CISA warns of actively attacked SharePoint Server, asks for immediate patch

published: Jan. 11, 2024


The US cybersecurity agency, CISA, recently issued an alert about active exploitation of a critical vulnerability in Microsoft SharePoint Server, tracked as CVE-2023-29357 (CVSS score 9.8).

This vulnerability, an elevation of privilege (EoP) flaw patched in June 2023 with a PoC exploit publicly available since September 2023, enables unauthenticated attackers to gain administrator rights through a spoofed JSON Web Token (JWT), with no user interaction required.

Although Microsoft has classified the flaw as 'exploitation more likely', it hasn't confirmed its active exploitation.


While CISA does not provide specific information on the observed exploitation, the agency has told SecurityWeek in the past that it only adds security defects to the Known Exploited Vulnerabilities list based on solid evidence of active exploitation.

Following the PoC's release and evidence of its use in attacks, CISA added CVE-2023-29357 to its Known Exploited Vulnerabilities catalog, compelling federal agencies to patch vulnerable SharePoint instances within 21 days as per the Binding Operational Directive 22-01. While this directive specifically targets federal agencies, CISA recommends that all organizations review and address vulnerabilities listed in its catalog promptly.
