On July 18th, Eye Security researchers identified a critical vulnerability that allows hackers to exploit certain versions of SharePoint on-premises servers and steal keys that can be used to impersonate users or services. The vulnerability poses a significant threat because compromised servers remain vulnerable even after rebooting or patching. Fortunately, cloud-based SharePoint versions are not affected by this exploit.
The zero-day exploit enables hackers to access sensitive data, extract passwords, and move through connected services such as Outlook, Teams, and OneDrive. It is believed to stem from a combination of vulnerabilities revealed at the Pwn2Own hacking competition in May that together grant unauthorized entry to SharePoint servers.
Microsoft has promptly released patches for SharePoint 2019 and SharePoint Subscription Edition servers. Work is underway on a patch for SharePoint 2016, so that all vulnerable servers are covered.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the extent and repercussions of these attacks are still under evaluation. Any servers compromised by the exploit should be disconnected from the internet until an official resolution is provided. Attacks using the exploit have targeted various entities, including US government agencies, universities, energy firms, and an Asian telecom company, as reported by the Washington Post.