CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution.
"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft said in an alert for the flaw.
Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain.
"The PoC script [...] automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to trigger the vulnerability in the SharePoint client API," SOCRadar said.
There are currently no reports about how CVE-2024-38094 is exploited in the wild. In light of in-the-wild abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by November 12, 2024, to secure their networks.
The development comes as Google's Threat Analysis Group (TAG) revealed that a now-patched zero-day vulnerability in Samsung's mobile processors has been weaponized as part of an exploit chain to achieve arbitrary code execution.
Assigned the CVE identifier CVE-2024-44068 (CVSS score of 8.1), it has been addressed as of October 7, 2024, with the South Korean electronics giant characterizing it as a "use-after-free in the mobile processor [that] leads to privilege escalation."
While Samsung's terse advisory makes no mention of it having been exploited in the wild, Google TAG researchers Xingyu Jin and Clement Lecigne said a zero-day exploit for the shortcoming is used as part of a privilege escalation chain.
"The actor is able to execute arbitrary code in a privileged cameraserver process," the researchers said. "The exploit also renamed the process name itself to '[email protected],' probably for anti-forensic purposes."
The disclosures also follow a new proposal from CISA that puts forth a series of security requirements in order to prevent bulk access to U.S. sensitive personal data or government-related data by countries of concern and covered persons.
In line with the requirements, organizations are expected to remediate known exploited vulnerabilities within 14 calendar days, critical vulnerabilities with no exploit within 15 calendar days, and high-severity vulnerabilities with no exploits within 30 calendar days.
"To ensure and validate that a covered system denies covered persons access to covered data, it is necessary to maintain audit logs of such accesses as well as organizational processes to utilize those logs," the agency said.
"Similarly, it is necessary for an organization to develop identity management processes and systems to establish an understanding of what persons may have access to different data sets."
Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland
Fortinet warns of new critical FortiManager flaw used in zero-day attacks
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner