The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities catalog, warning that attackers are actively exploiting the flaws in the wild. The vulnerabilities — CVE-2024-38094, CVE-2024-38117, and CVE-2024-38118 — affect supported versions of SharePoint Server and SharePoint Foundation. CISA's move signals that these bugs pose a significant risk to federal networks and critical infrastructure.
Vulnerabilities and impact
The three flaws include a remote code execution vulnerability (CVE-2024-38094) that allows an authenticated attacker to run arbitrary code in the context of the SharePoint farm. The other two are elevation-of-privilege bugs: CVE-2024-38117 enables an attacker to gain elevated access, while CVE-2024-38118 could let an authenticated user escape their restricted SharePoint environment. Microsoft patched all three in its July 2024 security update, but CISA's alert confirms that threat actors are now actively exploiting them against unpatched systems.
Response and mitigation
CISA has ordered all U.S. federal civilian agencies to apply the available patches by September 3, 2024, under the Binding Operational Directive 22-01. Private organizations are strongly urged to prioritize patching these SharePoint flaws as well. Given SharePoint's widespread use in enterprise environments for document management and collaboration, unpatched instances present a broad attack surface. Security teams should immediately check for the July 2024 updates and ensure no systems remain vulnerable, as exploitation activity is already underway.