Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.
Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
"A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may

Vulnerability / Network Security

Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.

Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.

"A missing authentication for critical function vulnerability \[CWE-306\] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," the company said in a Wednesday advisory.

The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with fgfm service enabled and the below configuration on -

config system global
set fmg-status enable
end

Fortinet has also provided three workarounds for the flaw depending on the current version of FortiManager installed -

*   FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices to attempt to register
*   FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
*   FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate

According to runZero, a successful exploitation requires the attackers to be in possession of a valid Fortinet device certificate, although it noted that such certificates could be obtained from an existing Fortinet device and reused.

"The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices," the company said.

It, however, emphasized that the vulnerability has been not weaponized to deploy malware or backdoors on compromised FortiManager systems, nor is there any evidence of any modified databases or connections.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the defect to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.

Fortinet also shared the below statement with The Hacker News -

_After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.

Source: Artimages via Alamy Stock Photo

An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.

"Prometei" was first discovered in 2020, but later evidence suggested that it's been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.

"Prometei's reach is global due to its focus on widely used software vulnerabilities," explains Callie Guenther, senior manager of cyber-threat research at Critical Start. "The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. \[In this case\], organizations using unpatched or poorly configured Exchange servers are particularly at risk."

Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.

**Loud Entry Into Unloved Systems**

Don't expect an initial Prometei infection to be terribly sophisticated.

The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.

After its first successful login into a machine, the malware went to work testing out a variety of outdated vulnerabilities that might still be lingering in its target's environment. For example, it uses the half-decade old "BlueKeep" bug in the Remote Desktop Protocol (RDP) — rated a "critical" 9.8 out of 10 in the Common Vulnerability Scoring System — to try and achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have "high" 7.8 CVSS ratings.

Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective approach to weeding out better-equipped systems belonging to more active organizations.

"Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes," Mayuresh Dani, manager of security research at Qualys, points out. "The malware authors want to go after easy pickings, and in today's connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues."

**Prometei's Fire**

Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.

One particularly useful Prometei command evokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces those plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.

The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners' knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.

As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.

"I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there's probably more going on in your system," he says. "If you look at our 2021 blog, there was LemonDuck, a ransomware group, and \[Prometei\] all within the same machines."

**Russia Links**

There is one specific part of the globe that Prometei does not touch.

The botnet's Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled "Guest" or "Other user" in Russian.

Older variants of the malware contained bits of Russian-language settings and language code, and the name "Prometei" is a translation of "Prometheus" in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus' liver every day, only for the liver to persist through reboots each night.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Prometei' Botnet Spreads Its Cryptojacker Worldwide

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no financial details were exposed, users are advised to change passwords and stay alert for phishing attacks.

The hacker, known as “Shooked,” leaked the personal details of over 180,000 Esport North Africa (ESNA) users just one day before the tournament is set to begin in Morocco. The 3 GB data dump, which Shooked claims is the “full database,” was released on **Breach Forums** on the morning of Wednesday, October 23, 2024. The ESNA tournament is scheduled to start on Thursday, October 24th.

Screenshot from the targeted site

For context, Esport North Africa (ESNA – Electronic Sports North Africa) is a platform designed to promote competitive gaming and esports development across the North African region. It organizes tournaments in popular games such as FC25, Free Fire, Street Fighter 6, and other competitive titles, providing opportunities for gamers to showcase their skills.

The leaked data was analyzed by the Hackread.com research team and contains over 9 million lines. However, after the removal of duplicate entries, the total number of unique user records stands at 180,000. This data includes the following information:

*   **User ID**
*   **Country**
*   **Usernames**
*   **IP addresses**
*   **Timestamp**
*   **Session ID**
*   **WordPress URLs**
*   **Email addresses (179,224)**

and other details…

Hacker on Breach Forum and sample data (Screenshot: Hackread.com)

While the leaked data does not include passwords or financial details, the breach appears legitimate. However, final confirmation is pending a response from the organization, which Hackread.com has reached out to for comment.

Cyberattacks on gaming companies and gamers are not new, as they are often lucrative targets for criminals. Last year, Akamai’s research revealed how hackers used **the Dark Frost Botnet** to target gaming companies and players, compromising devices to execute DDoS attacks.

If you have an account on ESNA (ESNA.GG), it’s recommended to change your password as a precaution. Additionally, be cautious of potential phishing emails from cybercriminals posing as Esport North Africa representatives, attempting to **exploit the breach**.

**RELATED ARTICLES**

1.  **Online gaming and protection against cyber attacks**
2.  **RapperBot malware hits gaming servers with DDoS attacks**
3.  **Gaming Giant Activision Employees Hit by SMS Phishing Attack**
4.  **Gaming controllers manufacturer exposed 1.1M customer records**
5.  **How data collected in gaming can be used to breach user privacy**

Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-qqqw-gm93-qf6m: OS Command Injection in Snyk gradle plugin

The Snyk php plugin is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

GHSA-69f9-h8f9-7vjf: OS Command Injection in Snyk php plugin

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Source: MAHATHIR MOHD YASIN via Shutterstock

North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site.

**Elaborate Campaign**

"Over the years, we have uncovered many \[Lazarus\] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.

Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government's missile program.

In the latest campaign the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

**A Chrome Zero-Day and a Second Bug**

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit is that it does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn along AI-generated content and images to create an illusion of authenticity around their fake game site.

