The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a safety flaw impacting the Microsoft Sharepoint Server to its Identified Exploited Vulnerabilities (KEV) catalog primarily based on proof of energetic exploitation within the wild.
The vulnerability, tracked as CVE-2023-24955 (CVSS rating: 7.2), is a important distant code execution flaw that permits an authenticated attacker with Web site Proprietor privileges to execute arbitrary code.
“In a network-based assault, an authenticated attacker as a Web site Proprietor might execute code remotely on the SharePoint Server,” Microsoft mentioned in an advisory. The flaw was addressed by Microsoft as a part of its Patch Tuesday updates for Might 2023.
The event comes greater than two months after CISA added CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalog.
It is price stating that an exploit chain combining CVE-2023-29357 and CVE-2023-24955 was demonstrated by StarLabs SG on the Pwn2Own Vancouver hacking contest final yr, incomes the researchers a $100,000 prize.
That mentioned, there may be at present no info on the assaults weaponizing these two vulnerabilities and the menace actors that could be exploiting them.
Microsoft beforehand instructed The Hacker Information that “clients who’ve enabled computerized updates and allow ‘Obtain updates for different Microsoft merchandise’ choice inside their Home windows Replace settings are already protected.”
Federal Civilian Government Department (FCEB) businesses are required to use the fixes by April 16, 2024, to safe their networks in opposition to energetic threats.