Security researchers have uncovered critical vulnerabilities in Microsoft SharePoint Server and have released details of an exploit chain that combines these flaws to enable remote code execution (RCE) on affected servers.
Furthermore, one of the vulnerabilities, CVE-2023-29357, allows unauthenticated attackers to gain administrator privileges by using a spoofed JSON Web Token (JWT) to bypass authentication checks.
The other flaw, CVE-2023-24955, is an RCE vulnerability that permits remote attackers to execute arbitrary code on various SharePoint Server versions. These vulnerabilities have been rated with high severity and are considered likely targets for exploitation by threat actors, with over 100,000 Internet-exposed SharePoint servers potentially affected.
Researchers from StarLabs developed an exploit chain that leverages these vulnerabilities to achieve pre-authentication RCE on affected systems, demonstrating its capabilities.
Additionally, an independent security researcher posted proof-of-concept code on GitHub, showing how attackers could gain admin privileges on unpatched SharePoint Server 2019 systems using CVE-2023-29357.
While this exploit primarily focuses on privilege escalation, it can be combined with CVE-2023-24955 to compromise the confidentiality, integrity, and availability of affected SharePoint servers. As these vulnerabilities are now publicly known, organizations running SharePoint Server, particularly version 2019, are urged to take immediate action to mitigate the risks.