CVE-2022-41082

HIGH KEV RANSOMWARE

Microsoft Exchange Server - Remote Code Execution via Untrusted Data Deserialization

Exploitation Summary

CVE-2022-41082 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 30, 2022, with confirmed use in ransomware campaigns. EIP tracks 12 public exploits from researchers including balki97, Diverto, and soltanali0, as well as a Metasploit module, exploits/windows/http/exchange_proxynotshell_rce.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploits (12)

nomisec WORKING POC 95 stars
by balki97 · remote-auth
https://github.com/balki97/OWASSRF-CVE-2022-41082-POC

This repository contains a functional PoC for CVE-2022-41082, a post-auth RCE vulnerability in Microsoft Exchange (ProxyNotShell OWASSRF). It includes a Python script to exploit the vulnerability and a PowerShell script (TabShell.ps1) for privilege escalation via CVE-2022-41076.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019 (pre-November 2022 patch)
Auth required
Prerequisites: Valid credentials for Exchange OWA · Network access to target Exchange server
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 80 stars
by Diverto · infoleak
https://github.com/Diverto/nse-exchange

This repository provides an Nmap NSE script to detect the presence of CVE-2022-41082, a Microsoft Exchange vulnerability. It checks for virtual patching or workarounds but does not include exploit code for achieving RCE.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server (unpatched versions affected by CVE-2022-41082)
No auth needed
Prerequisites: Network access to target Exchange server · Port 443 (HTTPS) open and accessible
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by soltanali0 · poc
https://github.com/soltanali0/CVE-2022-41082

This repository contains a Python-based PoC for CVE-2022-41082, an OWASSRF vulnerability in Microsoft Exchange servers. The exploit bypasses authentication and executes arbitrary commands via PowerShell, potentially leading to remote code execution (RCE).

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
Auth required
Prerequisites: Valid credentials for an Exchange user · Network access to the target Exchange server · Remote PowerShell access enabled for at least one user
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 3 stars
by notareaperbutDR34P3r · infoleak
https://github.com/notareaperbutDR34P3r/http-vuln-CVE-2022-41082

This repository provides an Nmap NSE script to scan for CVE-2022-41082, a Microsoft Exchange Server Remote Code Execution Vulnerability. It includes instructions for checking both HTTP and HTTPS endpoints.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Nmap with NSE support · Network access to target Exchange Server
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 2 stars
by SUPRAAA-1337 · infoleak
https://github.com/SUPRAAA-1337/CVE-2022-41082

This YAML file is a Nuclei template designed to detect CVE-2022-41082, a Microsoft Exchange Server vulnerability, by sending a crafted HTTP request to the autodiscover endpoint and checking for specific response patterns (401 status and 'x-owa-version' header). It does not contain exploit code but serves as a detection mechanism.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Network access to the target Exchange Server
devstral-2 · analyzed Feb 16, 2026

nomisec NO CODE 2 stars
by sikkertech · remote
https://github.com/sikkertech/CVE-2022-41082

nomisec WORKING POC 1 star
by bigherocenter · remote-auth
https://github.com/bigherocenter/CVE-2022-41082-POC

This repository contains a functional PoC for CVE-2022-41082, a post-auth RCE vulnerability in Microsoft Exchange (ProxyNotShell OWASSRF). It includes a Python script for exploitation and a PowerShell script (TabShell.ps1) for privilege escalation via CVE-2022-41076.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019 (pre-November 2022 patch)
Auth required
Prerequisites: Valid Exchange credentials · Network access to OWA endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by CyprianAtsyor · poc
https://github.com/CyprianAtsyor/LetsDefend-CVE-2022-41082-Exploitation-Attempt

This repository is a detailed writeup and incident report on an attempted exploitation of CVE-2022-41082, a critical RCE vulnerability in Microsoft Exchange Server. It includes analysis of the attack, mitigation strategies, and detection methods.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019
No auth needed
Prerequisites: Access to the PowerShell endpoint on an exposed Exchange Server · CVE-2022-41040 for bypassing authentication
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by notareaperbutDR34P3r · infoleak
https://github.com/notareaperbutDR34P3r/vuln-CVE-2022-41082

This repository provides an Nmap script to scan for CVE-2022-41082, a vulnerability in Microsoft Exchange Server. It does not include exploit code but offers a detection method for both HTTP and HTTPS services.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server (versions affected by CVE-2022-41082)
No auth needed
Prerequisites: Nmap installed · Network access to target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Orange Tsai, Spencer McIntyre, DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Piotr Bazydło, Rich Warren, Soroush Dalili · ruby · poc · windows
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxynotshell_rce.rb

This Metasploit module exploits CVE-2022-41040 (SSRF) and CVE-2022-41082 (deserialization) to achieve RCE on Microsoft Exchange Server 2019 via authenticated PowerShell backend interaction.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2019
Auth required
Prerequisites: Valid Exchange credentials · Exchange Server 2019 · Network access to port 443
devstral-2 · analyzed Feb 16, 2026

patchapalooza SCANNER
by ZephrFish · remote
https://github.com/ZephrFish/NotProxyShellScanner

This repository contains a Python-based scanner for detecting CVE-2022-40140 and CVE-2022-41082 (NotProxyShell) vulnerabilities in Microsoft Exchange Server. It sends crafted HTTP requests to the target and checks for specific response patterns to determine potential vulnerability.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: known email address of the target organization · known domain of the target organization
devstral-2 · analyzed Feb 23, 2026

patchapalooza SCANNER
by NitinYadav00 · remote
https://github.com/NitinYadav00/Exploit-Microsoft-Exchange-Server-

The repository contains a script that automates domain discovery and Nmap scanning for CVE-2022-41082 (ProxyNotShell) using a custom NSE script. It does not include functional exploit code but aids in vulnerability detection.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2013, 2016, 2019
No auth needed
Prerequisites: subfinder · nmap · proxynotshell_checker.nse
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.0
EPSS 0.9996
EPSS Percentile 100.0%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-09-30
VulnCheck KEV 2022-09-29
InTheWild.io 2022-09-30
ENISA EUVD EUVD-2022-44326
Ransomware Use Confirmed
CWE CWE-502
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_22 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_11 (2 CPE variants)
Published Oct 03, 2022
KEV Added Sep 30, 2022
Tracked Since Feb 18, 2026