CISA reports active exploitation of Microsoft SharePoint RCE flaw
Take action: If you are running Microsoft SharePoint Server and haven't patched it since June 2024 or before, start patching IMMEDIATELY. Yes, the attackers need an authenticated session, but a SharePoint server has too many users, and some of them will be phished.
A high-severity vulnerability in Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of active exploitation.
The flaw, tracked as CVE-2024-38094 (CVSS score 7.2), is a deserialization vulnerability that can be exploited by an attacker with Site Owner permissions to inject and execute arbitrary code within SharePoint Server. The attack requires authentication, but it can be executed remotely over the network.
Proof-of-concept (PoC) code for this vulnerability has been made publicly available, increasing the exploitation risk. The PoC automates authentication to a target SharePoint site using NTLM, creates a folder and file, and sends a crafted XML payload to trigger the vulnerability within the SharePoint client API.
An attacker with authenticated access and Site Owner permissions can use this vulnerability to execute arbitrary code within SharePoint Server. This could lead to the compromise of the SharePoint environment, potentially affecting confidential data and enabling further attacks within the network.
All versions of Microsoft SharePoint Server prior to the patches provided as part of the July 2024 Patch Tuesday updates are affected.
Microsoft has released patches addressing this flaw in the July 2024 security updates. Organizations using SharePoint should apply the patches immediately to mitigate the risk of exploitation.
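To hunt for the PoC behaviour described above (folder creation, file creation, then a request to the client API from one authenticated session), the following added example, which is not from this report or from Microsoft, correlates those three POSTs per client and user in IIS W3C logs. The URL patterns, the 60-second window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed patterns: standard SharePoint REST/CSOM paths, not taken from the article.
STEPS = [
    re.compile(r"/_api/web/folders", re.I),                    # folder creation
    re.compile(r"/files/add\(", re.I),                         # file creation
    re.compile(r"/_vti_bin/client\.svc/ProcessQuery", re.I),   # XML sent to client API
]
WINDOW = timedelta(seconds=60)  # assumed: an automated run finishes quickly

# Constructed sample log (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-10-23 10:00:01 POST /sites/team/_api/web/folders CORP\\jdoe 192.0.2.10 201
2024-10-23 10:00:02 POST /sites/team/_api/web/GetFolderByServerRelativeUrl('/sites/team/tmp')/Files/add(url='a.txt',overwrite=true) CORP\\jdoe 192.0.2.10 200
2024-10-23 10:00:03 POST /sites/team/_vti_bin/client.svc/ProcessQuery CORP\\jdoe 192.0.2.10 200
2024-10-23 10:05:00 POST /sites/hr/_vti_bin/client.svc/ProcessQuery CORP\\asmith 192.0.2.20 200
""".splitlines()

def parse_iis(lines):
    """Yield (timestamp, client_ip, user, method, uri) using the #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, rec["c-ip"], rec["cs-username"], rec["cs-method"], rec["cs-uri-stem"]

def find_sequences(lines):
    """Return (ip, user, first_ts, last_ts) for each in-order run of all STEPS within WINDOW."""
    progress = {}  # (ip, user) -> (index of next expected step, time of first step)
    hits = []
    for ts, ip, user, method, uri in parse_iis(lines):
        if method != "POST":
            continue
        idx, start = progress.get((ip, user), (0, None))
        if idx and ts - start > WINDOW:
            idx, start = 0, None  # partial sequence went stale, start over
        if STEPS[idx].search(uri):
            start = start or ts
            idx += 1
            if idx == len(STEPS):
                hits.append((ip, user, start, ts))
                idx, start = 0, None
        progress[(ip, user)] = (idx, start)
    return hits
```

A lone `ProcessQuery` request is normal client traffic, which is why the check only reports the full ordered sequence; treat hits as leads to review against the account's Site Owner activity, not as confirmed exploitation.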