AI Security AI安全 8d ago Updated 8d ago 更新于 8天前 42

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation SharePoint RCE CVE-2026-45659在活跃利用后被添加到CISA KEV

CISA added CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog due to active exploitation. The vulnerability stems from deserialization of untrusted data and requires only authenticated access with minimal permissions (Site Member level) to exploit. Microsoft identified parallel threat activity where two unrelated actors operated simultaneously in the same network, complicating attribution and incident CISA将SharePoint远程代码执行漏洞CVE-2026-45659(CVSS 8.8)加入已知被利用漏洞目录,因存在活跃利用证据。 微软披露一起复杂网络入侵事件,发现两个无关攻击者集群在同一网络中并行活动,增加了溯源难度。 攻击者Storm-2603利用Gladinet Triofox漏洞(CVE-2025-11371)获取初始访问权限,并使用Velociraptor等工具建立持久化访问。 攻击者通过DLL旁加载、自定义后门及易受攻击的驱动程序(NSecKrnl.sys)绕过端点安全保护并横向移动。 微软强调孤立信号无法反映全貌,建议安全团队关注跨组织、多攻击者并行的复杂威胁态势。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • CISA added CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog due to active exploitation.
  • The vulnerability stems from deserialization of untrusted data and requires only authenticated access with minimal permissions (Site Member level) to exploit.
  • Microsoft identified parallel threat activity where two unrelated actors operated simultaneously in the same network, complicating attribution and incident response.
  • One actor, Storm-2603, leveraged a separate critical vulnerability (CVE-2025-11371) in Gladinet Triofox for initial access before deploying ransomware and establishing persistent backdoors.
  • Federal Civilian Executive Branch agencies are urged to patch SharePoint Server by July 4, 2026, while broader industry lessons highlight the complexity of multi-actor intrusions.

Why It Matters

This incident underscores the critical risk of deserialization flaws in enterprise collaboration platforms like SharePoint, which remain prime targets for ransomware groups. It demonstrates how attackers can combine known vulnerabilities with sophisticated persistence techniques to evade detection, emphasizing the need for comprehensive threat hunting rather than relying on isolated security signals.

Technical Details

  • Vulnerability Analysis: CVE-2026-45659 is a Remote Code Execution (RCE) flaw caused by insecure deserialization of untrusted data, carrying a CVSS score of 8.8. It affects SharePoint Server Subscription Edition, 2019, and 2016.
  • Attack Vector: Exploitation requires authentication but not elevated privileges; a user with Site Member permissions can trigger the RCE. Microsoft assessed the likelihood of exploitation as "Less Likely" despite active campaigns.
  • Initial Access Method: In the observed parallel attack, Storm-2603 utilized CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox, probing for local file inclusion via requests for win.ini and web.config.
  • Persistence & Evasion: Attackers used Velociraptor to mimic admin behavior, established tunnels via Cloudflare, Zoho Assist, and SSH, and employed a vulnerable driver (NSecKrnl.sys) to disable endpoint security. A second actor used DLL side-loading and custom backdoors.

Industry Insight

  • Patch Urgency: Organizations running on-premises SharePoint or related services like Gladinet Triofox must prioritize immediate patching, especially given the active exploitation and CISA's KEV listing.
  • Holistic Defense Strategy: The presence of multiple concurrent threat actors in a single breach highlights the necessity for advanced detection capabilities that can identify lateral movement and anomalous tool usage (e.g., legitimate tools misused for tunneling).
  • Attribution Complexity: Security teams should prepare for investigations where multiple actors may be present, requiring deeper forensic analysis to distinguish between independent intrusions and coordinated campaigns.

TL;DR

  • CISA将SharePoint远程代码执行漏洞CVE-2026-45659(CVSS 8.8)加入已知被利用漏洞目录,因存在活跃利用证据。
  • 微软披露一起复杂网络入侵事件,发现两个无关攻击者集群在同一网络中并行活动,增加了溯源难度。
  • 攻击者Storm-2603利用Gladinet Triofox漏洞(CVE-2025-11371)获取初始访问权限,并使用Velociraptor等工具建立持久化访问。
  • 攻击者通过DLL旁加载、自定义后门及易受攻击的驱动程序(NSecKrnl.sys)绕过端点安全保护并横向移动。
  • 微软强调孤立信号无法反映全貌,建议安全团队关注跨组织、多攻击者并行的复杂威胁态势。

为什么值得看

本文揭示了当前高级持续性威胁(APT)和勒索软件攻击的新趋势,即多个无关攻击者在同一环境中并行操作以混淆视听,这对传统的安全检测逻辑提出了挑战。同时,针对企业核心协作平台SharePoint的高危漏洞被确认为活跃利用状态,为IT安全团队提供了紧迫的补丁部署依据和防御策略调整方向。

技术解析

  • SharePoint RCE漏洞详情:CVE-2026-45659是一个高危远程代码执行漏洞,源于不受信任数据的反序列化。CVSS评分为8.8,无需管理员权限,仅需最低“站点成员”权限即可触发。微软已于2026年5月发布修复程序,覆盖SharePoint Server订阅版、2019版及2016版。
  • 初始访问与持久化技术:攻击者Storm-2603疑似利用Gladinet Triofox的关键漏洞(CVE-2025-11371,CVSS 9.1)进行本地文件包含探测以获取初始访问。随后部署Velociraptor伪装成合法管理行为,并通过Cloudflare隧道、Zoho Assist和VS Code配置的SSH建立多重远程访问通道。
  • 权限提升与防御规避:攻击者创建新的本地和域管理员账户以提升权限,并利用易受攻击的驱动程序“NSecKrnl.sys”篡改端点安全保护,降低自身活动的可见性。另一攻击者集群则采用DLL旁加载和自定义后门技术。
  • 横向移动与影响范围:攻击不仅限于单一网络,还横向移动至第二个组织,确认了Storm-2603关联的勒索软件活动。这种重叠的活动流使得攻击者能够维持长期访问并掩盖入侵的全貌。

行业启示

  • 强化第三方组件与依赖管理:鉴于攻击者利用非核心但关键的第三方应用(如Gladinet Triofox)作为跳板,企业应全面审计所有联网组件的安全性,而不仅仅关注核心服务器。
  • 升级威胁检测与响应策略:面对多攻击者并行和混淆战术,传统的孤立信号检测已失效。安全团队需实施更广泛的上下文关联分析,监控异常的管理员账户创建、非标准远程访问工具的使用以及驱动程序的异常行为。
  • 紧急修补关键基础设施:对于已被CISA列入KEV目录且存在活跃利用的高危漏洞(如SharePoint RCE),必须优先安排补丁部署,特别是对于联邦民用行政部门及其他关键基础设施运营方,需严格遵守截止日期。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全