Double-whammy of Microsoft SharePoint vulnerabilities mean all users must take immediate action

The third Tuesday of the month has been and gone, which means that Microsoft has issued its monthly round-up of vulnerability fixes. Including a double-whammy of Microsoft SharePoint vulnerabilities, as I explain in detail below.

It also means that time is now of the essence to mitigate these vulnerabilities. Not for nothing is yesterday known as Exploit Wednesday, although that prefix could be attached to any day of the week from now forward.

This is made particularly evident with one of the warnings that has been issued for Microsoft SharePoint users and relates to a vulnerability that was patched last year. But more of that in a moment. First, let’s look at the latest vulnerability that needs your urgent attention.

Related reading: Why do we still have Exploit Wednesday?

Microsoft SharePoint vulnerability number 1

CVE-2024-21426 is a Remote Code Execution (RCE) vulnerability within Microsoft SharePoint Server which comes complete with high-rated 7.8 Common Vulnerability Scoring System (CVSS) score.

“This vulnerability enables an attacker to execute arbitrary code on the affected system through a malicious file sent to the user, requiring the latter’s cooperation to open it,” says Mike Walters, President and Co-Founder of Action1, a vendor of risk-based patch management software.

However, despite being classified as a local attack vector vulnerability, meaning the attacker needs local system access, Walters warns that “the potential for remote code execution exists if the user is persuaded to open the malicious file”.

He adds: “An attacker leveraging this vulnerability could achieve full system control, enabling file manipulation and possibly causing significant downtime.”

The nature of this vulnerability demands the attention of all Microsoft SharePoint users, especially those on version 2016 and later, who should apply the mitigating patch as a matter of urgency.

Microsoft SharePoint vulnerability number 2

That CVE-2023-24955 is also in the news this week only goes to illustrate how often such mitigations are overlooked. Although patched in May 2023, it’s another SharePoint vulnerability that needs to be immediately addressed.

CVE-2023-24955 first came to light during the March 2023 Pwn2Own hacking competition, when it was used alongside another in a zero-day exploit chain. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies in the US until 16 April to ensure their systems are fully patched against it.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said when adding CVE-2023-24955 to the Known Exploited Vulnerabilities (KEV) listing that starts the patch countdown clock ticking.

Ray Kelly, a fellow at the Synopsys Software Integrity Group, says: “This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data.

“These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers.

“The fact that CISA is now warning us about active exploitation indicates that many organisations have failed to apply the necessary security updates in a timely manner.”