CVE-2024-30044: SharePoint Server RCE Zero-Day Patched — Patch Now
- [01] Attackers are actively exploiting a critical remote code execution vulnerability in SharePoint Server to gain unauthorized access to sensitive corporate data.
- [02] Vulnerable systems include Microsoft SharePoint Server 2016, 2019, and Subscription Edition, alongside numerous Windows and Office components.
- [03] Organizations should immediately deploy the May 2024 security updates to remediate three exploited zero-day vulnerabilities and over 140 other flaws.
May 2024 Patch Tuesday Overview
Microsoft has released its security update for May 2024, addressing a staggering 161 vulnerabilities. This release marks the second-largest Patch Tuesday in the company’s history by CVE count, according to SecurityWeek. Among the fixes are three Zero-Day vulnerabilities that have been confirmed as exploited in the wild, emphasizing the urgency for system administrators to prioritize these updates. The release covers a wide array of products, including Windows, Office, SharePoint Server, and the .NET framework.
Technical Analysis: The SharePoint RCE (CVE-2024-30044)
The most significant threat in this cycle is CVE-2024-30044, a critical RCE vulnerability in Microsoft SharePoint Server. This flaw carries a CVSS score of 8.8 and is actively being targeted by threat actors. The vulnerability allows an authenticated attacker with Site Owner permissions (or higher) to upload a specially crafted file to a SharePoint Server and then trigger the execution of code on the underlying server.
While the requirement for authentication might suggest a lower risk, the reality for a modern SOC is that compromised credentials or malicious insiders frequently bypass the initial barrier. Once an attacker has reached this stage, achieving RCE on a SharePoint instance often leads to a massive data breach or Lateral Movement within the corporate network. Because SharePoint serves as a central repository for sensitive documents, the impact of such an exploit is severe.
How to detect CVE-2024-30044 exploit
Defenders should monitor SharePoint logs for unusual file uploads, particularly those originating from user accounts that do not typically manage site configuration. Additionally, EDR solutions should be configured to flag suspicious child processes spawned by the SharePoint worker process (w3wp.exe). Integration with a SIEM can help correlate these process executions with authentication anomalies to identify potential exploitation attempts in real-time.
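The detection logic described above, as an added example that is not part of the original article: it flags unexpected interpreters spawned by w3wp.exe and raises severity when a SharePoint upload on the same host precedes the launch. The event records, field names and account names are constructed for illustration.

```python
"""Flag suspicious w3wp.exe child processes and correlate them with recent uploads.
Added example; field names follow Sysmon-style process-creation events and a
hypothetical SharePoint upload audit feed. All records below are constructed."""
from datetime import datetime, timedelta

# Interpreters and LOLBins that the SharePoint worker process should not normally spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# Constructed sample data: process-creation events from an EDR feed.
PROCESS_EVENTS = [
    {"ts": "2024-05-14T10:02:11", "host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "user": "CONTOSO\\svc-sp-apppool"},
    {"ts": "2024-05-14T10:05:42", "host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "CONTOSO\\svc-sp-apppool"},
    {"ts": "2024-05-14T10:30:00", "host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "CONTOSO\\jdoe"},
]
# Constructed sample data: SharePoint upload audit entries.
UPLOAD_EVENTS = [
    {"ts": "2024-05-14T10:04:58", "host": "SP01", "user": "CONTOSO\\contractor1",
     "site": "/sites/finance", "file": "report.aspx"},
    {"ts": "2024-05-14T08:00:00", "host": "SP01", "user": "CONTOSO\\alice",
     "site": "/sites/hr", "file": "policy.docx"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_w3wp_children(events):
    """Process events where w3wp.exe spawned an unexpected interpreter."""
    return [e for e in events
            if basename(e["parent"]) == "w3wp.exe" and basename(e["image"]) in SUSPICIOUS_CHILDREN]

def correlate_uploads(proc_event, uploads, window=timedelta(minutes=10)):
    """Uploads on the same host shortly before the process launch. The child process
    runs as the app-pool identity, not the uploader, so correlation is by host and time."""
    t = datetime.fromisoformat(proc_event["ts"])
    return [u for u in uploads if u["host"] == proc_event["host"]
            and t - window <= datetime.fromisoformat(u["ts"]) <= t]

def build_alerts(proc_events, uploads):
    """One alert per suspicious child; 'high' when a recent upload is correlated."""
    alerts = []
    for e in suspicious_w3wp_children(proc_events):
        related = correlate_uploads(e, uploads)
        alerts.append({"host": e["host"], "ts": e["ts"], "child": basename(e["image"]),
                       "severity": "high" if related else "medium",
                       "uploads": [(u["user"], u["site"] + "/" + u["file"]) for u in related]})
    return alerts

if __name__ == "__main__":
    for a in build_alerts(PROCESS_EVENTS, UPLOAD_EVENTS):
        print(a)
```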
Analysis of Additional Zero-Days: CVE-2024-30051 and CVE-2024-30040
Beyond SharePoint, Microsoft addressed CVE-2024-30051, a flaw in the Windows Desktop Window Manager (DWM) Core Library. This is a Privilege Escalation vulnerability that allows an attacker to gain SYSTEM-level privileges. Exploitation of this flaw has been observed in conjunction with various malware families, as it provides a reliable method for attackers to gain full control over a compromised workstation after an initial Phishing attack.
Another exploited flaw, CVE-2024-30040, is a security feature bypass in the Windows MSHTML platform. By convincing a user to open a malicious file, attackers can bypass Mark of the Web (MOTW) protections, leading to further compromise without the usual security warnings being presented to the user.
Remediation and Microsoft SharePoint Server RCE Mitigation
The primary recommendation for all organizations is to apply the May 2024 cumulative updates immediately. Given the scale of this update, security teams should focus on a tiered rollout, starting with internet-facing SharePoint servers and high-risk workstations.
Microsoft SharePoint Server RCE mitigation steps
For environments where immediate patching is impossible, defenders should evaluate the following steps:
- Restrict the ability of users to create new SharePoint sites or upload high-risk file types where not strictly necessary for business operations.
- Audit accounts with ‘Site Owner’ privileges to ensure the principle of least privilege is strictly enforced.
- Utilize MITRE ATT&CK framework mapping to verify that current detection rules cover web-shell activity and unauthorized process execution on SharePoint hosts.
Failure to address these vulnerabilities leaves the door open for sophisticated threat actors to establish C2 channels and initiate Ransomware deployment across the enterprise infrastructure.