The U.S. Cybersecurity and Infrastructure Security Agency added a Microsoft SharePoint remote code execution vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday, confirming that threat actors are actively targeting the flaw in real-world attacks. The vulnerability, tracked as CVE-2024-38094, carries a CVSS score of 7.2 and allows authenticated attackers to execute arbitrary code on affected SharePoint servers.
Microsoft released patches for CVE-2024-38094 in its May 2024 Patch Tuesday security update, more than seven months before CISA's exploitation warning. The vulnerability affects multiple versions of Microsoft SharePoint Server, including SharePoint Server 2019 and SharePoint Server Subscription Edition. Organizations that have not applied the May updates remain vulnerable to attack.
Technically, the vulnerability allows authenticated users holding specific SharePoint permissions to trigger remote code execution on the server. Although authentication is required, the flaw presents a significant risk in environments where attackers have already gained initial access through phishing, credential theft, or other means. Successful exploitation could give attackers full control of SharePoint servers and access to sensitive corporate data.
CISA's addition of CVE-2024-38094 to the KEV catalog indicates that federal agencies have observed active exploitation attempts in the wild. This designation requires all Federal Civilian Executive Branch agencies to patch vulnerable systems by January 22, 2025, under Binding Operational Directive 22-01. The agency's warning serves as a strong signal to private sector organizations that the vulnerability poses an immediate threat.
Organizations running Microsoft SharePoint should immediately verify that May 2024 security updates have been applied to all SharePoint servers. Administrators should review access logs for suspicious authentication attempts or unusual code execution patterns. Security teams should also implement network segmentation to limit potential lateral movement if SharePoint servers are compromised, and ensure that SharePoint accounts follow least-privilege principles to reduce the attack surface for authenticated exploitation.
Source: https://www.securityweek.com/cisco-confirms-in-the-wild-exploitation-of-unified-cm-vulnerability/