"CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks"
"CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks"
CISA recently added a second SharePoint flaw, demonstrated last year at a Pwn2Own hacking competition, to its Known Exploited Vulnerabilities (KEV) list. The Star Labs team demonstrated the flaw, tracked as CVE-2023-24955, in March 2023 at Pwn2Own Vancouver alongside CVE-2023-29357. This two-bug exploit chain, which allows unauthenticated remote code execution on SharePoint servers with elevated privileges, earned the Star Labs team $100,000 at Pwn2Own. Microsoft patched CVE-2023-24955 and CVE-2023-29357 with SharePoint updates released in May and June 2023, respectively.