Just months after ProxyLogon, summer 2021 brought another series of critical Microsoft Exchange vulnerabilities. ProxyShell — a chain of three CVEs — allowed arbitrary code execution on any internet-accessible Exchange on-premises server, without authentication.
The ProxyShell Chain
ProxyShell combines three distinct vulnerabilities to achieve full remote code execution.
CVE-2021-34473 — Path Confusion / Auth Bypass (CVSS 9.8)
A URL normalization flaw in Exchange's front-end proxy allows its access-control list to be bypassed: with a specially crafted path, an attacker can reach normally protected Exchange backend endpoints while impersonating the SYSTEM account.
CVE-2021-34523 — Privilege Escalation (CVSS 9.8)
The Exchange PowerShell backend doesn't properly verify permissions. Combined with CVE-2021-34473, this lets an attacker execute Exchange PowerShell cmdlets with SYSTEM privileges, without needing a valid Exchange account.
CVE-2021-31207 — Arbitrary File Write (CVSS 7.2)
A mailbox export task scheduling feature in Exchange allows writing arbitrary files to the filesystem, including to publicly accessible IIS directories.
The Full Chain
CVE-2021-34473 → Access Exchange backend as SYSTEM
CVE-2021-34523 → Execute Exchange PowerShell cmdlets
CVE-2021-31207 → Write .aspx web shell to /owa/
→ Full unauthenticated RCE
Affected versions:
- Exchange Server 2013 Cumulative Update 23
- Exchange Server 2016 CU 18, 19
- Exchange Server 2019 CU 7, 8
Timeline: From Conference to Mass Exploitation
| Date | Event |
|---|---|
| April 13, 2021 | Orange Tsai presents vulnerabilities at Pwn2Own |
| May 11, 2021 | Microsoft patches the CVEs in Patch Tuesday |
| August 5, 2021 | Orange Tsai presents details at Black Hat USA |
| August 6–10, 2021 | Mass exploitation by threat actors |
| August–September 2021 | Web shells deployed on thousands of servers |
Mass exploitation began the day after the Black Hat presentation, when threat actors reverse-engineered the exploit from the talk.
Groups That Exploited ProxyShell
- Conti ransomware: used in encryption campaigns
- LockFile ransomware: exploited ProxyShell for initial access, then PetitPotam for lateral movement
- Squirrelwaffle: malware downloader distributed via spam campaigns from compromised Exchange servers
- State-sponsored APTs (China, Iran)
A particularly problematic detail about Squirrelwaffle: attackers used compromised Exchange servers to send malicious emails from legitimate corporate domains, with real reply threads, making detection very difficult.
Differences from ProxyLogon
| | ProxyLogon | ProxyShell |
|---|---|---|
| CVEs | CVE-2021-26855, -26857, -26858, -27065 | CVE-2021-34473, -34523, -31207 |
| Patch | March 2021 | May 2021 |
| Mass exploitation | March 2021 (zero-day) | August 2021 (post-Black Hat) |
| Complexity | Moderate | More complex |
| Actors | State APTs (HAFNIUM) | Broad cybercriminal spectrum |
Detecting ProxyShell
ProxyShell-Specific Web Shells
Web shells dropped via ProxyShell are typically found in:
- C:\inetpub\wwwroot\aspnet_client\
- C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
Typical names: .aspx files with randomly generated names (e.g., shelljfdks.aspx)
IIS Logs
```powershell
# Look for POST requests to .aspx files in OWA directories
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" `
    -Pattern "POST.*\.aspx" | Where-Object { $_ -match "owa|aspnet_client" }
```
Suspicious Exchange PowerShell Cmdlets in Logs
```powershell
# Check recent mailbox exports
Get-MailboxExportRequest | Where-Object { $_.Status -eq "Completed" }

# Exports whose FilePath points outside your normal export share (for example into an IIS web
# directory) are a strong indicator; the statistics object carries the path and timestamps
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Select-Object FilePath, Status, QueuedTimestamp, CompletionTimestamp
```
Remediation
1. Apply Exchange Patches
All three CVEs are fixed in the May 2021 Cumulative Updates. Check your CU level and apply updates.
2. Remove Web Shells
```powershell
# Scan the IIS web root and the Exchange front-end directory (both locations listed above)
# for recently modified .aspx files; Exchange's own pages will show up if a CU was installed
# in the window, so review the names (randomly generated names are suspect)
Get-ChildItem -Path "C:\inetpub\wwwroot", "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy" `
    -Recurse -Include "*.aspx" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddMonths(-6) } |
    Select-Object FullName, LastWriteTime
```
3. Remove Malicious Export Tasks
```powershell
# Remove all mailbox export tasks (record them first, e.g. via Get-MailboxExportRequestStatistics,
# so the file paths and timestamps remain available for the investigation)
Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false
```
4. Reset Credentials
Change passwords for all Exchange accounts and Active Directory administrators.
Beyond ProxyShell: ProxyNotShell (2022)
In 2022, two new Exchange CVEs (CVE-2022-41040 and CVE-2022-41082) — dubbed ProxyNotShell — followed a similar mechanism. The trend is clear: on-premises Exchange is a permanent target requiring continuous CVE monitoring.
Track all Microsoft Exchange CVEs on cveo.tech — register your version in your asset inventory for automatic alerts.