Summary: A critical deserialization vulnerability in Microsoft SharePoint, identified as CVE-2024-38094, is currently being exploited, posing significant risks to federal enterprises. The flaw allows authenticated attackers with Site Owner permissions to execute arbitrary code remotely, emphasizing the urgency for patching.
Threat Actor: Malicious cyber actors | malicious cyber actors
Victim: Federal enterprises | federal enterprises
Key Point :
- The vulnerability has a CVSS score of 7.2, indicating high severity.
- Patches were released in July, but exploitation is ongoing, with a proof-of-concept available on GitHub.
- Federal agencies must implement the latest fixes by November 12 to mitigate risks.
A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit.
The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10.
“An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft reported in an alert.
Patches for the flaw were released in July as part of a series of Patch Tuesday updates, and it has since been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
The risk of potential continued exploitation of the vulnerability is further heightened due to the fact that a proof-of-concept is now available on GitHub for public viewing.
No additional details about how the vulnerability is being actively exploited have been shared, but due to these developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by Nov. 12.
Source: https://www.darkreading.com/vulnerabilities-threats/microsoft-sharepoint-vuln-active-exploit