A critical vulnerability affecting Microsoft SharePoint, identified as CVE-2024-38094, has been recently incorporated into the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This adds urgency as CISA has flagged the issue, citing active exploitation in the wild.

This high-severity vulnerability, which carries a CVSS score of 7.2, is classified as a deserialization issue that may enable remote code execution. According to Microsoft, an attacker with Site Owner permissions can exploit this vulnerability to inject arbitrary code, which would execute within the context of the SharePoint Server.

Microsoft previously issued patches for this flaw during its July 2024 Patch Tuesday updates, making it imperative for organizations to stay up to date. However, the situation is exacerbated by the existence of publicly available proof-of-concept (PoC) exploits, which facilitate exploitation attempts against unpatched systems.

As noted by cybersecurity firm SOCRadar, the PoC exploits automate authentication to targeted SharePoint sites, allowing an attacker to create specific folders and files and to send crafted XML payloads designed to exploit the vulnerability through the SharePoint client API.

While precise details of real-world exploitation of CVE-2024-38094 remain scarce, the imposition of a November 12, 2024 deadline for remediation by Federal Civilian Executive Branch (FCEB) agencies underscores the urgency of combatting this threat. Organizations must address this vulnerability promptly to protect their networks against potential attacks.

This advisory follows a report from Google’s Threat Analysis Group (TAG) regarding a zero-day vulnerability in Samsung’s mobile processors, now patched, which was weaponized as part of a broader exploit chain enabling arbitrary code execution. This vulnerability is registered as CVE-2024-44068, with a CVSS score of 8.1, and linked to privilege escalation through a use-after-free flaw.

As reported, although Samsung has not confirmed exploitation, researchers found that the vulnerability facilitated the execution of arbitrary code targeting a privileged cameraserver process. Tactics such as process renaming for anti-forensic purposes were also noted.

In light of these vulnerabilities, CISA has proposed a set of security requirements aimed at mitigating risks associated with unauthorized access to sensitive U.S. data. Organizations are advised to resolve known vulnerabilities swiftly, with defined timelines for critical and high-severity issues.

Recent investigations by cybersecurity firm Rapid7 revealed that threat actors are actively using CVE-2024-38094 to infiltrate systems, installing web shells and remaining undetected for two weeks. Following initial access, these adversaries used persistence and privilege-escalation techniques to compromise Microsoft Exchange service accounts holding domain administrator privileges, employing tools such as Impacket and Mimikatz to achieve their objectives.

To safeguard their operations, business owners must recognize the necessity of continuous monitoring and rapid remediation of vulnerabilities. Enhanced identity management, robust security practices, and up-to-date systems are pivotal in defending against evolving cyber threats.
