CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

12.01.2024


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a critical security vulnerability affecting Microsoft SharePoint Server in its Known Exploited Vulnerabilities (KEV) catalog, highlighting evidence of ongoing exploitation.

Identified as CVE-2023-29357 with a CVSS score of 9.8, this is a privilege escalation flaw that could enable an attacker to attain administrator privileges. Microsoft addressed this vulnerability through patches released in its June 2023 Patch Tuesday updates.

According to Microsoft, “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action.”

Security researcher Nguyễn Tiến Giang (Jang) from StarLabs SG demonstrated an exploit for this flaw at the Pwn2Own Vancouver hacking contest, earning a $100,000 prize. The exploit is a pre-authenticated remote code execution chain that combines an authentication bypass (CVE-2023-29357) with a code injection bug (CVE-2023-24955, CVSS score: 7.2), the latter of which Microsoft patched in May 2023.

Tiến Giang noted in a technical report published in September 2023 that “The process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain.”

While specific details about real-world exploitation of CVE-2023-29357 and the identity of potential threat actors remain unknown, federal agencies are strongly advised to apply the provided patches by January 31, 2024, to safeguard against the active threat.
