CVE-2023-24955: Critical Microsoft SharePoint Server Code Injection Advisory
Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely.
FREQUENTLY ASKED
What is CVE-2023-24955 and why does it matter?
CVE-2023-24955 is a high-severity code injection vulnerability in Microsoft SharePoint Server. It matters because it allows authenticated attackers with Site Owner privileges to execute remote code on the server. With an EPSS score of 0.91677 and active exploitation status, this vulnerability is a high-priority target for threat actors, including ransomware groups.
Which versions of Microsoft SharePoint Server are affected?
Based on the available source data, Microsoft SharePoint Server version 16.0.0 is identified as the affected version. Administrators managing deployments within the 16.0.0 version branch should immediately audit their systems for vulnerability and ensure all security updates provided by Microsoft are applied to prevent unauthorized code execution.
Has a patch been released for CVE-2023-24955?
Yes, Microsoft has released official patches and remediation guidance for CVE-2023-24955. The fix is available through the Microsoft Security Response Center (MSRC). Organizations are urged to apply these updates immediately, as the vulnerability is currently being exploited in the wild and poses a significant risk to enterprise data integrity and availability.
What is the remediation deadline and what it means for compliance?
The remediation deadline is set for 2024-04-16. For federal agencies and organizations following CISA guidelines, this date represents the mandatory window to patch the vulnerability to comply with Binding Operational Directive (BOD) 22-01. Missing this deadline increases the risk of exploitation and may lead to non-compliance status during security audits.
How to check if an instance/deployment is affected?
To check if your deployment is affected, administrators should verify the version and build numbers of their SharePoint Server installation. If the version is 16.0.0 and the latest security patches from the MSRC (Microsoft Security Response Center) have not been applied, the instance is considered vulnerable. Monitoring for unusual administrative activity is also recommended.
CVE-2023-24955 is a high-severity code injection vulnerability affecting Microsoft SharePoint Server. With a CVSS score of 7.2, this flaw allows authenticated attackers possessing Site Owner privileges to execute arbitrary code on the underlying server infrastructure. Given the remediation deadline of April 16, 2024, and its known use by ransomware operators, immediate action is required for all organizations utilizing the affected SharePoint versions.
CWE-94: Improper Control of Generation of Code ('Code Injection')
Date Disclosed
2024-03-26
Remediation Deadline
2024-04-16
SSVC Exploitation Status
Active
Known Ransomware Use
Yes
EPSS Score & Percentile
0.91677 (99.7th Percentile)
Patch Available
Yes (MSRC Update Guide)
Technical Deep Dive into CWE-94 and SharePoint Exploitation
CVE-2023-24955 centers on CWE-94: Improper Control of Generation of Code ('Code Injection'). In the context of Microsoft SharePoint, code injection occurs when the application accepts input from a user and incorrectly incorporates that input into a code block that is subsequently executed by the server's runtime environment.
The Mechanics of the Attack
While Microsoft’s disclosure focuses on the high-level impact, code injection in SharePoint typically involves the exploitation of server-side components that handle web parts, site templates, or specialized API endpoints. Because the attacker requires Site Owner privileges (PR:H), the vulnerability is technically an escalation of capability. An attacker who has already compromised a high-privilege account, or a malicious insider, can bypass standard restrictions to execute system-level commands.
Analytically, this vulnerability represents a failure in the application's "sandbox" or input validation logic. Instead of treating Site Owner configurations as strictly data, the server interprets certain malformed inputs as executable instructions. This is particularly dangerous in SharePoint environments because the service often runs with high-level service account permissions (such as spfarm or local system), meaning the blast radius includes the entire document corpus, user databases, and potentially the broader Active Directory environment if the service account is over-privileged.
Active Exploitation and Risk Context
The SSVC Exploitation status is marked as "active," and the EPSS (Exploit Prediction Scoring System) score of 0.91677 places this vulnerability in the top 0.3% of all tracked CVEs. This data indicates that threat actors are actively leveraging CVE-2023-24955 in real-world attacks. Furthermore, the explicit mention of Known Ransomware Use suggests that ransomware groups are using this code injection flaw as a lateral movement or persistence mechanism after gaining an initial foothold in a corporate network.
