Attack Chain

1. An unauthenticated attacker identifies a vulnerable, internet-facing SharePoint server.
2. The attacker crafts a malicious HTTP request targeting the RCE vulnerability.
3. The SharePoint server processes the request without proper authentication or input validation.
4. The attacker injects a payload, such as a web shell, into the SharePoint server’s process.
5. The injected payload executes arbitrary code within the context of the SharePoint application pool account.
6. The attacker leverages the web shell for remote access and reconnaissance within the SharePoint environment.
7. The attacker attempts to escalate privileges within the compromised server or the Active Directory domain.
8. The attacker moves laterally within the network, potentially targeting sensitive data or deploying ransomware.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers. The impact includes potential data breaches, system compromise, and lateral movement within the network. Given the widespread use of SharePoint in enterprise environments, a successful attack could lead to significant disruption and financial losses, especially if attackers deploy ransomware or exfiltrate sensitive information. The specific number of affected organizations is currently unknown, but CERT-EU emphasizes the critical need for immediate patching.

Recommendation

• Immediately patch all Microsoft SharePoint servers, prioritizing internet-facing assets, as recommended by CERT-EU.
• Implement the provided Sigma rule (SharePoint_Suspicious_Process) to detect suspicious process creation by the SharePoint application pool account.
• Monitor web server logs for unusual HTTP requests targeting SharePoint servers that could indicate exploitation attempts (refer to the SharePoint_Unauth_RCE Sigma rule).
• Review and harden SharePoint server configurations to minimize the attack surface.