DEV Community

soy

Posted on • Originally published at media.patentllm.org

SharePoint Zero-Day, Linux RCE Bypass, & Advanced Kerberoasting Detection


Today's Highlights

This week features a critical actively exploited zero-day in Microsoft SharePoint requiring immediate attention, alongside a novel RCE technique bypassing noexec on hardened Linux systems. Additionally, new insights reveal crucial gaps in traditional Kerberoasting detection, particularly in mixed-encryption environments.

Stealthy RCE on Hardened Linux: noexec + Userland Execution PoC (r/netsec)

Source: https://reddit.com/r/netsec/comments/1skelmn/stealthy_rce_on_hardened_linux_noexec_userland/

This post presents a Remote Code Execution (RCE) technique that gets past a common Linux hardening measure, the noexec mount option. noexec is widely applied to /tmp, /dev/shm, /home and other user-writable file systems: the kernel refuses execve() of any file that lives on such a mount, and refuses to map files from it with PROT_EXEC, so a dropped binary cannot simply be run. The Proof-of-Concept (PoC) achieves userland code execution while noexec is in force, on systems that were considered hardened against exactly that. The Reddit summary does not restate the mechanism, but the boundary of the control is well understood: noexec governs how files on that mount are executed, not whether their bytes end up executing. Code handed to an interpreter that lives on an executable mount, or copied into an anonymous in-memory file and executed from there, never passes through a code path that checks the flag, which is the sense in which "running from memory" or "alternative execution paths" sidestep it.

This bypass matters most where users can upload or generate files under a noexec mount and the hardening policy counts on that flag alone. Administrators should treat noexec as one layer that narrows the drop-and-execute path, not a complete control, and pair it with measures that cover the other execution paths: which interpreters unprivileged users can reach, whether running processes are backed by anonymous memory files rather than on-disk executables, and what unexpected processes do on the network. Because a PoC is public the technique is actionable now, and unless it turns out to rely on a kernel defect the post does not mention there is nothing to patch; the response is compensating controls and detection.
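Two checks a practitioner would want alongside this item, as an added example that is not code from the Reddit post or its PoC: a mount audit that lists every writable mount without noexec (the only places the flag would stop a plain execve() of a dropped file), and a process sweep for executables backed by an anonymous memory file, which is the footprint of code executed from memory rather than from any mount. The /proc/self/mounts excerpt is constructed, and the assumption that the PoC leaves that particular footprint is exactly that, an assumption; the post does not say which path it uses.

```python
import os
from pathlib import Path

# Constructed /proc/self/mounts excerpt (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
/dev/sdc1 /srv/www ext4 ro,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/self/mounts lines into target, fstype and the option set."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _source, target, fstype, opts = parts[:4]
        entries.append({"target": target, "fstype": fstype,
                        "opts": set(opts.split(","))})
    return entries


def writable_exec_mounts(text):
    """Mount points that are writable and lack noexec: a file dropped there can be
    run with a plain execve(). This drop-and-execute path is the only one the
    noexec flag closes."""
    return [e["target"] for e in parse_mounts(text)
            if "rw" in e["opts"] and "noexec" not in e["opts"]]


def memfd_backed_processes(proc_root="/proc"):
    """Processes whose executable is an anonymous memory file. For a process started
    from a memfd, /proc/<pid>/exe resolves to '/memfd:<name> (deleted)'. That code
    never lived on a mount, so noexec had nothing to say about it; look for this
    footprint in addition to auditing mounts. proc_root is parameterised so the
    sweep can be run against a copied or constructed /proc tree."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(entry / "exe")
        except OSError:  # kernel threads, permission denied, process already gone
            continue
        if exe.startswith("/memfd:"):
            hits.append((int(entry.name), exe))
    return sorted(hits)


if __name__ == "__main__":
    print("writable mounts without noexec:", writable_exec_mounts(SAMPLE_MOUNTS))
    print("memfd-backed processes:", memfd_backed_processes())
```

On a live host, run it as root so /proc/<pid>/exe is readable for every process; the mount audit is a one-off, the process sweep is something to schedule or to fold into an EDR rule.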

Comment: This PoC challenges a core Linux hardening principle, demonstrating how a fundamental control like noexec can be circumvented. It's a must-read for anyone managing Linux servers to refine existing policies and implement additional layers of defense.

New Microsoft SharePoint Zero-Day (CVE, April 15 2026) : Actively Exploited, CISA Deadline Already Set, Here's What You Need to Know (r/cybersecurity)

Source: https://reddit.com/r/cybersecurity/comments/1smf2gz/new_microsoft_sharepoint_zeroday_cve_april_15/

A critical new zero-day vulnerability in Microsoft SharePoint is confirmed to be under active exploitation in the wild. The headline carries the date April 15, 2026 but no CVE number, so take the identifier from the Microsoft advisory or the CISA Known Exploited Vulnerabilities (KEV) catalog before tracking or ticketing it. The flaw is described as a spoofing vulnerability with an initial CVSS rating of 6.5 (medium), a score that understates the practical risk now that exploitation is confirmed. CISA has already set a remediation deadline; deadlines of this kind are KEV catalog due dates, binding on federal civilian agencies under Binding Operational Directive 22-01 and a useful yardstick for everyone else running SharePoint.

Exploitation of a spoofing vulnerability in SharePoint can let an attacker impersonate legitimate users or system components, which opens the way to unauthorized access, data manipulation, and lateral movement or privilege escalation from the compromised server. Organizations should patch immediately where a fix is available, and treat exposed instances that were unpatched during the exploitation window as possibly compromised: check for signs of exploitation rather than assuming a medium CVSS score bought time. Relying on the reported CVSS score alone is not a defensible risk assessment once exploitation is confirmed.

Comment: An actively exploited SharePoint zero-day, regardless of its 'medium' severity rating, is an urgent call to action. Immediate patching and robust incident response protocols are paramount for all SharePoint users to mitigate potential breaches and protect critical data.

Kerberoasting detection gaps in mixed-encryption environments and why 0x17 filtering alone isn't enough (r/netsec)

Source: https://reddit.com/r/netsec/comments/1sm0afg/kerberoasting_detection_gaps_in_mixedencryption/

This analysis digs into the shortcomings of the usual Kerberoasting detections, specifically in Active Directory environments that still support a mix of RC4 and AES encryption. Kerberoasting is a common post-compromise technique: any authenticated domain user can request a TGS service ticket for any account that has a Service Principal Name (SPN), and the ticket is encrypted with a key derived from that service account's password. No privilege is needed to obtain the ticket, and it can be cracked offline at leisure to recover the account's cleartext password.

The article's point is that the standard rule, alerting on Event ID 4769 where the Ticket Encryption Type is 0x17 (RC4-HMAC), is not enough. RC4 is singled out because tickets encrypted with it are far cheaper to crack than AES ones, and because common roasting tools ask for RC4 explicitly for that reason. In a mixed-encryption environment, however, an attacker can simply request or accept AES-encrypted service tickets (encryption types 0x11 and 0x12) and never trip an RC4-only filter. The suggested response is detection logic that does not hinge on the encryption type: look at the other 4769 fields, such as how many distinct service accounts one user requests in a short window; flag RC4 tickets issued for accounts whose msDS-SupportedEncryptionTypes allows AES, since a normal client would not negotiate down; baseline normal ticket-request patterns per user and host; and correlate with other logs such as logon source and process telemetry. That combination identifies Kerberoasting regardless of the encryption type used, and is vital for anyone defending authentication against credential theft.
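The gap described above, run over constructed 4769 records as an added example (not the article's own code or detection rules): the classic 0x17 filter beside an encryption-type-agnostic rule that flags bursts of distinct service-account requests from one user and RC4 tickets issued for AES-capable accounts. The events, user names, service accounts and the AES inventory are all constructed; the field names follow the 4769 event XML (TargetUserName is the requesting user, ServiceName is the account the ticket was issued for, TicketEncryptionType is the ticket's etype).

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23, what the classic rule keys on
AES_ETYPES = {0x11, 0x12}  # etype 17 (AES128-CTS) and 18 (AES256-CTS)

# Constructed 4769 records (not real telemetry). Times are UTC ISO-8601.
EVENTS = [
    {"time": "2026-04-10T09:00:00", "TargetUserName": "alice", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.1.20"},
    {"time": "2026-04-10T09:00:01", "TargetUserName": "alice", "ServiceName": "DC01$",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.1.20"},
    # bob pulls four service accounts within seconds, all AES: invisible to a 0x17 filter
    {"time": "2026-04-10T09:10:00", "TargetUserName": "bob", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.5.77"},
    {"time": "2026-04-10T09:10:02", "TargetUserName": "bob", "ServiceName": "svc_web",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.5.77"},
    {"time": "2026-04-10T09:10:05", "TargetUserName": "bob", "ServiceName": "svc_backup",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.5.77"},
    {"time": "2026-04-10T09:10:07", "TargetUserName": "bob", "ServiceName": "svc_intranet",
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.5.77"},
    # carol receives an RC4 ticket for an account that supports AES: an etype downgrade
    {"time": "2026-04-10T10:00:00", "TargetUserName": "carol", "ServiceName": "svc_sql",
     "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.2.31"},
    # dave receives an RC4 ticket for an RC4-only legacy account: expected noise in a mixed estate
    {"time": "2026-04-10T10:30:00", "TargetUserName": "dave", "ServiceName": "svc_legacy",
     "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.2.40"},
]

# Constructed inventory: service accounts whose msDS-SupportedEncryptionTypes includes AES.
AES_CAPABLE = {"svc_sql", "svc_web", "svc_backup", "svc_intranet"}


def is_candidate(ev):
    """Usual pre-filter: successful TGS request for a user account (computer accounts
    end in '$') other than krbtgt."""
    svc = ev["ServiceName"]
    return ev["Status"] == 0 and not svc.endswith("$") and svc.lower() != "krbtgt"


def naive_rc4_filter(events):
    """The classic rule: 4769 with TicketEncryptionType 0x17. Returns requesting users."""
    return {ev["TargetUserName"] for ev in events
            if is_candidate(ev) and ev["TicketEncryptionType"] == RC4_HMAC}


def detect_roasting(events, aes_capable, window=timedelta(minutes=5), burst_threshold=3):
    """Encryption-type-agnostic detection. Returns {user: [reasons]}."""
    findings = defaultdict(list)
    per_user = defaultdict(list)
    for ev in events:
        if not is_candidate(ev):
            continue
        user = ev["TargetUserName"]
        # Downgrade: an RC4 ticket for an account that supports AES. A normal client in a
        # mixed environment negotiates AES for these; RC4 here means the client asked for it.
        if ev["TicketEncryptionType"] == RC4_HMAC and ev["ServiceName"] in aes_capable:
            findings[user].append(f"rc4 ticket for AES-capable account {ev['ServiceName']}")
        per_user[user].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    # Burst: many distinct service accounts from one user inside the window, any etype.
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= burst_threshold:
                findings[user].append(f"{len(svcs)} distinct service accounts within {window}")
                break
    return dict(findings)


if __name__ == "__main__":
    print("0x17 filter flags:", sorted(naive_rc4_filter(EVENTS)))
    print("etype-agnostic rule flags:", detect_roasting(EVENTS, AES_CAPABLE))
```

Against this sample the 0x17 filter flags carol and dave and misses bob entirely, while the second rule flags bob (burst) and carol (downgrade) and leaves dave alone; the burst threshold and window are starting points to tune against a baseline of real 4769 volume, and the AES inventory is best pulled from the directory rather than maintained by hand.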

Comment: This is a crucial deep dive for anyone defending Active Directory, exposing common Kerberoasting detection failures. It urges a shift to more robust, multi-faceted monitoring beyond simple RC4 filters to effectively counter credential theft.
