"CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks"

CISA recently added a second SharePoint flaw, demonstrated last year at a Pwn2Own hacking competition, to its Known Exploited Vulnerabilities (KEV) list.  The Star Labs team demonstrated the flaw, tracked as CVE-2023-24955, in March 2023 at Pwn2Own Vancouver alongside CVE-2023-29357.   This two-bug exploit chain, which allows unauthenticated remote code execution on SharePoint servers with elevated privileges, earned the Star Labs team $100,000 at Pwn2Own. Microsoft patched CVE-2023-24955 and CVE-2023-29357 with SharePoint updates released in May and June 2023, respectively.  Less than one month later, CISA added CVE-2023-29357 to its KEV catalog.  The second vulnerability that is part of the exploit chain, CVE-2023-24955, has also been added to the list.  The latest entry, CVE-2023-24955, must be addressed by government organizations by April 16.

SecurityWeek reports: "CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks"

Submitted by Adam Ekwall on