CVE-2022-29108 Detection: Newly Discovered Flaw in Microsoft SharePoint Server


Microsoft Patch Tuesday for May 2022 brought to light 74 flaws in Microsoft products, among them critical vulnerabilities such as CVE-2022-26923, along with the fixes needed to mitigate them.

The new SharePoint Server remote code execution (RCE) vulnerability is similar to another Microsoft SharePoint RCE, tracked as CVE-2022-22005 and disclosed in February this year, which allows attackers to execute arbitrary commands on compromised machines.

Detect CVE-2022-29108

To trace any exploitation patterns associated with CVE-2022-29108, utilize the Sigma rule released by our skilled threat hunter Aykut Gürses:

Malicious Initial Access by Exploitation of Microsoft SharePoint Server Remote Code Execution Vulnerability – (CVE-2022-29108) (via proxy)

This detection is available for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Apache Kafka ksqlDB, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the primary technique.

To detect other possible security holes within your environment, see the full list of rules available in the Threat Detection Marketplace repository of the SOC Prime Platform: the View Detections button will provide you with access to 185,000+ unique content items. Crafting your own content? Join forces with the world’s largest cyber defense community of 23,000+ experts powered by the Threat Bounty Program to get professional guidance and earn a stable income by sharing your detection content.


CVE-2022-29108 Analysis

On May 10, 2022, Microsoft announced 73 new CVEs, six of which were rated critical. With several CVEs reissued, the total number of flaws on the May Patch Tuesday list grew to 77.

Among the critical bugs disclosed, a SharePoint Server RCE flaw calls for immediate attention and should be prioritized for patching. SharePoint is a team collaboration tool designed to integrate with Microsoft Office and has been on the market for over 20 years. The platform is used by roughly 190 million people worldwide, making it a ripe target for threat actors.

The flaw tracked as CVE-2022-29108 gives an attacker the ability to move laterally within a network. The CVE-2022-29108 analysis shows that this RCE bug holds significant potential for exploitation, enabling adversaries to steal sensitive data or plant malicious macro-laced files for future attacks.

A proactive cybersecurity strategy is a time-tested solution that progressive organizations are striving to implement to strengthen their cyber defense capabilities. Bulk up your security arsenal with SOC Prime’s detection content for the most recent threats, CVEs, and exploits, ensuring seamless integration with your SIEM, EDR, and XDR solution.
