CISA Orders Federal Agencies to Patch SharePoint Vulnerabilities, Adds to Known Exploits List
Critical SharePoint Flaws Actively Exploited: CISA Issues Urgent Patching Directive
A serious cybersecurity alert has been issued for organizations using Microsoft SharePoint Server. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical SharePoint vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that threat actors are actively exploiting these flaws in the wild.
This directive mandates that all Federal Civilian Executive Branch (FCEB) agencies patch their systems immediately. However, this warning extends far beyond government entities. Any organization utilizing on-premise SharePoint Server environments is at significant risk and should take immediate action to mitigate this threat.
The two vulnerabilities in question can be chained together to achieve a devastating attack, allowing an unauthenticated attacker to gain administrator privileges and execute malicious code remotely.
Understanding the Critical Vulnerabilities
The two flaws at the heart of this alert are:
CVE-2023-29357 (Privilege Escalation Vulnerability): This is a critical flaw with a CVSS score of 9.8 out of 10. It allows an attacker to bypass authentication processes and gain the privileges of an administrator. Crucially, this exploit requires no user interaction and can be achieved without the attacker needing any prior credentials. It essentially leaves the front door to your server’s administrative controls wide open.
CVE-2023-24955 (Remote Code Execution Vulnerability): This vulnerability allows an authenticated attacker—who already has access to the SharePoint site—to execute arbitrary code on the server. While dangerous on its own, its true power is unleashed when combined with the first flaw.
The Attack Chain: A Recipe for Disaster
The primary danger lies in how these two vulnerabilities work in tandem. Cybercriminals are using a two-step process to take complete control of vulnerable SharePoint servers:
- Step 1: The attacker first exploits CVE-2023-29357 to elevate their privileges to that of a system administrator.
- Step 2: Now armed with administrative access, the attacker leverages CVE-2023-24955 to execute remote code. This allows them to deploy ransomware, install backdoors for persistent access, steal sensitive data, or launch further attacks within the network.
Because the initial entry point requires no authentication, any internet-facing, unpatched SharePoint Server is a prime target. This combination of flaws represents a complete system takeover scenario.
Why CISA’s KEV Catalog Matters to You
CISA’s KEV catalog is not just a list of potential threats; it is a definitive resource of vulnerabilities that are being actively and repeatedly used in real-world cyberattacks. When a vulnerability is added to this list, it’s a clear signal for all organizations to move from routine patching to emergency response.
While federal agencies are bound by a strict deadline to apply these patches, private sector companies and other organizations should treat this directive with the same level of urgency. The inclusion of these SharePoint flaws confirms that cybercriminals have developed a reliable method for exploitation and are actively searching for unpatched systems to compromise.
Actionable Security Steps to Protect Your Organization
If your organization uses Microsoft SharePoint Server 2016, 2019, or Subscription Edition, immediate action is required to prevent a security breach.
- Patch Immediately: This is the most critical step. Apply the security updates released by Microsoft in May and June 2023 that address these vulnerabilities. Do not delay this process.
- Verify Successful Installation: After deploying the patches, verify that they have been installed correctly across all relevant SharePoint servers in your farm. A failed or incomplete patch deployment leaves you just as vulnerable.
- Hunt for Signs of Compromise: Since these vulnerabilities are being actively exploited, it is crucial to investigate for any signs of a prior breach. Review server logs for unusual activity, unexpected administrative account creations, or suspicious outbound network traffic.
- Review Access Controls: Ensure that access to your SharePoint Server is restricted. Limit network access to the server itself and enforce the principle of least privilege for all user accounts.
- Stay Informed: Regularly monitor security advisories from both Microsoft and government agencies like CISA to stay ahead of emerging threats.
The threat posed by these chained vulnerabilities is severe. Failure to act can result in significant data loss, financial damage, and reputational harm. Protect your digital assets by ensuring your SharePoint environments are patched and secure without delay.
Source: https://securityaffairs.com/180301/hacking/u-s-cisa-adds-two-microsoft-sharepoint-flaws-to-its-known-exploited-vulnerabilities-catalog.html
