9.8 Severity! Hackers Weaponize SharePoint Flaw, CISA Warns of Attacks

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Microsoft SharePoint Server to its catalog of Known Exploited Vulnerabilities (KEV). This decision was based on evidence of active exploitation of the vulnerability.

The issue designated CVE-2023-29357 and assigned a critical CVSS rating of 9.8, is an elevation of privilege flaw that can be exploited by malicious actors to gain administrative rights. Microsoft released a patch addressing this issue in June 2023, yet hackers continue to actively exploit it in attacks on vulnerable SharePoint Server instances.

In exploiting the vulnerability, an attacker, having accessed counterfeit JWT tokens, can use them to conduct a network attack, circumventing the authentication system and gaining access to the privileges of an authenticated user. This requires no special rights on the part of the attacker, and no action is required from the user.

The remote code execution chain combines an authentication bypass vulnerability (CVE-2023–29357) with a code injection vulnerability (CVE-2023-24955, CVSS 7.2). The latter was addressed in May 2023.

Security expert Nguyễn Tiến Giang (Jang) from StarLabs noted in his technical report published in September 2023 that the process of detecting and developing this exploitation chain took nearly a year of intensified research.

Specific details about the real-world use of CVE-2023–29357, as well as the identity of the perpetrators exploiting this vulnerability, remain unknown at this time. Nevertheless, U.S. federal agencies are advised to apply all necessary patches by January 31, 2024, to protect against this active threat.