18.11.2022 - The NCSC is aware of over 2,800 Microsoft Exchange servers in Switzerland that are affected by the critical ProxyNotShell vulnerability. As these Exchange servers are connected to the internet and reachable from anywhere, attackers can exploit the vulnerability remotely and execute code on the server (Remote Code Execution vulnerability, RCE). Exploiting the vulnerability therefore allows attackers to compromise the Microsoft Exchange Server.
The vulnerability was discovered in September 2022 and is already being actively exploited by cybercriminals (zero-day exploit). On this month's Patch Tuesday, on 8 November 2022, Microsoft published a corresponding patch that fixes the vulnerability:
Microsoft Exchange Server Remote Code Execution Vulnerability («ProxyNotShell»):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
NCSC calls for security patches to be installed
Although the patch has already been available for a fortnight and the vulnerability is being actively exploited, over 2,800 Microsoft Exchange servers in Switzerland have still not been patched.
As early as March 2021, critical vulnerabilities of a similar magnitude were discovered in Microsoft Exchange, prompting the NCSC to notify affected businesses of the vulnerability by registered letter.
Recommended measures
The NCSC recommends that operators of Microsoft Exchange servers should ensure that all patches have been installed. Highly critical patches should be applied as quickly as possible, i.e. outside the regular maintenance windows.
- Make sure that you have applied a current Cumulative Update (CU) with all corresponding Security Updates (Nov22SU).
- Check your Exchange Server with the HealthChecker provided by Microsoft:
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
- Scan your Exchange Server with up-to-date anti-virus software.
- Review your patch strategy and ensure that critical security updates are installed outside of maintenance windows.
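As an added illustration of the first measure (example code, not part of the NCSC advisory or of Microsoft's tooling), the following PowerShell check reads the Exchange build from ExSetup.exe, whose file version reflects installed Security Updates, unlike the Cumulative Update level that Get-ExchangeServer reports, and compares it with a minimum patched build supplied by the operator. The function names are made up for this example; it assumes the ExchangeInstallPath environment variable that Exchange setup creates, and the build number shown is a placeholder to be replaced with the Nov22SU build for the installed CU from Microsoft's Exchange Server build number table.

```powershell
# Added example, not part of the NCSC advisory: check the local Exchange
# server's build against a minimum build that contains the Nov22SU.
#
# Get-ExchangeServer only reports the Cumulative Update level in
# AdminDisplayVersion; Security Updates change the file version of
# ExSetup.exe, so that file is inspected here. Run on the Exchange server.

function Get-ExSetupBuild {
    # ExchangeInstallPath is set by Exchange setup (e.g. C:\Program Files\
    # Microsoft\Exchange Server\V15\); fail clearly if it is absent.
    if (-not $env:ExchangeInstallPath) {
        throw 'ExchangeInstallPath is not set; run this on an Exchange server.'
    }
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $info = (Get-Item -Path $exsetup -ErrorAction Stop).VersionInfo
    # ProductVersion is a dotted string such as 15.02.1118.020; [version]
    # accepts the leading zeros and allows numeric comparison.
    [version]$info.ProductVersion
}

function Test-ExchangePatched {
    # Compares the installed build with the minimum patched build and returns
    # an object that can be collected from many servers for reporting.
    param(
        # Minimum build carrying Nov22SU for the CU in use. Take the value from
        # Microsoft's Exchange Server build number table.
        [Parameter(Mandatory)][version]$MinimumPatchedBuild,
        # Installed build; defaults to the local ExSetup.exe version.
        [version]$InstalledBuild = (Get-ExSetupBuild)
    )
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        InstalledBuild = $InstalledBuild
        RequiredBuild  = $MinimumPatchedBuild
        Patched        = ($InstalledBuild -ge $MinimumPatchedBuild)
    }
}

# PLACEHOLDER: replace 0.0.0.0 with the Nov22SU build for your CU before use.
$result = Test-ExchangePatched -MinimumPatchedBuild '0.0.0.0'
$result | Format-List
if (-not $result.Patched) {
    Write-Warning "$($result.ComputerName) is below the required build; install the Security Update outside the regular maintenance window."
}
```

The object returned by Test-ExchangePatched can be collected from every server in the organisation and exported, which gives a quick inventory of which servers still lack the Nov22SU before the HealthChecker run.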
Taking personal responsibility
Insofar as they are known and can be identified, businesses that have not applied the necessary security patches by the beginning of December 2022 will once again be notified by the NCSC by registered letter. At the same time, the NCSC is also appealing to businesses and critical infrastructure operators to take responsibility for their own security, emphasising the risk of being compromised and the associated damage (ransomware, data theft).
Last modification 18.11.2022