CVE-2023-24955 — Microsoft SharePoint Server Code Injection Vulnerability

CVE-2023-24955

SharePoint Server — Site Owner Code Injection; Chained with CVE-2023-29357 EoP for Unauthenticated RCE; Ransomware Campaigns

What is Microsoft SharePoint Server?

Microsoft SharePoint Server is a widely deployed enterprise collaboration and document management platform used for intranet portals, document libraries, project management, and business workflows. Access within a site collection follows a role hierarchy: Site Owners hold Full Control over a site and can customize pages, manage permissions and groups, and activate features, with site collection administrators sitting above them. Because SharePoint often stores sensitive documents, credentials, and business data, and because on-premises farms are frequently reachable from both the internal network and the internet, it is a persistent high-value target for ransomware operators and nation-state actors.

Overview

CVE-2023-24955 is a server-side code injection vulnerability (CWE-94) in Microsoft SharePoint Server that allows an authenticated attacker with Site Owner privileges to execute arbitrary code on the server. The PR:H (high privileges required) component of the CVSS vector keeps its standalone rating at High (7.2), but the bug becomes critical when chained with CVE-2023-29357, a SharePoint elevation-of-privilege vulnerability (CVSS 9.8) patched one month later that lets an unauthenticated attacker present a forged JWT authentication token and be treated as a privileged user. Together the two CVEs form a pre-authentication remote code execution chain, first used by STAR Labs SG against SharePoint at Pwn2Own Vancouver in March 2023 and presented publicly at DEF CON 2023. CISA added CVE-2023-24955 to the KEV catalog on 2024-03-26, reflecting confirmed in-the-wild exploitation; the entry carries the known ransomware use flag.

Affected Versions

Product                                   Affected   Fixed
SharePoint Server 2019                    Yes        May 2023 Patch Tuesday
SharePoint Server Subscription Edition    Yes        May 2023 Patch Tuesday
SharePoint Server 2016                    Yes        May 2023 Patch Tuesday
SharePoint Server 2013 SP1                Yes        May 2023 Patch Tuesday

Technical Details

The code injection (CWE-94) lies in how SharePoint Server processes server-side markup or code in page and site configuration contexts that are writable by Site Owners. By injecting code into those fields, an authenticated Site Owner can make the SharePoint web application execute arbitrary server-side code under the identity of its IIS application pool account, a domain service account that typically holds broad privileges on the host and across the farm.

In isolation (PR:H) the attacker must already hold Site Owner access. The attack surface becomes pre-authentication when CVE-2023-29357 is also unpatched:

  1. CVE-2023-29357 (patched June 2023, CVSS 9.8): SharePoint's bearer-token handling accepts a JWT whose header declares "alg":"none", so the token's signature is never verified. An unauthenticated attacker can therefore mint a token whose identity claims name an administrative (Site Owner or higher) account and have SharePoint's API endpoints treat the request as coming from that account, without knowing any credentials.
  2. CVE-2023-24955: Acting as that privileged identity, the attacker injects server-side code through the vulnerable interface and achieves remote code execution on the SharePoint server.

Closing the full chain (unauthenticated attacker to arbitrary code execution) needs both fixes. SharePoint public updates are cumulative, so any update from June 2023 onward carries both. A farm that stopped at the May 2023 update has the code injection fixed, which breaks this chain, but still exposes the authentication bypass on its own; a farm that applied neither is open to the complete pre-auth RCE path.
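The forged-token step above can be recognized from the token alone. The PowerShell below is an added example, not code from this advisory or from STAR Labs: it decodes a bearer JWT and flags the unsigned-token pattern that CVE-2023-29357 abused, and it runs on a token captured from a proxy, a packet capture, or IIS logs extended to record the Authorization header. The sample token at the bottom is constructed here with placeholder claim values; it is not an exploit payload and names no real identity.

```powershell
# Added example: inspect a SharePoint bearer token for the CVE-2023-29357 forgery pattern.
# Works in Windows PowerShell 5.1 and PowerShell 7; no SharePoint cmdlets required.

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore padding and the standard alphabet.
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    # Used only to build the constructed sample below.
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-SharePointBearerToken {
    # Returns one object per token with the decoded identity claims and a Suspicious flag.
    # A legitimate SharePoint token is signed (a real alg, a signature segment present);
    # the CVE-2023-29357 forgery declares alg "none" and carries no signature.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Token)
    process {
        $parts = $Token.Trim().Split('.')
        if ($parts.Count -lt 2) { throw "Not a JWT (expected header.payload.signature): $Token" }

        $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
        $findings = New-Object System.Collections.Generic.List[string]

        # Core indicator: no algorithm, or "none", means the signature is never checked.
        if ([string]::IsNullOrEmpty($header.alg) -or $header.alg -eq 'none') {
            $findings.Add('alg is "none" or missing: unsigned token, CVE-2023-29357 pattern')
        }
        if ($parts.Count -lt 3 -or [string]::IsNullOrEmpty($parts[2])) {
            $findings.Add('signature segment is empty')
        }
        # A forged token must still look valid in time, so a far-future expiry is worth noting.
        if ($payload.exp) {
            $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp)
            if ($exp -gt [DateTimeOffset]::UtcNow.AddDays(30)) {
                $findings.Add("exp is more than 30 days out ($($exp.UtcDateTime.ToString('u')))")
            }
        }

        [pscustomobject]@{
            Algorithm  = $header.alg
            Identity   = $payload.nameid     # the account the token claims to be
            Issuer     = $payload.iss
            Audience   = $payload.aud
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed sample (not a real capture): an unsigned token claiming an administrative identity.
# Claim values are placeholders; the layout, not the values, is what the check keys on.
$sampleHeader  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$samplePayload = ConvertTo-Base64Url '{"nameid":"i:0#.w|contoso\\spadmin","iss":"00000000-0000-0000-0000-000000000000","aud":"00000000-0000-0000-0000-000000000000@contoso.local","exp":4102444800}'
"$sampleHeader.$samplePayload." | Test-SharePointBearerToken | Format-List
```

The constructed sample reports Suspicious = True with the alg and empty-signature findings. Pipe real captured tokens into Test-SharePointBearerToken and triage any row whose Suspicious flag is set or whose Identity is an account that should never authenticate through the REST API.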

Discovery

CVE-2023-24955 was found by Jang (nguyenloc81) of STAR Labs SG, who first used it together with CVE-2023-29357 to compromise a fully patched SharePoint Server at Pwn2Own Vancouver in March 2023; both bugs were reported to Microsoft through Trend Micro's Zero Day Initiative. The same unauthenticated remote code execution chain was presented publicly at DEF CON 2023, after both patches had shipped. That public walkthrough drove widespread awareness of the chain and likely contributed to the exploitation activity behind the March 2024 KEV addition.

Exploitation Context

SharePoint vulnerabilities have long attracted ransomware operators because the platform is ubiquitous in enterprises and commonly serves as the file repository for sensitive data. The Known Ransomware Use flag on this entry records confirmed ransomware-group involvement with this vulnerability chain. The nine-month gap between the May 2023 patch and the March 2024 KEV addition indicates that exploitation was observed in incident-response investigations long after the fixes were available. Since a farm running the May 2023 or any later update has the RCE half of the chain closed, the population exposed to the full pre-auth chain is internet-facing farms that had not reached the May 2023 update at all.

Remediation

  1. Apply the May 2023 SharePoint cumulative update (or any later one): it fixes CVE-2023-24955 directly.
  2. Apply the June 2023 SharePoint cumulative update (or any later one): it fixes CVE-2023-29357, the unauthenticated elevation that lets the code injection be reached without credentials. SharePoint updates are cumulative, so a June 2023 or later build carries both fixes.
  3. Keep applying subsequent SharePoint updates and verify the result: confirm that (Get-SPFarm).BuildVersion matches Microsoft's published build for the installed update, and run the SharePoint Products Configuration Wizard (PSConfig) after installing, since a binary-only install does not finish applying the update to the farm.
  4. Restrict SharePoint Server access from the internet: place it behind a VPN or an authenticating reverse proxy if external access is required, which removes the pre-auth exploitation surface from anonymous attackers.
  5. Audit Site Owner and site collection administrator membership: review every site collection for unexpected or recently elevated accounts and remove any that are unauthorized.
  6. Review the SharePoint ULS logs and IIS request logs for indicators of exploitation: unusual page or configuration modifications, bearer tokens that are unsigned or that name an identity which never signs in interactively, and the application pool process (w3wp.exe) spawning unexpected child processes.
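Steps 1 to 6 above, as an added PowerShell example that is not part of the advisory: run it in the SharePoint Management Shell on a farm server as a farm administrator. It reports the farm build against a minimum you supply, enumerates site collection administrators and default Owners-group members for every site collection, diffs that list against a baseline export so recent elevations stand out, and pulls recent authentication-related ULS entries for review. The minimum build, the CSV paths and the look-back window are assumptions: take the build number from Microsoft's published SharePoint update list for your edition, and create the baseline CSV from a known-good export.

```powershell
# Added example: post-patch verification and privileged-membership audit for an on-premises farm.
# Requires the Microsoft.SharePoint.PowerShell snap-in (SharePoint Management Shell) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPPatchStatus {
    # SharePoint updates are cumulative: a build at or above the June 2023 update for your
    # edition carries both the CVE-2023-24955 (May) and CVE-2023-29357 (June) fixes.
    # $MinimumPatchedBuild is supplied by the operator from Microsoft's build list (assumption).
    param([Parameter(Mandatory)][version]$MinimumPatchedBuild)
    $build = (Get-SPFarm).BuildVersion
    [pscustomobject]@{
        FarmBuild       = $build
        MinimumRequired = $MinimumPatchedBuild
        Patched         = ($build -ge $MinimumPatchedBuild)
    }
}

function Get-SPPrivilegedMembers {
    # One row per (site collection, account) for the two roles a forged token or a
    # compromised Site Owner would occupy: site collection administrators and the default Owners group.
    foreach ($site in Get-SPSite -Limit All) {
        try {
            $web = $site.RootWeb
            foreach ($u in $web.SiteAdministrators) {
                [pscustomobject]@{ SiteUrl = $site.Url; Role = 'SiteCollectionAdministrator'; Login = $u.LoginName; IsDomainGroup = $u.IsDomainGroup }
            }
            $owners = $web.AssociatedOwnerGroup
            if ($owners) {
                foreach ($u in $owners.Users) {
                    [pscustomobject]@{ SiteUrl = $site.Url; Role = "OwnersGroup:$($owners.Name)"; Login = $u.LoginName; IsDomainGroup = $u.IsDomainGroup }
                }
            }
        }
        finally {
            $site.Dispose()   # SPSite holds unmanaged resources; always dispose
        }
    }
}

function Compare-SPPrivilegedMembers {
    # Diff live membership against a baseline CSV written earlier by Get-SPPrivilegedMembers | Export-Csv.
    # Rows present only on the live side ('=>') are elevations made since the baseline.
    param([Parameter(Mandatory)][string]$BaselineCsv)
    $baseline = Import-Csv $BaselineCsv
    $current  = @(Get-SPPrivilegedMembers)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property SiteUrl, Role, Login |
        Where-Object SideIndicator -eq '=>' |
        Select-Object SiteUrl, Role, Login
}

function Get-SPRecentAuthEvents {
    # Step 6: authentication-related ULS entries at Unexpected/High/Critical level from the last N days.
    param([int]$Days = 7)
    Get-SPLogEvent -StartTime (Get-Date).AddDays(-$Days) |
        Where-Object { $_.Category -match 'Authentication' -and $_.Level -in 'Unexpected', 'High', 'Critical' } |
        Select-Object Timestamp, Area, Category, Level, Correlation, Message
}

# Usage (build number and paths are assumptions to replace with your own values):
Get-SPPatchStatus -MinimumPatchedBuild '16.0.0.0'      # substitute the June 2023 build for your edition
Get-SPPrivilegedMembers | Export-Csv -NoTypeInformation C:\Audit\sp-privileged-current.csv
Compare-SPPrivilegedMembers -BaselineCsv C:\Audit\sp-privileged-baseline.csv
Get-SPRecentAuthEvents -Days 14 | Out-GridView
```

Run the export once from a farm you trust and keep it as the baseline; every later run then reduces the audit to the rows Compare-SPPrivilegedMembers emits, which is the list of accounts to justify or remove.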

Key Details

Property               Value
CVE ID                 CVE-2023-24955
Vendor / Product       Microsoft — SharePoint Server
NVD Published          2023-05-09
NVD Last Modified      2025-10-28
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-94 (Improper Control of Generation of Code, 'Code Injection')
CISA KEV Added         2024-03-26
CISA KEV Deadline      2024-04-16
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  High
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-04-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-03      Jang (STAR Labs SG) chains CVE-2023-29357 and CVE-2023-24955 for unauthenticated RCE against SharePoint Server at Pwn2Own Vancouver; both bugs go to Microsoft via the Zero Day Initiative
2023-05-09   Microsoft May 2023 Patch Tuesday: CVE-2023-24955 patched
2023-06-13   Microsoft June 2023 Patch Tuesday: companion CVE-2023-29357 (SharePoint EoP via JWT spoofing) patched; together the two CVEs form a pre-auth RCE chain
2023-08      STAR Labs researcher Jang presents the CVE-2023-29357 + CVE-2023-24955 unauthenticated RCE chain at DEF CON 2023
2024-03-26   Added to the CISA Known Exploited Vulnerabilities catalog
2024-04-16   CISA BOD 22-01 remediation deadline

References

Resource                                        Type
Microsoft Security Response Center Advisory     Vendor Advisory
NVD — CVE-2023-24955                            Vulnerability Database
CISA KEV Catalog Entry                          US Government