Microsoft SharePoint Server products have recently been targeted by threat actors exploiting critical vulnerabilities. These include CVE-2023-29357 and CVE-2023-24955 [1] [4], which allow attackers to bypass authentication and achieve remote code execution [4]. These vulnerabilities pose a significant risk to organizations using SharePoint servers.

Description

CVE-2023-29357 allows attackers to elevate their privileges to administrator level by using spoofed JSON Web Tokens (JWTs). CVE-2023-24955, in turn, enables remote code execution on SharePoint servers [3] [4]. Microsoft has responded to these vulnerabilities by releasing security updates, including a patch for the critical elevation of privilege vulnerability CVE-2023-29357 [2]. However, it is estimated that over 100,000 Internet-exposed SharePoint servers could still be affected [3].

Researchers have disclosed the details of a serious exploit that combines these two critical vulnerabilities [3], and proof-of-concept (PoC) exploits for CVE-2023-29357 have been released [2]. This increases the risk further, as attackers now have a blueprint to exploit these vulnerabilities. It is crucial for organizations to take proactive steps to secure their SharePoint Server environments and promptly install the necessary security updates.

Conclusion

The exploitation of these vulnerabilities can have severe consequences for organizations using SharePoint servers. It is imperative for organizations to prioritize the security of their SharePoint Server environments and promptly apply the available security updates. Failure to do so could result in unauthorized access, data breaches, and potential damage to the organization’s reputation. By taking proactive measures, organizations can mitigate the risk and protect themselves against potential exploits.

References

[1] https://www.linkedin.com/pulse/flash-alert-exploitation-vulnerabilities-sharepoint
[2] https://socprime.com/blog/cve-2023-29357-detection-microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploitation-can-lead-to-pre-auth-rce-chain/
[3] https://cybersecurity-see.com/researchers-reveal-new-rce-exploit-chain-for-sharepoint/
[4] https://sosintel.co.uk/flash-alert-exploitation-of-vulnerabilities-in-sharepoint/