Microsoft has updated the mitigations for the latest Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, also referred to as ProxyNotShell.
The initial recommendations were insufficient as researchers showed that they can be easily bypassed to allow new attacks exploiting the two bugs.
Unfortunately, the current recommendations are still not enough and the proposed mitigation can still allow ProxyNotShell attacks.