
Attackers Exploiting CVE-2024-38094 in SharePoint

Attackers are exploiting a Microsoft SharePoint vulnerability that the company disclosed, and patched, in July.

Attackers are exploiting a Microsoft SharePoint vulnerability that the company disclosed, and patched, in July. The vulnerability is rated important: it can lead to remote code execution, but an attacker would already need relatively high privileges in order to exploit it.

Why It Matters: The bug affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016, and an attacker can exploit it to gain remote code execution. SharePoint is a hugely popular product in enterprises, and CISA is warning federal civilian agencies and other organizations that the bug is being exploited in the wild. SharePoint often houses valuable internal corporate information and resources, which makes it a valuable target for many attackers.

Key Details

  • CVE-2024-38094 is a deserialization flaw in SharePoint that can allow an authenticated attacker to escalate their privileges and eventually execute arbitrary code. “An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” the advisory says.

  • Microsoft released a fix for the vulnerability in July, and at the time the company said that the bug had not been publicly disclosed but that exploitation was likely.

  • CISA has added the bug to its Known Exploited Vulnerabilities catalog.

  • It’s unknown who has exploited the bug or in what kind of operation.

What to Do Now: Apply the patch that Microsoft released in July.
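Because exploitation requires an account that already holds Site Owner permissions, a defender's first two questions are whether the July update is installed and which accounts hold that prerequisite role. The script below is an added example, not code from Vulnerable U or Microsoft; it runs in the SharePoint Management Shell on an on-premises farm and assumes the standard `Get-SPFarm` and `Get-SPSite` cmdlets are available. The patched build number is not stated on the page, so it is left as a placeholder to be filled in from Microsoft's July update notes.

```powershell
# Added example (not from the original post). Run in the SharePoint Management Shell
# as a farm administrator. Reports the farm build and lists every member of each
# site collection's Owners group so the set of accounts that could satisfy the
# Site Owner precondition for CVE-2024-38094 can be reviewed and trimmed.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the build number of the July 2024 security update for
# your SharePoint edition (the page does not state it).
$patchedBuild = [Version]'0.0.0.0'

$farm = Get-SPFarm
$farmBuild = $farm.BuildVersion
Write-Host "Farm build version: $farmBuild"
if ($farmBuild -lt $patchedBuild) {
    Write-Warning "Farm build is below the expected patched build; apply the July update."
} else {
    Write-Host "Farm build is at or above the expected patched build."
}

# Enumerate the associated Owners group for the root web of every site collection.
# Site Owners hold Full Control, which is the privilege level the advisory names.
$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $web = $site.RootWeb
        $ownerGroup = $web.AssociatedOwnerGroup
        if ($null -ne $ownerGroup) {
            foreach ($user in $ownerGroup.Users) {
                [PSCustomObject]@{
                    SiteUrl    = $site.Url
                    OwnerGroup = $ownerGroup.Name
                    LoginName  = $user.LoginName
                    IsDomainGroup = $user.IsDomainGroup
                }
            }
        }
    }
    finally {
        # SPSite objects hold unmanaged resources; always release them.
        $site.Dispose()
    }
}

# Domain groups nested into an Owners group deserve a second look, since every
# member of that group inherits Site Owner rights without appearing here by name.
$report | Sort-Object SiteUrl, LoginName | Format-Table -AutoSize
$report | Export-Csv -Path .\sharepoint-site-owners.csv -NoTypeInformation
```

The CSV makes it easy to compare the owner list against an expected baseline and to spot service accounts or broad domain groups (such as an all-staff group) that grant Site Owner rights more widely than intended; reducing that population narrows the set of credentials an attacker would need to compromise before this bug becomes usable.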