed
Prerequisites: Target URL · Collaborator server for callback detection
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by CentarisCyber · poc
https://github.com/CentarisCyber/CVE-2022-41040_Mitigation

This repository contains a PowerShell script (EOMTv2.ps1) designed to mitigate CVE-2022-41040, a vulnerability in Microsoft Exchange Server. The script applies URL rewrite rules to block known attack patterns and includes functionality to rollback mitigations if needed.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (versions affected by CVE-2022-41040)
Auth required
Prerequisites: Administrative access to the target system · IIS with URL Rewrite module installed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Orange Tsai, Spencer McIntyre, DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Piotr Bazydło, Rich Warren, Soroush Dalili · ruby · poc · windows
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxynotshell_rce.rb

This Metasploit module exploits CVE-2022-41040 (SSRF) and CVE-2022-41082 (deserialization) to achieve RCE on Microsoft Exchange Server 2019. It chains SSRF to access the PowerShell backend and leverages a .NET deserialization gadget for code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Exchange Server 2019
Auth required
Prerequisites: valid Exchange credentials · Exchange Server 2019 · network access to port 443
devstral-2 · analyzed Apr 24, 2026

patchapalooza WORKING POC
by testanull · remote
https://github.com/testanull/ProxyNotShell-PoC

This repository contains a functional exploit PoC for CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell), targeting Microsoft Exchange Server. The exploit leverages PowerShell remoting to achieve remote code execution by crafting malicious SOAP requests.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
Auth required
Prerequisites: valid credentials · network access to Exchange Server
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.8
EPSS 0.9415
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-09-30
VulnCheck KEV 2022-09-29
InTheWild.io 2022-09-30
ENISA EUVD EUVD-2022-44285
Ransomware Use Confirmed
CWE CWE-918
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_22 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_11 (2 CPE variants)
Published Oct 03, 2022
KEV Added Sep 30, 2022
Tracked Since Feb 18, 2026