Key Takeaways:
- CISA disclosed a critical security flaw in Microsoft SharePoint.
- This vulnerability allows authenticated attackers to remotely inject malicious code.
- Organizations are urged to apply the latest security patches as soon as possible.
The US Cybersecurity and Infrastructure Security Agency (CISA) has disclosed a critical vulnerability in Microsoft SharePoint. This security flaw could enable cybercriminals to remotely inject malicious code into compromised servers.
SharePoint Server is an on-premises version of Microsoft SharePoint that is designed for organizations that prefer to manage their own infrastructure. It allows customers to create, share, and manage content, documents, and applications. This service offers advanced security features and compliance tools to help organizations maintain control over their data.
CISA has included the deserialization vulnerability, tracked as CVE-2024-38094, in its Known Exploited Vulnerabilities (KEV) Catalog. Microsoft has classified this bug as “important,” assigning it a CVSS score of 7.2 out of 10. This flaw arises when an application deserializes untrusted data without adequate validation. It could potentially result in serious risks such as remote code execution, Denial of Service (DoS), and unauthorized actions.
“An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft explained in a security advisory.
Proof-of-concept exploit for SharePoint flaw now available
Microsoft released the July Patch Tuesday updates to address the security vulnerability in SharePoint. Initially, the company did not categorize this flaw as publicly known or exploited. However, a proof-of-concept (POC) exploit is now available on GitHub, which could increase the risk of exploitation in enterprise environments.
Microsoft has not yet provided further details about the scope of the exploitation or the threat actors exploiting this flaw for malicious purposes. In response, CISA is urging all Federal Civilian Executive Branch (FCEB) agencies to install the latest security patches by November 12.
In case you missed it, Microsoft’s September Patch Tuesday updates also address two critical security flaws (CVE-2024-38018 and CVE-2024-43464) in Microsoft SharePoint. Attackers with Site Member or Site Owner permissions on a SharePoint site could run malicious code on the server.