The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day remote code execution vulnerability in Microsoft SharePoint Server. This security flaw is currently being exploited by attackers, putting organizations that use SharePoint Server at heightened risk. The vulnerability enables attackers to remotely execute code, which can lead to unauthorized access, compromise of sensitive information, and full control over affected systems—especially when attackers obtain high-privilege accounts like Site Owner permissions.
Key Information about the Vulnerability:
- Microsoft recently addressed this vulnerability with a security patch in July 2024. The flaw, identified as CVE-2024-38094, has been added to CISA’s Known Exploited Vulnerabilities catalog.
- Attackers can take advantage of this flaw by crafting specific API requests, abusing how SharePoint server handles the deserialization of file parameters. This allows them to run malicious code on the server.
- Proof-of-concept exploit code is already publicly available, which increases the potential for attackers to launch widespread attacks.
Current Threat Landscape:
- Cybersecurity experts have observed active attacks that target Microsoft SharePoint Server using this vulnerability.
- While user interaction is not required for these attacks, the attackers do need privileged access, such as Site Owner credentials, to successfully exploit the flaw.
Recommended Actions and Mitigation:
- CISA has directed all federal agencies to find, patch, or remove vulnerable SharePoint servers by November 12, 2024, as required by government cybersecurity policy.
- Though this mandate is specifically for federal agencies, all organizations are urged to prioritize updating and protecting their SharePoint servers.
- It is essential to apply security patches as soon as they are released and to limit the number of accounts with elevated permissions to reduce potential attack surfaces.
- Organizations should regularly update their vulnerability management processes and review privileges assigned to SharePoint accounts.
Background:
- Microsoft SharePoint Server has faced several major remote code execution issues in the past. Attackers have previously taken advantage of such vulnerabilities, some of which have been demonstrated in cybersecurity competitions or reported as critical flaws.
Given the public availability of exploit tools and active attacks, immediate action is necessary to prevent possible breaches and protect organizational assets. Prompt patching and careful management of user permissions are currently the most effective defenses.