🔴 Critical | Source: The Register — Security
A remote code execution vulnerability in Microsoft SharePoint on-premises servers has been added to CISA’s Known Exploited Vulnerabilities catalogue, meaning it is actively being used in real-world attacks. Exploitation requires only a valid SharePoint account, making the barrier to attack unusually low. Microsoft had previously assessed exploitation as ‘less likely’, but CISA’s addition signals that assessment was incorrect and patching is now urgent.
Security Architect’s Take: Audit your estate immediately for unpatched on-premises SharePoint deployments and apply Microsoft’s available patch without delay — CISA’s KEV listing means federal agencies have a binding deadline, but the low authentication requirement makes this a priority for all organisations running on-prem SharePoint. If patching cannot be done immediately, consider restricting SharePoint access to known IP ranges or VPN and reviewing authentication logs for anomalous account activity.
Original advisory: Microsoft said exploitation was ‘less likely’ … but CISA just added SharePoint RCE to KEV list