CISA Adds Microsoft SharePoint Vulnerability to Known Exploited Vulnerabilities Catalogue; Active Exploitation Reported

October 23, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in Microsoft SharePoint to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The vulnerability, designated as CVE-2024-38094, is a deserialization vulnerability that could lead to remote code execution. Microsoft explained in an alert, "An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server." The company has released patches for this security defect as part of its July 2024 Patch Tuesday updates.

The risk from this vulnerability is heightened by the public availability of proof-of-concept (PoC) exploits. According to SOCRadar, the PoC script "automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to trigger the vulnerability in the SharePoint client API." At present, there are no reports about how CVE-2024-38094 is being exploited in the wild.

In response to the active exploitation of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by November 12, 2024, to secure their networks.

This news comes as Google's Threat Analysis Group (TAG) disclosed that a previously patched zero-day flaw in Samsung's mobile processors has been weaponized to achieve arbitrary code execution. This vulnerability, assigned the identifier CVE-2024-44068, was patched by Samsung on October 7, 2024. The company described it as a "use-after-free in the mobile processor [that] leads to privilege escalation." Google TAG researchers Xingyu Jin and Clement Lecigne reported that a zero-day exploit for this vulnerability is being used as part of a privilege escalation chain. They stated, "The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to 'vendor.samsung.hardware.camera.provider@3.0-service,' probably for anti-forensic purposes."

CISA has also proposed new security requirements to prevent bulk access to sensitive personal data or government-related data by countries of concern and covered persons. These requirements stipulate that organizations should remediate known exploited vulnerabilities within 14 calendar days, critical vulnerabilities with no exploit within 15 calendar days, and high-severity vulnerabilities with no exploits within 30 calendar days. CISA emphasized the necessity of maintaining audit logs of accesses and developing identity management processes and systems for data access.
