CVE-2022-41080

HIGH KEV RANSOMWARE

Microsoft Exchange Server - Privilege Escalation

Exploitation Summary

CVE-2022-41080 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2023, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits, from researchers ohnonoyesyes and balki97.

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploits (2)

nomisec WRITEUP 1 star
by ohnonoyesyes · remote-auth
https://github.com/ohnonoyesyes/CVE-2022-41080

This repository contains a writeup and reference to CVE-2022-41080, which is part of the OWASSRF exploit chain affecting Microsoft Exchange. It describes the vulnerability and its use in ransomware attacks but does not include functional exploit code.

Classification: Writeup 90%
Attack Type: SSRF
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Exchange (specific version not specified)
No auth needed
Prerequisites: Access to Outlook Web Access (OWA) · Vulnerable Microsoft Exchange server
devstral-2 · analyzed Feb 16, 2026

patchapalooza WORKING POC
by balki97 · remote-auth
https://github.com/balki97/OWASSRF-CVE-2022-41082-POC

This repository contains a functional exploit for CVE-2022-41082, a post-authentication RCE vulnerability in Microsoft Exchange Server (ProxyNotShell). It includes a Python-based PoC that leverages OWASSRF to execute arbitrary commands via PowerShell remoting, along with a PowerShell script for privilege escalation (TabShell, CVE-2022-41076).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019 (pre-November 2022 patch)
Auth required
Prerequisites: Valid Exchange credentials · Network access to OWA endpoint · Unpatched Exchange Server
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.8
EPSS 0.9379
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-01-10
VulnCheck KEV 2022-12-20
InTheWild.io 2022-12-21
ENISA EUVD EUVD-2022-44324
Ransomware Use Confirmed
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_22 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_11 (2 CPE variants)
Published Nov 09, 2022
KEV Added Jan 10, 2023
Tracked Since Feb 18, 2026