Attackers abuse Sharepoint vulnerability for code smuggling
The IT security authority CISA warns of current attacks on a Sharepoint vulnerability. It enables code smuggling.
Updates are available.
(Image: created with AI in Bing Designer by heise online / dmk)
The US IT security authority CISA warns of attacks on a vulnerability in Microsoft's Sharepoint server. Updates that close the abused vulnerability are available, and IT managers should install them now at the latest.
CISA writes in a press release that it has included the vulnerability CVE-2024-38094 in the Known Exploited Vulnerabilities catalog. As usual, the authority does not discuss the nature of the attacks that have been observed on the vulnerability, the extent to which they occur, or how IT managers can recognize them.
Attacks on the Sharepoint deserialization vulnerability
The Sharepoint vulnerability is an unspecified "deserialization of untrusted data", as Microsoft writes in its own security announcement. "Authenticated attackers with site owner privileges can abuse the vulnerability to inject arbitrary code and execute this code in the context of the Sharepoint server," write the Redmond developers, rating the vulnerability as high risk with a CVSS score of 7.2. "Abuse is more likely" is the assessment in Microsoft's announcement.
Microsoft Sharepoint Server Subscription Edition, Microsoft Sharepoint Server 2019 and Microsoft Sharepoint Enterprise Server 2016 are affected, Microsoft states in the advisory. The CVE entry lists the affected build numbers in more detail: Sharepoint Enterprise Server 2016 is vulnerable from version 16.0.0 to version 16.0.5456.1000, Sharepoint Server 2019 from 16.0.0 to version 16.0.10412.20001 and the Subscription Edition from 16.0.0 to version 16.0.17328.20424, with the latter version in each range closing the gap.
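To check an inventory against these build numbers, the following added example (not from the article or from Microsoft) classifies hosts as vulnerable, patched or unknown. It assumes the upper bound of each range is the first fixed build, as the article states; the host names and the inventory rows are constructed.

```python
# Assumption: the upper bound of each range in the article is the first fixed build.
from typing import NamedTuple

# First fixed build per product for CVE-2024-38094, as quoted in the article.
FIXED_BUILDS = {
    "Sharepoint Enterprise Server 2016": (16, 0, 5456, 1000),
    "Sharepoint Server 2019": (16, 0, 10412, 20001),
    "Sharepoint Server Subscription Edition": (16, 0, 17328, 20424),
}

class Finding(NamedTuple):
    host: str
    product: str
    build: str
    status: str  # "vulnerable", "patched" or "unknown"

def parse_build(build: str) -> tuple:
    """Turn '16.0.5456.1000' into (16, 0, 5456, 1000); raise ValueError if malformed."""
    parts = tuple(int(p) for p in build.strip().split("."))
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"not a four-part build number: {build!r}")
    return parts

def classify(host: str, product: str, build: str) -> Finding:
    """Compare field by field as integers; as strings, 10412 would sort before 5456."""
    fixed = FIXED_BUILDS.get(product)
    try:
        parsed = parse_build(build)
    except ValueError:
        parsed = None
    if fixed is None or parsed is None:
        return Finding(host, product, build, "unknown")
    return Finding(host, product, build, "patched" if parsed >= fixed else "vulnerable")

# Constructed inventory rows (host, product, build); not real systems.
SAMPLE_INVENTORY = [
    ("sp16-a", "Sharepoint Enterprise Server 2016", "16.0.5452.1000"),
    ("sp19-a", "Sharepoint Server 2019", "16.0.10412.20001"),
    ("spse-a", "Sharepoint Server Subscription Edition", "16.0.17328.20292"),
    ("sp19-b", "Sharepoint Server 2019", "16.0.10411"),
]

def triage(inventory):
    """Return hosts needing attention: vulnerable first, then unknown."""
    findings = [classify(*row) for row in inventory]
    return sorted((f for f in findings if f.status != "patched"), key=lambda f: f.status != "vulnerable")

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:10} {f.host:8} {f.product} {f.build}")
```

Rows reported as unknown (unlisted product or truncated build string) should be resolved by hand and not assumed patched.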
Microsoft had released updates that correct the Sharepoint vulnerability on the July 2024 Patchday. The other updates distributed on that patchday also closed an already attacked vulnerability in Hyper-V under Windows 11 and Server 2022.
(dmk)