Simulating and Preventing ProxyShell Exchange Exploits

Picus Labs has updated the Picus Threat Library with attacks that exploit ProxyShell vulnerabilities affecting Microsoft Exchange Server. We also updated the Picus Mitigation Library with prevention signatures of network security controls. 

What are the ProxyShell Vulnerabilities?

ProxyShell is a set of the following three vulnerabilities discovered by security researcher Orange Tsai that can be leveraged to gain control of Microsoft Exchange email servers.

CVE-2021-34473: It is a pre-authentication remote code execution vulnerability that allows adversaries to remotely execute malware on a vulnerable system. Its CVSS 3.1 base score is “9.8 Critical”.

CVE-2021-34523: Due to a weakness in the PowerShell service not correctly validating access tokens, CVE-2021-34523 allows adversaries to execute arbitrary code on Microsoft Exchange servers after authentication

CVE-2021-31207: It allows adversaries to execute arbitrary code in the context of SYSTEM and write arbitrary files.

Affected Microsoft Exchange Server versions are 2013, 2016, and 2019.

What is the Impact of ProxyShell?

Adversaries use these three chained Microsoft Exchange Server vulnerabilities to run malicious codes and install webshells as backdoors on vulnerable systems for maintaining access and post-exploitation.

What is the Current Situation?

Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing ProxyShell. Huntress Labs analyzed Microsoft Exchange servers that hacked with ProxyShell and discovered more than 140 different web shells on more than 1,900 Exchange servers. Although these vulnerabilities were patched four months ago, according to Shodan, almost 50.000 Exchange servers from a total of 240.000 systems are unpatched and vulnerable to attacks as of August 23, 2021.

What Should You Do?

CVE-2021-34473 and CVE-2021-34523 were patched in April and disclosed in July by Microsoft, while CVE-2021-31207 was disclosed and patched in May. To protect against these attacks, we highly advise organizations to identify vulnerable systems on their networks and apply Microsoft's Security Update from May 2021 (at a minimum), which fixes all three ProxyShell vulnerabilities.

How Picus Helps Simulate and Prevent ProxyShell Exploits?

We also strongly suggest simulating ProxyShell vulnerabilities to test the effectiveness of your security controls against ProxyShell attacks using the Picus Security Control Validation Platform. Picus Threat Library includes the following threats for ProxyShell vulnerabilities. Moreover, it contains 1500+ vulnerability exploitation and endpoint attacks in addition to 10.500+ other threats as of today.

Picus ID

Threat Name



ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-1



ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-2



ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-3



ProxyShell Privilege Elevation Attack via AutoDiscover Endpoint Variant-1



ProxyShell Post-auth Arbitrary File Write via AutoDiscover Endpoint Variant-1


Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address ProxyShell and other vulnerability exploitation attacks in preventive security controls. 

Security Control

Signature ID

Signature Name

Snort IPS


SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Cisco Firepower NGFW


SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Trend Micro TippingPoint IPS


HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821)

Palo Alto Networks NGFW


Microsoft Exchange Server SSRF Vulnerability

Palo Alto Networks NGFW


Microsoft Exchange SSRF Execution Vulnerability

Forcepoint NGFW



Forcepoint NGFW



Forcepoint NGFW



FortiGate IPS



We will update the above list when Picus Labs validate the signatures of other vendors/products.