Microsoft said exploitation was 'less likely' ... but CISA just added SharePoint RCE to KEV list
Summary
CISA has added a remote code execution (RCE) vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, despite Microsoft initially assessing exploitation as "less likely." The flaw allows attackers with a valid SharePoint account to execute code on vulnerable on-premises servers. All federal agencies are mandated to address KEV catalog vulnerabilities.
IFF Assessment
The inclusion of a SharePoint RCE vulnerability in CISA's KEV list indicates active exploitation, posing a significant and immediate risk to organizations running vulnerable on-premises servers.
Severity
This high score reflects a critical remote code execution vulnerability in SharePoint Server that lets an attacker with low privileges (a valid account) fully compromise on-premises servers, with high impact on confidentiality, integrity, and availability.
Defender Context
Defenders must immediately identify and patch all vulnerable on-premises Microsoft SharePoint Server instances, as CISA's inclusion of this RCE flaw in its KEV list signifies active exploitation. Organizations should prioritize patching and monitor for signs of compromise. Because an attacker needs only a valid account to achieve full system control, robust access controls and least-privilege principles are critical.