The US cybersecurity agency CISA on Tuesday warned that a recently patched remote code execution (RCE) vulnerability in Microsoft SharePoint Server has been exploited in the wild.
The issue, tracked as CVE-2024-38094 (CVSS score of 7.2) and addressed with July 2024 Patch Tuesday updates, can be exploited over the network without user interaction, but requires authentication as a highly privileged user.
“An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft explains in its advisory.
According to a Qualys assessment, the bug resembles CVE-2024-38024, which can be exploited using “specialized API requests to trigger deserialization of file’s parameters” and execute arbitrary code on the SharePoint server.
Two days after Microsoft rolled out the July 2024 security updates, SocRadar warned that proof-of-concept (PoC) code targeting both vulnerabilities and CVE-2024-38023, another RCE bug in SharePoint, had been released.
On Tuesday, CISA added CVE-2024-38094 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply Microsoft’s fixes as soon as possible.
There do not appear to be any public reports describing the attacks exploiting CVE-2024-38094.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until November 12 to identify vulnerable SharePoint instances within their environments and patch or remove them.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” CISA notes.
Threat actors are known to have exploited SharePoint defects for which patches had been released. This year alone, CISA warned of the in-the-wild exploitation of three such flaws: one demonstrated at Pwn2Own, one patched in June 2023, and CVE-2024-38094.
Related: Roundcube Webmail Vulnerability Exploited in Government Attack
Related: Microsoft’s Take on Kernel Access and Safe Deployment Following CrowdStrike Incident
Related: Microsoft Adds Support for Post-Quantum Algorithms in SymCrypt Library
Related: Windows Flaw Exploited to Deliver PowerShell Backdoor
