CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks.

Tracked as CVE-2023-24955, this SharePoint Server vulnerability enables authenticated attackers with Site Owner privileges to execute code remotely on vulnerable servers.

The second flaw (CVE-2023-29357) allows remote attackers to gain admin privileges on vulnerable SharePoint servers by circumventing authentication using spoofed JWT auth tokens.

These two SharePoint Server security vulnerabilities can be chained by unauthenticated attackers to gain RCE on unpatched servers, as STAR Labs researcher Nguyễn Tiến Giang (Janggggg) demonstrated during last year's March 2023 Pwn2Own contest in Vancouver.

A CVE-2023-29357 proof-of-concept exploit was released on GitHub on September 25, one day after the security researcher published a technical analysis describing the exploitation process.

Although the PoC exploit did not allow attackers to gain remote code execution on targeted systems, threat actors could still modify it to complete the chain with CVE-2023-24955 exploitation capabilities for RCE attacks.

Multiple PoC exploits targeting this chain have since surfaced online (including one released by Star Labs), making it easier for less skilled attackers to use it in their attacks.

One month later, CISA added the CVE-2023-29357 flaw to its Known Exploited Vulnerabilities Catalog and ordered U.S. federal agencies to patch it by the end of the month, on January 31.

On Tuesday, the cybersecurity agency also added the CVE-2023-24955 code injection vulnerability to its list of actively exploited security flaws. As mandated by the BOD 22-01 binding operational directive, federal agencies must secure their SharePoint servers by April 16.

While CISA didn't share any details regarding attacks exploiting the two SharePoint vulnerabilities, the cybersecurity agency did say it has no evidence they were used in ransomware attacks.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

While CISA's KEV catalog focuses on alerting federal agencies about vulnerabilities that should be addressed as soon as possible, private organizations are also advised to prioritize patching both vulnerabilities in this exploit chain to block attacks.
