CISA

CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks.

Tracked as CVE-2023-24955, this SharePoint Server vulnerability enables authenticated attackers with Site Owner privileges to execute code remotely on vulnerable servers.

The second flaw (CVE-2023-29357) allows remote attackers to gain admin privileges on vulnerable SharePoint servers by circumventing authentication using spoofed JWT auth tokens.

These two SharePoint Server security vulnerabilities can be chained by unauthenticated attackers to gain RCE on unpatched servers, as STAR Labs researcher Nguyễn Tiến Giang (Janggggg) demonstrated during last year's March 2023 Pwn2Own contest in Vancouver.

A CVE-2023-29357 proof-of-concept exploit was released on GitHub on September 25, one day after the security researcher published a technical analysis describing the exploitation process.

Although the PoC exploit did not allow attackers to gain remote code execution on targeted systems, threat actors could still modify it to complete the chain with CVE-2023-24955 exploitation capabilities for RCE attacks.

Multiple PoC exploits targeting this chain have since surfaced online (including one released by Star Labs), making it easier for less skilled attackers to use it in their attacks.

One month later, CISA added the CVE-2023-29357 flaw to its Known Exploited Vulnerabilities Catalog and ordered U.S. federal agencies to patch it by the end of the month, on January 31.

On Tuesday, the cybersecurity agency also added the CVE-2023-24955 code injection vulnerability to its list of actively exploited security flaws. As mandated by the BOD 22-01 binding operational directive, federal agencies must secure their Sharepoint servers by April 16.

While CISA didn't share any details regarding attacks exploiting the two Sharepoint vulnerabilities, the cybersecurity agency did say it has no evidence they were used in ransomware attacks.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

While CISA's KEV catalog focuses on alerting federal agencies about vulnerabilities that should be addressed as soon as possible, private organizations are also advised to prioritize patching this exploit chain to block attacks.

Related Articles:

TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers

CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites

VMware fixes critical vCenter RCE vulnerability, patch now

Widely used modems in industrial IoT devices open to SMS attack

PHP fixes critical RCE flaw impacting all versions for Windows