Who Is Affected: Impact and Compliance Deadlines
This vulnerability impacts organizations running Microsoft SharePoint Server 16.0.0. While many organizations have transitioned to SharePoint Online (M365), a significant number of enterprise, government, and healthcare entities maintain on-premises SharePoint deployments for data sovereignty or legacy integration reasons. These on-premises environments are the primary targets.
CISA BOD 22-01 Compliance
Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-24955 to its Known Exploited Vulnerabilities (KEV) Catalog. For United States Federal Civilian Executive Branch (FCEB) agencies, patching this vulnerability is not optional; it is a mandate under Binding Operational Directive (BOD) 22-01. The Remediation Deadline of 2024-04-16 is the hard cutoff for these agencies. Private sector organizations are strongly encouraged to adhere to this same timeline to avoid becoming part of the active exploitation statistics reported by global SOCs.
Official Remediation Steps and Patching Guidance
Microsoft has provided a comprehensive security update to address the logic flaw in how SharePoint handles site-owner-controlled inputs. Follow these steps to secure your environment:
Identify Vulnerable Assets: Use asset discovery tools or PowerShell scripts to identify all SharePoint Server instances running version 16.0.0. Ensure you check all servers in the farm, including front-end web servers and application servers.
Perform a Full Backup: Before applying the update, perform a full backup of the SharePoint databases and the server states. This ensures a recovery path if the update process encounters environment-specific errors.
Apply the Security Update: Run the installer on all servers in the SharePoint farm. Note that SharePoint updates often require a subsequent run of the SharePoint Products Configuration Wizard (PSConfig.exe) to finalize the database schema changes and apply the code fixes fully.
Verify the Update: After the configuration wizard completes, check the "Servers in Farm" page in Central Administration to ensure the version numbers reflect the patched state.
Security Best Practices for SharePoint Hardening
Beyond patching, addressing CWE-94 requires a defense-in-depth strategy to minimize the attack surface of collaborative platforms. Implementing the following practices will mitigate the risk of similar vulnerabilities in the future:
Enforce Least Privilege (RBAC): Limit the number of users with "Site Owner" or "Full Control" permissions. Many users who request Site Owner status only require "Design" or "Contribute" permissions to perform their daily tasks. Reducing high-privilege accounts significantly narrows the pool of credentials an attacker can use to trigger CVE-2023-24955.
Network Segmentation: Isolate SharePoint servers within a dedicated VLAN. Use internal firewalls to restrict communication between the SharePoint farm and other sensitive network segments, such as domain controllers or financial databases.
Monitor for Anomalous Process Execution: Use Endpoint Detection and Response (EDR) tools on SharePoint servers to alert on suspicious child processes spawned by the SharePoint worker process (w3wp.exe). Execution of cmd.exe, powershell.exe, or net.exe from a web worker is a classic indicator of code injection exploitation.
Audit Site Configuration Changes: Enable robust auditing for administrative actions within SharePoint. Focus on changes to web parts, custom scripts, and site settings performed by high-privilege users. This provides a forensic trail in the event of an insider threat or credential compromise.
Web Application Firewall (WAF) Implementation: Deploy a WAF in front of SharePoint to inspect incoming HTTP traffic. While WAFs may not catch every sophisticated code injection attempt, they can block common exploit patterns and provide an additional layer of protection while patches are being tested and deployed.
Regular Vulnerability Scanning: Incorporate SharePoint servers into a weekly vulnerability scanning rotation. This ensures that missed patches or new zero-day vulnerabilities are identified before threat actors can exploit them, especially for products like SharePoint that are frequently targeted by ransomware affiliates.
Service Account Hardening: Ensure that the service accounts used by the SharePoint Timer Service and Web Application Pools are managed service accounts with restricted permissions in Active Directory. Avoid using Domain Admin credentials for SharePoint services, as this transforms a server compromise into a full forest compromise.