A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution.
“An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft said in an alert for the flaw.
Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain.
“The PoC script […] automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to trigger the vulnerability in the SharePoint client API,” SOCRadar said.
There are currently no reports about how CVE-2024-38094 is exploited in the wild. In light of in-the-wild abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by November 12, 2024, to secure their networks.
The development comes as Google’s Threat Analysis Group (TAG) revealed that a now-patched zero-day vulnerability in Samsung’s mobile processors has been weaponized as part of an exploit chain to achieve arbitrary code execution.
Assigned the CVE identifier CVE-2024-44068 (CVSS score of 8.1), it has been addressed as of October 7, 2024, with the South Korean electronics giant characterizing it as a “use-after-free in the mobile processor [that] leads to privilege escalation.”
While Samsung’s terse advisory makes no mention of it having been exploited in the wild, Google TAG researchers Xingyu Jin and Clement Lecigne said a zero-day exploit for the shortcoming is used as part of a privilege escalation chain.
“The actor is able to execute arbitrary code in a privileged cameraserver process,” the researchers said. “The exploit also renamed the process name itself to ‘[email protected],’ probably for anti-forensic purposes.”
The disclosures also follow a new proposal from CISA that puts forth a series of security requirements in order to prevent bulk access to U.S. sensitive personal data or government-related data by countries of concern and covered persons.
In line with the requirements, organizations are expected to remediate known exploited vulnerabilities within 14 calendar days, critical vulnerabilities with no exploit within 15 calendar days, and high-severity vulnerabilities with no exploits within 30 calendar days.
“To ensure and validate that a covered system denies covered persons access to covered data, it is necessary to maintain audit logs of such accesses as well as organizational processes to utilize those logs,” the agency said.
“Similarly, it is necessary for an organization to develop identity management processes and systems to establish an understanding of what persons may have access to different data sets.”