A remote code execution (RCE) vulnerability in the Microsoft SharePoint document management platform is being exploited by threat actors seeking to compromise corporate networks, a new report from Rapid7 warns.
Tracked as CVE-2024-38094, the flaw affects on-premises installations of Microsoft SharePoint and is related to insecure input validation when processing serialized data. The issue was fixed as part of Microsoft’s July 2024 Patch Tuesday release.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-38094 to its Known Exploited Vulnerability Catalog, indicating its active exploitation.
According to the Rapid7 report, the attackers exploited CVE-2024-38094 to gain unauthorized access to a vulnerable SharePoint server and compromised an entire domain. The intruders remained undetected for over two weeks, using their initial access to establish deep footholds and expand control across the network.
The attackers leveraged a publicly available proof-of-concept exploit to access the SharePoint server and deploy a webshell. They then breached a Microsoft Exchange service account with domain administrator privileges, gaining elevated access and bypassing conventional security measures.
After this, the threat actors deployed Huorong Antivirus using a batch script (“hrword install.bat”), establishing a custom service called “sysdiag” that installed a driver (“sysdiag_win10.sys”) and executed “HRSword.exe” through a VBS script. The Huorong Antivirus installation caused multiple system conflicts, effectively disabling legitimate antivirus defenses and enabling the installation of the open-source Impacket framework for lateral movement.
Next, the attackers moved through the network, deploying tools like Mimikatz for credential harvesting and FRP for remote access. Scheduled tasks were set up to maintain persistence on compromised systems. To avoid detection, they disabled Windows Defender, altered event logs, and manipulated system logging to obscure their activities. Rapid7’s analysis also found that the attackers used additional tools such as everything.exe for network scanning, Certify.exe for generating ADFS certificates, and kerbrute for brute-forcing Active Directory tickets.
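The chain above leaves a recognizable trail in standard Windows telemetry: a new service and driver, a batch file and tooling in process command lines, scheduled tasks, Defender being turned off and logs being cleared. The following Python script is an added example, not code from Rapid7 or from the report; it runs a small set of detection rules over constructed event records. The service, driver and file names are the ones the report gives; the event IDs used are the standard Windows ones (7045 service installed, 4688 process creation, 4698 scheduled task created, 1102 audit log cleared, Defender operational 5001 real-time protection disabled), the IIS-worker-spawns-a-shell rule is a general webshell heuristic assumed here rather than taken from the report, and hostnames, paths and task names in the sample data are placeholders.

```python
"""Detection pass over constructed Windows event records for the intrusion
chain described in the Rapid7 report (added example, not Rapid7 code).

Indicators "sysdiag", "sysdiag_win10.sys", "HRSword.exe" and
"hrword install.bat" come from the report; the records in SAMPLE_EVENTS
are constructed for illustration, not real telemetry.
"""
from dataclasses import dataclass

# Names reported by Rapid7 (compared case-insensitively).
SUSPICIOUS_SERVICES = {"sysdiag"}
SUSPICIOUS_FILES = {"sysdiag_win10.sys", "hrsword.exe", "hrword install.bat"}
# Tools the report says were used after initial access ("frp" also matches
# the FRP client binary frpc.exe).
SUSPICIOUS_TOOLS = {"mimikatz", "frp", "kerbrute", "certify.exe", "everything.exe"}
# IIS worker process that hosts SharePoint; a webshell's commands run as its
# children. This parent/child heuristic is an assumption, not from the report.
IIS_WORKER = "w3wp.exe"
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass
class Finding:
    host: str
    event_id: int
    reason: str


def _low(value):
    return (value or "").lower()


def _mentions(text, names):
    text = _low(text)
    return any(n in text for n in names)


def scan_events(events):
    """Return one Finding for every event record that matches a rule."""
    findings = []
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == 7045:  # new service installed (System log)
            if (_low(ev.get("service_name")) in SUSPICIOUS_SERVICES
                    or _mentions(ev.get("image_path"), SUSPICIOUS_FILES)):
                findings.append(Finding(host, eid,
                    f"service {ev.get('service_name')!r} installed from {ev.get('image_path')!r}"))
        elif eid == 4688:  # process creation (Security log)
            cmd = ev.get("command_line", "")
            if _mentions(cmd, SUSPICIOUS_FILES | SUSPICIOUS_TOOLS):
                findings.append(Finding(host, eid, f"known tool or file in command line: {cmd!r}"))
            elif (_low(ev.get("parent_image")).endswith(IIS_WORKER)
                    and _mentions(cmd, {"cmd.exe", "powershell"})):
                findings.append(Finding(host, eid, f"IIS worker spawned a shell: {cmd!r}"))
        elif eid == 4698:  # scheduled task created
            if _mentions(ev.get("task_action"), SUSPICIOUS_FILES | SUSPICIOUS_TOOLS):
                findings.append(Finding(host, eid,
                    f"scheduled task {ev.get('task_name')!r} runs a known tool"))
        elif eid == 1102:  # Security audit log cleared
            findings.append(Finding(host, eid, "Security audit log cleared"))
        elif eid == 5001 and ev.get("channel") == DEFENDER_CHANNEL:
            findings.append(Finding(host, eid, "Defender real-time protection disabled"))
    return findings


# Constructed sample events: hostnames, paths and the task name are placeholders.
SAMPLE_EVENTS = [
    {"host": "SP01", "event_id": 4688, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "SP01", "event_id": 4688, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Users\Public\hrword install.bat"},
    {"host": "SP01", "event_id": 7045, "service_name": "sysdiag",
     "image_path": r"C:\Windows\System32\drivers\sysdiag_win10.sys"},
    {"host": "SP01", "event_id": 5001, "channel": DEFENDER_CHANNEL},
    {"host": "SP01", "event_id": 4698, "task_name": "Updater",
     "task_action": r"C:\ProgramData\frpc.exe -c frpc.ini"},
    {"host": "DC01", "event_id": 1102},
    {"host": "SP01", "event_id": 7045, "service_name": "Spooler",  # benign control record
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]


def summarize(events=SAMPLE_EVENTS):
    """Group finding reasons by host so an analyst sees the chain per machine."""
    by_host = {}
    for f in scan_events(events):
        by_host.setdefault(f.host, []).append(f.reason)
    return by_host


if __name__ == "__main__":
    for host, reasons in summarize().items():
        print(host)
        for r in reasons:
            print("  -", r)
```

On the constructed sample the benign Spooler service record produces no finding, while the other six records each hit one rule; grouping by host is what makes the sequence (webshell, batch file, service and driver, Defender off, persistence task, log clearing on the domain controller) read as one intrusion rather than six unrelated alerts. In production the same rules would run over exported event logs or an EDR feed rather than an in-memory list.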
“The attacker failed to compromise the third-party backup solution but attempted multiple methods, including access via the browser using compromised credentials and connecting over SSH,” the report noted.
In any case, users who have not yet applied the relevant updates are urged to do so as soon as possible to prevent abuse of their Microsoft SharePoint installations.