SharePoint Vulnerability is Being Actively Exploited
A critical privilege elevation vulnerability in Microsoft SharePoint is reportedly being actively exploited. The vulnerability, which was patched in June, can be chained with other vulnerabilities to achieve remote code execution. The flaw, CVE-2023-29357, “allows attackers to use spoofed JSON web tokens (JWTs) to gain Administrator privileges on the SharePoint host.” The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog last week. US Federal Civilian Executive Branch agencies must address the vulnerability by January 31.
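The advisory text above says the flaw lets an attacker present a spoofed JWT and be treated as an Administrator. The following added example (written for this page, not SharePoint's own code, and not a description of how the SharePoint bug itself works) shows the generic defensive property that such a bug violates: a token must only be trusted after its signature is verified with a pinned algorithm and the issuer's key, and after its expiry is checked. It uses a constructed HS256 signing key and constructed claims; `sign_hs256`, `verify_jwt` and `is_admin` are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key. In a real deployment this is the server's secret
# (or, for asymmetric algorithms, the issuer's public key), never a value in source.
SECRET = b"constructed-demo-signing-key"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed JWT for the given claims (server side)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the token is well formed, carries a valid HS256
    signature under `secret`, and has not expired. Raise ValueError otherwise.

    The algorithm is pinned by the verifier, not read from the token: a header
    claiming alg=none (or any other alg) is rejected before the signature check,
    so the claims can never be trusted on the token's own say-so."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; an empty or truncated signature simply fails here.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_admin(token: str, secret: bytes, now=None) -> bool:
    """Authorization decision: Administrator only if the token verifies AND says so."""
    try:
        claims = verify_jwt(token, secret, now)
    except ValueError:
        return False
    return claims.get("role") == "Administrator"


def unsigned_admin_token() -> str:
    """Constructed negative test case: an 'alg: none' token asserting Administrator
    with no signature. A correct verifier must treat this as no token at all."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(b'{"sub":"mallory","role":"Administrator","exp":2000000000}')
    return f"{header}.{payload}."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "Administrator", "exp": 2_000_000_000}, SECRET)
    print("genuine admin token accepted:", is_admin(good, SECRET, now=1_700_000_000))
    print("unsigned admin token accepted:", is_admin(unsigned_admin_token(), SECRET, now=1_700_000_000))
```

The design point is that the verifier decides the algorithm and the key; nothing inside the token is trusted until the signature over the header and payload has been checked, and a role claim is only consulted after that.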
Details about this vulnerability, including PoC exploits, appear to have been available for a couple months now. If anything, adding it to the KEV catalog is a bit late. As with any KEV: Assume compromise at this point.
Any critical privilege elevation vulnerability in any product with “Share” in its name requires priority patching measured in days, not months, to meet a due diligence standard.
The flaw is in SharePoint Server 2019, version 16.0.0 below 16.0.1039.20005. CVE-2023-29357 has a CVSS score of 9.8. It is exploitable over the network with low attack complexity. Verify that you’ve deployed the update, which came out in June; this would be a good time to discover and remediate any rogue or unmanaged SharePoint servers, as well as to look at why you’re still hosting SharePoint locally.
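To act on “verify that you’ve deployed the update”, the check is a build-number comparison against the fixed build the page names. The following added example (not from the page or from Microsoft) does that comparison numerically rather than lexically, which matters because a string compare would wrongly rank `16.0.999.x` above `16.0.1039.x`. The inventory is constructed; how you collect each server's build (Central Administration's servers-in-farm page or the farm build version from the SharePoint Management Shell) is an assumption outside this code, and only the 16.0.x range stated on the page is assessed.

```python
from typing import Dict, List, Tuple

# Fixed build for SharePoint Server 2019, as stated in the advisory text on this page.
SP2019_FIXED_BUILD = "16.0.1039.20005"


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '16.0.1039.20005' into (16, 0, 1039, 20005) so tuple ordering is numeric."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string {version!r}")
    return tuple(int(p) for p in parts)


def assess_sharepoint_2019(version: str) -> str:
    """Classify one server build against the CVE-2023-29357 fix for SharePoint 2019.

    Returns 'patched', 'vulnerable', or 'not-sp2019-scope'. Only the 16.0.x line
    the page describes is assessed; other product lines need their own advisory check."""
    build = parse_build(version)
    if build[:2] != (16, 0):
        return "not-sp2019-scope"
    if build < parse_build(SP2019_FIXED_BUILD):
        return "vulnerable"
    return "patched"


def find_vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported build is below the fixed build, sorted.
    Unparseable entries are reported too: an unknown build is not evidence of patching."""
    flagged = []
    for host, version in inventory.items():
        try:
            status = assess_sharepoint_2019(version)
        except ValueError:
            status = "vulnerable"
        if status == "vulnerable":
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: hostnames and build strings invented for this example.
SAMPLE_INVENTORY = {
    "sp-app-01.example.test": "16.0.1039.20005",   # exactly the fixed build
    "sp-app-02.example.test": "16.0.1039.20004",   # one below the fixed build
    "sp-legacy.example.test": "16.0.999.40000",    # would sort above 16.0.1039 as a string
    "sp-2013.example.test": "15.0.4571.1502",      # different product line, out of scope here
    "sp-unknown.example.test": "unknown",          # inventory gap, treated as unverified
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        try:
            print(f"{host:28} {version:18} {assess_sharepoint_2019(version)}")
        except ValueError as exc:
            print(f"{host:28} {version:18} unverified ({exc})")
    print("needs attention:", find_vulnerable_hosts(SAMPLE_INVENTORY))
```

Treating an unparseable or missing build as “needs attention” rather than silently skipping it is deliberate: the page's own advice is to hunt for unmanaged SharePoint servers, and an inventory row with no usable build number is exactly such a server.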
While adding the vulnerability to the KEV flags that it is being actively exploited, organizations should have already prioritized it for patching back in June. An RCE demonstration and, separately, a PoC privilege escalation attack were published shortly after the vulnerability was disclosed. It was simply a matter of time for evildoers to work the vulnerability into their workflow and deploy an exploit.