What is Microsoft SharePoint Server?
Microsoft SharePoint Server is an enterprise collaboration and content management platform used by organizations worldwide to host intranets, document libraries, project sites, and business workflows. SharePoint integrates deeply with Active Directory and Microsoft 365, often storing sensitive organizational documents, project files, and business data. SharePoint Server (on-premises) is widely deployed in government agencies, regulated industries, and large enterprises. Because SharePoint handles organizational authentication via Azure AD/Microsoft identity tokens, vulnerabilities in its token validation can allow complete authentication bypass — providing access to all SharePoint content the organization has stored.
Overview
CVE-2023-29357 is a critical privilege escalation vulnerability in Microsoft SharePoint Server that allows an unauthenticated attacker to bypass authentication by presenting specially crafted, spoofed JWT authentication tokens — gaining administrator-level access to a SharePoint instance. When chained with CVE-2023-24955 (a SharePoint Server RCE vulnerability), it creates a complete pre-authentication remote code execution exploit chain. The combined chain was demonstrated by STAR Labs at Pwn2Own Vancouver 2023. CISA added it to KEV in January 2024, seven months after the patch, confirming active exploitation.
Affected Versions
| Product | Status |
|---|---|
| Microsoft SharePoint Server 2019 | Patched June 2023 Patch Tuesday |
| Microsoft SharePoint Server 2016 | Patched June 2023 Patch Tuesday |
Technical Details
The weakness is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm). SharePoint Server's authentication pipeline validates JWT tokens used for API and application authentication. A flaw in the token validation logic allows an attacker to craft a JWT token that SharePoint accepts as valid without proper cryptographic verification. By presenting a spoofed JWT token claiming administrator identity, an unauthenticated attacker gains SharePoint administrator privileges — including the ability to access all document libraries, manage sites, and execute server-side code through SharePoint's APIs.
The exploit chain combining CVE-2023-29357 and CVE-2023-24955:
- CVE-2023-29357: Craft a spoofed JWT token to authenticate as a SharePoint administrator
- CVE-2023-24955: Exploit SharePoint's site master page injection (accessible to authenticated site owners) to inject server-side code that executes on the SharePoint server
Together, the chain achieves pre-authentication RCE: arbitrary code executes on the SharePoint server as a privileged service account. The chain was demonstrated at Pwn2Own Vancouver 2023 by STAR Labs, earning a $100,000 prize.
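The core of the flaw described above is a token validator that trusts claims it never cryptographically checked. The following Python example is added here as an illustration; it is not SharePoint's code and does not reproduce the exact SharePoint defect. It places a weak validator (decode the payload, believe the claims) beside a hardened one that pins the algorithm, verifies the signature with a constant-time comparison, and checks issuer, audience and expiry. The key, issuer and audience values are constructed for the demo; real deployments verify against the identity provider's actual signing key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (hypothetical); a real service pins the identity
# provider's signing key and its own registered issuer/audience strings.
DEMO_KEY = b"constructed-demo-signing-key-not-a-real-secret"
EXPECTED_ISSUER = "https://idp.example.invalid"
EXPECTED_AUDIENCE = "sharepoint-api"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Create a signed HS256 token; used only to build inputs for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def weak_validate(token: str) -> Optional[dict]:
    """Anti-pattern: returns the payload claims without checking the signature.
    Whoever writes the token decides what 'isAdmin' says, so the claim is worthless."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1]))


def hardened_validate(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Accept a token only if it is signed under the server-pinned algorithm with the
    expected key and its issuer, audience and expiry match this service."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # malformed, or carries no signature at all
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64).decode("utf-8"))
        claims = json.loads(_b64url_decode(body_b64).decode("utf-8"))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        return None  # base64/JSON/UTF-8 errors all derive from ValueError
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return None  # signature does not verify under the expected key
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or past expiry
    return claims


def demo() -> dict:
    """Compare how each validator treats a genuine token and a forged admin token."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice", "exp": 4102444800}
    genuine = mint_hs256_token({**base, "isAdmin": False}, DEMO_KEY)
    # Forged: well-formed and "signed", but with a key the server never issued.
    forged = mint_hs256_token({**base, "isAdmin": True}, b"some-other-key")
    return {
        "weak_accepts_forged_admin": weak_validate(forged)["isAdmin"],
        "hardened_rejects_forged": hardened_validate(forged, DEMO_KEY) is None,
        "hardened_accepts_genuine": hardened_validate(genuine, DEMO_KEY)["sub"],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path rejects the forged token on the signature check alone; the issuer, audience and expiry checks guard against tokens that were legitimately signed but issued for a different service or have since expired.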
Discovery
CVE-2023-29357 was patched by Microsoft in the June 2023 Patch Tuesday release. The complete RCE chain with CVE-2023-24955 was demonstrated publicly by STAR Labs at Pwn2Own Vancouver in August 2023 after responsible disclosure and patching. The 7-month gap between the patch and the CISA KEV addition (January 2024) reflects the time it took for exploitation to become widespread enough for CISA to catalog it.
Exploitation Context
SharePoint Server is a high-value target for both data theft and ransomware: as a central document repository, it contains concentrated organizational data that ransomware groups can encrypt for maximum leverage, and that espionage actors can exfiltrate for intelligence collection. The Pwn2Own demonstration publicized the full attack chain, and ransomware operators incorporated it into initial access toolkits against on-premises SharePoint deployments — particularly targeting organizations that had not applied the June 2023 Patch Tuesday update promptly.
Remediation
- Apply the June 2023 Microsoft security updates (Patch Tuesday) to all SharePoint Server 2019 and 2016 instances.
- Also apply patches for CVE-2023-24955 (SharePoint Server RCE) — both are required to block the complete exploitation chain.
- Ensure SharePoint Server management interfaces and central admin are not internet-accessible — they should require VPN or be restricted to management networks.
- Review SharePoint ULS (Unified Logging Service) logs for unusual authentication events, particularly API requests with unexpected JWT token patterns or access from unfamiliar source IPs.
- Audit SharePoint site master pages and web part configurations for unauthorized modifications that could indicate exploitation of CVE-2023-24955 code injection.
- Consider migrating to SharePoint Online (Microsoft 365) where Microsoft handles patching — on-premises SharePoint deployments rely on timely patching by administrators.
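The log-review step above asks for API requests with unexpected JWT patterns or from unfamiliar source addresses. The Python script below is an added example of that triage, not a Microsoft or SharePoint tool: it parses constructed, simplified access-log lines (not the real ULS format) and flags bearer tokens whose header algorithm differs from the one the deployment's identity provider uses, tokens with an empty signature segment, tokens from an unexpected issuer, and requests from outside the trusted management networks. The expected algorithm, issuer and trusted ranges are hypothetical values an administrator would replace with their own.

```python
import base64
import json
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hypothetical deployment facts: the algorithm and issuer the real identity
# provider uses, and the networks that should legitimately reach the API.
EXPECTED_ALG = "RS256"
EXPECTED_ISSUER = "https://idp.example.invalid"
TRUSTED_NETWORKS = [ip_network("10.20.30.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) Bearer (\S+)$")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _constructed_token(header: dict, claims: dict, signature: bytes) -> str:
    """Build a token for the constructed log. The signature is a dummy string:
    this script inspects structure and claims only, it does not verify keys."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(signature)])


# Constructed, simplified log lines: time, client IP, request path, bearer token.
SAMPLE_LOG = [
    "2024-01-11T09:14:02Z 10.20.30.40 /_api/web/siteusers Bearer "
    + _constructed_token({"alg": "RS256"}, {"iss": EXPECTED_ISSUER, "sub": "alice"}, b"sig"),
    "2024-01-11T09:15:10Z 203.0.113.77 /_api/web/currentuser Bearer "
    + _constructed_token({"alg": "HS256"}, {"iss": EXPECTED_ISSUER, "sub": "bob"}, b"sig"),
    "2024-01-11T09:16:33Z 10.20.30.41 /_api/web/lists Bearer "
    + _constructed_token({"alg": "RS256"}, {"iss": EXPECTED_ISSUER, "sub": "carol"}, b""),
    "2024-01-11T09:17:45Z 198.51.100.9 /_api/web/siteusers Bearer "
    + _constructed_token({"alg": "RS256"}, {"iss": EXPECTED_ISSUER, "sub": "alice"}, b"sig"),
    "2024-01-11T09:18:01Z 10.20.30.42 /_api/web/lists Bearer "
    + _constructed_token({"alg": "RS256"}, {"iss": "https://other-idp.example.invalid", "sub": "dave"}, b"sig"),
    "2024-01-11T09:19:27Z 10.20.30.43 /_api/web/currentuser Bearer not.a.jwt",
]


def inspect_token(token: str) -> List[str]:
    """Return the anomalies found in a bearer token's structure and claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token"]
    header_seg, claims_seg, sig_seg = parts
    try:
        header = json.loads(_unb64url(header_seg).decode("utf-8"))
        claims = json.loads(_unb64url(claims_seg).decode("utf-8"))
    except ValueError:  # covers base64, UTF-8 and JSON decode failures
        return ["undecodable header or claims"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["undecodable header or claims"]
    reasons: List[str] = []
    if header.get("alg") != EXPECTED_ALG:
        reasons.append(f"unexpected alg {header.get('alg')!r}")
    if sig_seg == "":
        reasons.append("token carries no signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        reasons.append(f"unexpected issuer {claims.get('iss')!r}")
    return reasons


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan log lines and return one finding per request that looks anomalous."""
    findings: List[Dict] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a bearer-token request in this simplified format
        ts, ip, path, token = m.groups()
        reasons = inspect_token(token)
        if not any(ip_address(ip) in net for net in TRUSTED_NETWORKS):
            reasons.append(f"source {ip} outside trusted networks")
        if reasons:
            findings.append({"line": n, "time": ts, "ip": ip, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the first sample line passes clean; each of the others trips at least one check. Findings like these are leads for investigation, not proof of compromise: an unexpected algorithm or issuer may be a misconfigured client, but an unsigned token presented to an administrative API warrants pulling the surrounding ULS events for that request.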
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-29357 |
| Vendor / Product | Microsoft — SharePoint Server |
| NVD Published | 2023-06-14 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-303 |
| CISA KEV Added | 2024-01-10 |
| CISA KEV Deadline | 2024-01-31 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-06-13 | Microsoft patches CVE-2023-29357 on June 2023 Patch Tuesday |
| 2023-08-09 | STAR Labs demonstrates CVE-2023-29357 + CVE-2023-24955 RCE chain at Pwn2Own Vancouver — earns $100,000 |
| 2024-01-10 | CISA adds to Known Exploited Vulnerabilities catalog — active exploitation confirmed 7 months after patch |
| 2024-01-31 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2023-29357 | Vendor Advisory |
| NVD — CVE-2023-29357 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |