Combining MS SharePoint Server flaws achieves Remote Code Execution

published: Sept. 29, 2023

Take action: If you are behind on patching your SharePoint Server, time to hustle. With public PoC code for the exploit available, it's just a matter of time before SharePoint is attacked.



Microsoft has fixed two critical vulnerabilities in SharePoint Server, CVE-2023-29357 and CVE-2023-24955, which, when combined, enable threat actors to execute remote code on the server. These vulnerabilities were initially discovered during the Zero Day Initiative’s Pwn2Own contest held in March 2023. STAR Labs found and reported the vulnerabilities, earning a $100,000 reward.

A security researcher named Nguyễn Tiến Giang published a GitHub repository with a proof-of-concept (PoC) for an exploit chain. This exploit combines the two identified vulnerabilities, enabling successful remote command execution.

  • CVE-2023-29357 (CVSS score 9.8) is a critical Privilege Escalation vulnerability in Microsoft SharePoint Server. Threat actors could exploit it by sending a forged JSON Web Token (JWT) authentication token, elevating their privileges.
  • CVE-2023-24955 is a High severity Remote Command Execution vulnerability in the same SharePoint Server. Microsoft addressed both vulnerabilities in their May and June security patches.

The combination of both vulnerabilities resulted in an unauthenticated Remote Code Execution (RCE) on the Microsoft SharePoint Server. A proof-of-concept video was shared to demonstrate the potential attack and exploitation.

 
