CVE-2023-24955 Overview
CVE-2023-24955 is a Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint Server. This code injection vulnerability (CWE-94) allows authenticated attackers with Site Owner privileges to execute arbitrary code on affected SharePoint Server installations. The vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, making it a critical concern for organizations running on-premises SharePoint deployments.
Critical Impact
Authenticated attackers with Site Owner privileges can achieve remote code execution on SharePoint servers, potentially compromising enterprise collaboration infrastructure and sensitive business data.
Affected Products
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Discovery Timeline
- 2023-05-09 - CVE-2023-24955 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-24955
Vulnerability Analysis
This vulnerability stems from improper code generation control (CWE-94) within Microsoft SharePoint Server. The flaw allows an authenticated attacker who possesses Site Owner permissions to inject and execute arbitrary code on the server. While the attack requires high privileges (Site Owner access), it can be exploited remotely over the network without any user interaction, making it particularly dangerous in environments where multiple users have elevated SharePoint permissions.
The exploitation of this vulnerability requires network access to the SharePoint server and valid credentials with Site Owner privileges. Once exploited, an attacker can achieve complete compromise of confidentiality, integrity, and availability on the affected system. This vulnerability is part of an exploitation chain that has been observed in real-world attacks, contributing to its inclusion in the CISA KEV catalog.
Root Cause
The root cause of CVE-2023-24955 is a code injection flaw (CWE-94: Improper Control of Generation of Code) in Microsoft SharePoint Server. The vulnerability exists due to insufficient validation and sanitization of user-controlled input, allowing Site Owners to inject malicious code that the server then executes in the context of the SharePoint application. This represents a failure in proper input validation and output encoding within SharePoint's processing logic.
Attack Vector
The attack vector for CVE-2023-24955 is network-based, requiring the attacker to have authenticated access to the SharePoint environment with Site Owner privileges. The attack flow involves:
- The attacker authenticates to the SharePoint server with valid Site Owner credentials
- The attacker crafts a malicious request containing injected code
- SharePoint Server processes the request without adequate validation
- The injected code executes on the server with the privileges of the SharePoint application pool identity
The vulnerability does not require any user interaction beyond the attacker's own actions, and the scope is unchanged, meaning the impact is confined to the vulnerable component but includes full compromise of the SharePoint server.
Detection Methods for CVE-2023-24955
Indicators of Compromise
- Unexpected process execution originating from SharePoint application pool processes (typically w3wp.exe)
- Anomalous PowerShell or command shell activity on SharePoint servers
- Unusual file creation or modification in SharePoint web directories
- Suspicious HTTP requests to SharePoint endpoints from Site Owner accounts
Detection Strategies
- Monitor SharePoint ULS logs for unusual error patterns or unexpected code execution attempts
- Implement network traffic analysis to detect anomalous requests to SharePoint servers
- Deploy endpoint detection and response (EDR) solutions on SharePoint servers to identify suspicious process chains
- Audit Site Owner account activity for unusual or unauthorized actions
Monitoring Recommendations
- Enable detailed logging on SharePoint servers and forward logs to SIEM solutions
- Configure alerts for process creation events from IIS application pools hosting SharePoint
- Monitor for lateral movement attempts originating from SharePoint server infrastructure
- Review SharePoint site collection audit logs for suspicious administrative actions
How to Mitigate CVE-2023-24955
Immediate Actions Required
- Apply the security update from Microsoft immediately on all affected SharePoint Server installations
- Review and audit Site Owner permissions across all SharePoint site collections
- Implement network segmentation to limit exposure of SharePoint servers
- Enable advanced threat protection and monitoring on SharePoint infrastructure
Patch Information
Microsoft has released security updates to address CVE-2023-24955. Organizations should apply the patches as soon as possible given the confirmed active exploitation of this vulnerability. Detailed patch information and download links are available from the Microsoft Security Update Guide. This vulnerability is also tracked in the CISA Known Exploited Vulnerabilities Catalog, which mandates federal agencies to remediate by specified deadlines.
Workarounds
- Restrict Site Owner permissions to only essential personnel and regularly audit these assignments
- Implement Web Application Firewall (WAF) rules to detect and block potential exploitation attempts
- Consider temporarily disabling internet-facing access to SharePoint servers until patches are applied
- Enable SharePoint's built-in audit logging to track administrative actions for forensic purposes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
