Article Details

Scrape Timestamp (UTC): 2024-10-23 19:33:56.372

Source: https://www.theregister.com/2024/10/23/microsoft_sharepoint_rce_exploited/

Original Article Text

Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch

Plus, a POC to make it extra easy for attackers

A Microsoft SharePoint bug that can allow an attacker to remotely inject code into vulnerable versions is under active exploitation, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

CISA added the deserialization vulnerability, tracked as CVE-2024-38094, to its Known Exploited Vulnerabilities Catalog and noted that it's "unknown" whether this security flaw is being used in any ransomware campaigns.

Microsoft originally patched the hole during its July Patch Tuesday extravaganza, and while it wasn't listed as exploited or publicly known at the time, Redmond did note that exploitation was "more likely."

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," according to the July 9 security update. Microsoft deemed the bug "important," and it earned a 7.2 out of 10 CVSS severity rating.

The Windows giant did not immediately respond to The Register's questions, including the scope of the exploitation and who is abusing the flaw and for what nefarious purposes.

Plus there's at least one proof-of-concept (POC) exploit out there, so the risk of miscreants finding and abusing this bug is even greater — and now they don't even need to write the code themselves.

Now that it's been added to Uncle Sam's KEV, all Federal Civilian Executive Branch agencies must apply the Microsoft fix no later than November 12. Although this mandate only applies to FCEB agencies, "CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation" of CVEs listed in the catalog. We second this recommendation, and would suggest patching as soon as possible.

Microsoft also addressed two critical SharePoint Server flaws, CVE-2024-38018 and CVE-2024-43464, in its September Patch Tuesday event. If exploited, these could allow attackers with Site Member and Site Owner permissions to execute code remotely.

Daily Brief Summary

MALWARE // Urgent SharePoint Remote Code Execution Flaw Actively Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) reported active exploitation of a Microsoft SharePoint deserialization vulnerability, tagged CVE-2024-38094.

Originally patched in July, the flaw allows an authenticated attacker with site owner permissions to remotely execute arbitrary code on SharePoint Servers.

The vulnerability carries a CVSS severity rating of 7.2 out of 10 and was deemed "important" by Microsoft.

At least one proof-of-concept (POC) exploit is available, increasing the risk of the vulnerability being exploited by malicious parties.

All Federal Civilian Executive Branch agencies are mandated to patch this vulnerability by November 12, though CISA advises all organizations to prioritize this update.

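Microsoft also resolved two other critical SharePoint Server vulnerabilities, CVE-2024-38018 and CVE-2024-43464, in its September Patch Tuesday updates; these could similarly enable remote code execution by attackers with Site Member and Site Owner permissions.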