Security researchers at the Shadowserver Foundation, a non-profit dedicated to improving internet security, have found that over 60,000 Microsoft Exchange servers have been left unpatched and are still vulnerable to ProxyNotShell attacks based on their x_owa_version header. The exact number of vulnerable Microsoft Exchange servers was logged as 60,865 by the organization on January 2nd – a decrease from the 83,946 instances discovered in mid-December.
ProxyNotShell is composed of two separate vulnerabilities, CVE-2022-41082 and CVE-2022-41040, and affect Exchange Server 2013, 2016, and 2019. Successful exploitation allows the attacker to escalate privileges and gain arbitrary or remote code execution on victim servers. Mitigation measures are available for ProxyNotShell, but some have been bypassed by attackers. These vulnerabilities were officially patched by Microsoft in the November 2022 Patch Tuesday.