Urgent Security Alert: Critical SharePoint Flaw Allows Full Server Takeover
A critical vulnerability in Microsoft SharePoint Server is being actively targeted, placing organizations at severe risk of a full-scale data breach and server compromise. This security flaw, identified as CVE-2023-29357, is exceptionally dangerous because it allows an attacker to gain administrator-level privileges without needing to authenticate or provide any credentials.
With a CVSS severity score of 9.8 out of 10, this is one of the most serious threats to affect the platform. The vulnerability enables attackers to impersonate any user on the targeted SharePoint server, including high-level administrators. This effectively hands them the keys to your entire SharePoint environment.
If your organization uses Microsoft SharePoint Server, immediate action is required to prevent a potentially devastating security incident.
How the SharePoint Vulnerability Works
At its core, CVE-2023-29357 is a privilege escalation vulnerability. It exploits a flaw in how SharePoint validates user identities, allowing a remote, unauthenticated attacker to spoof JSON Web Tokens (JWTs). By crafting a malicious token, they can trick the server into believing they are a legitimate, high-privilege user.
The most alarming aspect is the attack’s simplicity and lack of prerequisites. An attacker needs no prior access, no user credentials, and no special permissions—only network access to the vulnerable SharePoint server.
The “One-Two Punch”: Chaining Exploits for Maximum Damage
Security researchers have demonstrated that CVE-2023-29357 is often just the first step in a more devastating attack chain. Malicious actors are combining this privilege escalation flaw with a second vulnerability, CVE-2023-24955, which is a remote code execution (RCE) bug.
Here’s how the combined attack unfolds:
- Gain Admin Rights: The attacker first exploits CVE-2023-29357 to elevate their privileges to that of an administrator.
- Execute Malicious Code: With full admin control, they then leverage CVE-2023-24955 to execute arbitrary commands on the server.
The result of this chained exploit is a complete and remote server takeover. Attackers can then proceed without any restrictions.
What’s at Risk? The Real-World Impact for Your Business
An unpatched SharePoint server exposed to this threat is an open door for cybercriminals. The consequences of a successful exploit are severe and can include:
- Complete Data Theft: Attackers can access and exfiltrate all data stored on the SharePoint server. This includes sensitive corporate documents, intellectual property, employee records, and customer information.
- Ransomware Deployment: With full server control, attackers can deploy ransomware to encrypt all your files, grinding business operations to a halt.
- Business Disruption: Malicious actors could choose to simply delete data or disable the SharePoint service entirely, causing significant operational downtime.
- Persistent Backdoors: Once inside, attackers can create hidden backdoors to maintain long-term access to your network, even after the initial vulnerability is patched.
- Further Network Compromise: The compromised SharePoint server can be used as a staging ground to launch attacks against other critical systems within your corporate network.
Urgent Action Required: How to Secure Your SharePoint Server
Proof-of-concept exploits for this vulnerability are publicly available, and attackers are actively scanning the internet for unpatched systems. This is not a theoretical threat; it is an active and ongoing risk.
Follow these steps immediately to protect your organization:
- Identify Vulnerable Systems: First, determine if you are running a vulnerable version of Microsoft SharePoint Server. The flaw primarily affects SharePoint Server 2019.
- Apply Microsoft’s Security Patches: The most critical step is to install the security updates released by Microsoft immediately. These patches fully remediate the vulnerability. Do not delay this process.
- Scan for Indicators of Compromise (IoCs): Since attackers may have already breached unpatched servers, it is crucial to review server logs for any unusual or unauthorized activity. Look for suspicious access patterns, unexpected file modifications, or strange network traffic originating from the server.
- Enhance Network Security: As a best practice, restrict access to your SharePoint server’s management interface. Ensure it is not exposed directly to the public internet unless absolutely necessary. Placing the server behind a properly configured Web Application Firewall (WAF) can also provide an additional layer of defense against such exploits.
Protecting your digital assets requires proactive and vigilant security measures. Given the severity of this vulnerability and the active threats in the wild, treating this as a top-priority security task is essential for safeguarding your organization’s data and operational integrity.
Source: https://www.kaspersky.com/blog/toolshell-is-back-cve-2025-53771-53770/53905/
