A vulnerability in Microsoft SharePoint Server has turned into a major security threat, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2024-38094, the deserialization flaw allows an authenticated attacker holding Site Owner permissions to execute arbitrary code in the context of the SharePoint Server, posing a serious risk to unpatched systems. Organizations are urged to act fast to close this gap.
Exploitation Confirmed After Three-Month Patch Lag
The vulnerability was fixed in Microsoft's July 2024 Patch Tuesday release, where Microsoft's Exploitability Index already rated it "Exploitation More Likely." On October 22, 2024, CISA added it to the KEV catalog, confirming exploitation in the wild. Roughly three months after a patch became available, organizations that delayed updating their SharePoint servers are the ones now being targeted.
The root of this issue is how SharePoint handles untrusted serialized data. A deserialization flaw allows an authenticated user with Site Owner rights to supply crafted input that the server deserializes, resulting in code execution on the SharePoint server itself rather than in a user's browser. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
A SharePoint Site Owner holds the Full Control permission level on a site: the ability to create, delete, and customize the site, manage its content, and grant permissions to others. It is not a farm or site collection administrator role, and in many organizations it is routinely delegated to ordinary business users. That is what makes the precondition less of a barrier than it sounds: the flaw turns control over a single site into code execution on the server hosting every site in the farm.
Microsoft assigned the flaw a CVSS 3.1 base score of 7.2 (High). The score falls short of Critical only because authentication is required; the impact on confidentiality, integrity, and availability is rated high. Yet, despite a patch being available since July, the vulnerability is now being exploited in the wild.
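Two checks follow from the description above: whether the farm is running a build that includes the July 2024 (or later) security update, and which accounts actually hold the Site Owner (Full Control) rights the flaw requires. The following script is an added example and is not code from the original article or from Microsoft; it is meant to be run in the SharePoint Management Shell on a farm server. The minimum build number is deliberately left as a parameter, because the exact build for each edition is not given on this page and must be taken from Microsoft's update KB.

```powershell
param(
    # Assumption: the build number of the July 2024 (or later) SharePoint
    # security update for your edition, taken from Microsoft's update KB.
    # The page does not list these builds, so the value is supplied by you.
    [Parameter(Mandatory = $true)]
    [version]$MinimumPatchedBuild
)

# Load the SharePoint cmdlets if this is run from a plain PowerShell host.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm build check: a build below the patched build still carries CVE-2024-38094.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $farmBuild is below $MinimumPatchedBuild; the July 2024 SharePoint security update (or later) is missing."
} else {
    Write-Host "Farm build $farmBuild is at or above $MinimumPatchedBuild."
}

# 2. Blast radius: list every principal granted Full Control on any web.
#    Microsoft's advisory describes the attacker as having Site Owner
#    permissions, which is the Full Control permission level, so these are
#    the accounts (and groups) whose compromise or misuse would reach the server.
$fullControl = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        foreach ($assignment in $web.RoleAssignments) {
            # SPRoleType.Administrator is the built-in "Full Control" level;
            # matching on the type rather than the display name survives
            # localized or renamed permission levels.
            $isFullControl = $assignment.RoleDefinitionBindings |
                Where-Object { $_.Type -eq [Microsoft.SharePoint.SPRoleType]::Administrator }
            if ($isFullControl) {
                [pscustomobject]@{
                    WebUrl    = $web.Url
                    Principal = $assignment.Member.Name
                    Login     = $assignment.Member.LoginName
                    IsGroup   = $assignment.Member -is [Microsoft.SharePoint.SPGroup]
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$fullControl | Sort-Object WebUrl, Principal | Format-Table -AutoSize
"{0} Full Control assignments across {1} webs" -f $fullControl.Count,
    ($fullControl.WebUrl | Sort-Object -Unique).Count
```

Rows where IsGroup is true are SharePoint groups (typically the default Owners group); expand their membership separately, since each member of such a group meets the advisory's precondition. The list is worth keeping even after patching: it is the set of accounts whose activity should be reviewed if the farm was exposed during the gap between July and the patch date.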
CISA Mandates Federal Agencies Patch by November 12
In response to the active exploitation, CISA has given federal civilian executive branch agencies until November 12, 2024, to apply the patch. The deadline follows from Binding Operational Directive (BOD) 22-01, which requires agencies to remediate any vulnerability listed in the KEV catalog within a set window. While the directive binds only federal agencies, CISA strongly encourages private sector organizations to treat KEV entries with the same urgency.
The risk has escalated because Proof-of-Concept (PoC) exploit code has surfaced publicly, so attackers no longer need to develop their own trigger for the flaw. With a working PoC available, even less sophisticated attackers who hold or obtain a Site Owner account can attempt to compromise an unpatched server.
Other SharePoint Vulnerabilities Also Patched
While CVE-2024-38094 is the most pressing concern, it isn't the only recent code-execution flaw in SharePoint. In its September 2024 patch release, Microsoft addressed two further flaws, CVE-2024-38018 and CVE-2024-43464, both allowing code execution by authenticated attackers; in the case of CVE-2024-38018, Microsoft's advisory sets the bar at Site Member rather than Site Owner permissions. A farm that missed the July update is therefore likely to be missing these fixes as well, which underscores the importance of bringing SharePoint servers fully up to date rather than patching a single CVE.
Last Updated on November 7, 2024 2:22 pm CET