"At Least 30,000 Internet-Exposed Exchange Servers Vulnerable to ProxyShell Attacks"
A series of vulnerabilities called ProxyShell impacts at least 30,000 Internet-exposed Microsoft Exchange servers. The ProxyShell vulnerabilities can be chained for unauthenticated remote code execution, allowing an attacker to take over an Exchange server. Microsoft released patches for the vulnerabilities in mid-April, and advisories were published for them in May and July. Researcher Kevin Beaumont reported that attackers had begun scanning the Internet for vulnerable Exchange servers. He said his Exchange honeypot had recorded attempts to drop files and execute commands. The threat intelligence company Bad Packets has also reported seeing ProxyShell events. A Shodan search by the SANS Institute's Jan Kopriva showed that about 30,000 Exchange servers are vulnerable to the three ProxyShell vulnerabilities. However, Kopriva warned that the number of vulnerable Exchange servers could increase significantly over the coming days, since Shodan likely had not scanned the whole Internet by the time he did the search. This article continues to discuss the vulnerability of tens of thousands of Internet-exposed Microsoft Exchange servers to ProxyShell attacks.