The Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns about the active exploitation of vulnerabilities in Microsoft SharePoint that enable attackers to carry out remote code execution (RCE).
The issue stems from two vulnerabilities, identified as CVE-2023-24955 and CVE-2023-29357, which, when combined, allow unauthorized attackers to gain administrative privileges on vulnerable SharePoint servers and perform remote code execution.
The first vulnerability (CVE-2023-24955) lets attackers who hold site owner rights execute code on vulnerable servers, while the second vulnerability (CVE-2023-29357) allows authentication to be bypassed remotely with forged JWT tokens to obtain administrative privileges.
Both vulnerabilities can be leveraged for RCE attacks on susceptible servers, as demonstrated by a researcher from Star Labs at the Pwn2Own contest in Vancouver in March 2023.
Following the publication of exploitation examples for the vulnerabilities on GitHub in September, numerous proof-of-concept (PoC) exploits emerged, including those released by Star Labs, making it easier for less experienced attackers to carry out attacks.
CISA has urged immediate mitigation of these vulnerabilities, adding CVE-2023-29357 to its Known Exploited Vulnerabilities (KEV) catalog and directing US federal agencies to address the issue by the end of January. More recently, on March 26, the agency added CVE-2023-24955 as well, requiring SharePoint servers to be secured by April 16.
While CISA has not disclosed specific details regarding exploits using these vulnerabilities, it has emphasized that such issues are often targeted by cybercriminals and pose a significant risk.
CISA strongly advises not only federal agencies but also private organizations to prioritize addressing these vulnerabilities to