"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again. Wait, haven’t fixes for this vulnerability been available since September 17th? They were, but it was not enough. “VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address […]

**On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (****CVE-2024-38812****) vulnerability** **were released again****.** Wait, haven’t fixes for this vulnerability been available since September 17th? They were, but it was not enough.

_“VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address CVE-2024-38812. The patches listed in the_ Response Matrix _below are updated versions that contain additional fixes to fully address CVE-2024-38812.”_

If you are using VMware vCenter, please take note and update it again. Current secure versions of VMware vCenter Server are 7.0 U3t, 8.0 U2e and 8.0 U3d.

Updates are also available for the VMware Cloud Foundation.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again

The software development kit will simplify building and testing of CHERI-enabled RISC-V applications.

Source: Mentor58 via Alamy Stock Photo

German processor design company Codasip has donated its latest RISC-V software development kit to chip security consortium CHERI Alliance to help developers add memory safety to chips.

RISC-V is an instruction set architecture (ISA) that allows developers and manufacturers to personalize silicon chips with capabilities to meet their needs, such as for use in smartphones, space technologies, industrial applications, and automotive technologies, to name a few. RISV-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

CHERI (Capability Hardware Enhanced RISC Instructions) extends ISA to manage memory access control to prevent common vulnerabilities, such as buffer overflows and memory corruption. The method involves isolating the hardware and software so that adversaries cannot inject attack code into memory. The CHERI Alliance is an industry consortium focused on promoting the development and adoption of security technologies that protect data stored in hardware memory.

Developers need access to tools and packages that are available for CHERI — this is what the SDK that Codasip built and donated to the CHERI Alliance offers. The compiler is capable of generating the modified instructions. Anyone implementing CHERI on RISC-V chips can access the SDK, which is freely available on GitHub.

The SDK includes:

*   C/C++ compiler and toolchain based on LLVM17
    

*   QEMU open source emulator
    
*   OpenSBI implementation of the RISC-V Supervisor Binary Interface
    

*   Yocto build system for Linux
    
*   Basic user space environment based on Busybox
    

"As more organizations and governments discover the potential of the CHERI technology to protect us, we need to speed up the pace of making the technology available in real systems," Codasip CEO Ron Black said in a statement. "We have made a massive effort to implement a full Linux-capable SDK that we are now opening for everyone to use."

**About the Author**

Codasip Donates Tools to Develop Memory-Safe Chips

Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Source: Jozef Polc via Alamy Stock Photo

In the final days of the 2024 US election season, Russian state-backed actors are pushing enormous amounts of fake news disguised as information from reputable news outlets with the intention of flooding the American news ecosphere with enough garbage to influence who eventually wins the White House.

The Kremlin's full-scale propaganda push, named Operation Overload by researchers at Recorded Future who uncovered the effort, is pretty basic: influence the outcome of the US election by overwhelming already thread-bare newsroom resources. If the handful of journalists and trusted news sources left standing in the US are endlessly deploying scarce investigative resources to chase down fake news, there are fewer journalists left to debunk the junk.

It's an effective tactic that has been used by Operation Overload before. The Russian state-backed group honed its fake news skills with similar campaigns in France recently, Recorded Future pointed out in its report.

"Previously attempting to undermine the 2024 French elections and the Paris Olympics, the operation is now shifting its focus to the 2024 US presidential election," the report warned. "It involves creating fake news sites, false fact-checking resources, and AI-generated audio that mimics legitimate media outlets."

The group also adds branding and logos that make the disinformation look like it's from a trusted US news organization, making it difficult for consumers to know what's real and what isn't.

**Taking Aim at Tim Walz**

Most recently, the Russian fake news farm has been pushing disinformation against vice presidential candidate Tim Walz.

"Based on newly available intelligence, for example, the IC assesses that Russian influence actors manufactured and amplified inauthentic content claiming illegal activity committed by the Democratic vice-presidential candidate during his earlier career," an alert from the office of the director of national intelligence warned on Tuesday.

Besides fake news doctored up to look like legitimate reports, AI-generated content, and flooding media with propaganda to fact check, the effort relies heavily on automated social media posts to continuously pump out bad information, Recorded Future said.

It's on Elon Musk's X platform where many of the Operation Overload disinformation gets a lot of traction. Three separate false narratives being pushed by the Russian troll farm against Walz in recent days were traced back to X accounts by CBS News.

In the days to come, Recorded Future warned Operation Overload will continue to push three distinct varieties of disinformation aimed at influencing the outcome of the US election: stoking political violence, targeting candidates, and vilifying Ukrainians as well as the LGBTQIA+ community.

"The operation seeks to directly inject influence content into mainstream discussion of contentious political issues, eroding public trust in the democratic process, provoking US domestic concerns of political violence and 'civil war,' and exploiting existing social divisions," the report explained.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

Source: Ascannio via Alamy Stock Photo

A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit.

The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft reported in an alert. 

Patches for the flaw were released in July as part of a series of Patch Tuesday updates, and it has since been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

The risk of potential continued exploitation of the vulnerability is further heightened due to the fact that a proof-of-concept is now available on GitHub for public viewing.

No additional details about how the vulnerability is being actively exploited have been shared, but due to these developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by Nov. 12.

**About the Author**

Latest News