CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini March 27, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the 2023 Pwn2Own to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  the  Microsoft SharePoint Server Code Injection Vulnerability to its .

Microsoft addressed the remote code execution flaw in SharePoint Server, tracked as CVE-2023-24955 (CVSS Score 7.2), in May 2023. The Star Labs team demonstrated the vulnerability at the Pwn2Own Vancouver 2023 hacking competition. The vulnerability was part of an exploit chain that allowed the white hat hackers to obtain code execution on the target server.

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server.” reads the published by Microsoft.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by April 16, 2024.

This week CISA also added the following vulnerabilities to its .

  •  Fortinet FortiClient EMS SQL Injection Vulnerability
  •  Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  •  Nice Linear eMerge E3-Series OS Command Injection Vulnerability

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – Hacking, CISA)



you might also like

leave a comment