CVE-2023-24955

CVE-2023-24955 is a high-severity vulnerability in Microsoft Sharepoint Enterprise Server with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-26). The underlying weakness is classified as CWE-94.

Key facts

Description

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-24955
Published 2023-05-09
Severity HIGH (CVSS 3.1: 7.2)
CWE CWE-94: Improper Control of Generation of Code (Code Injection)
EPSS 85.40% (99.7th percentile)
CISA KEV Yes (added 2024-03-26)
EU Exploited Yes (since 2024-03-26)

Summary

Microsoft SharePoint Server is affected by a remote code execution vulnerability stemming from improper code injection controls. An attacker with high-level privileges can exploit this flaw to execute arbitrary code on the target SharePoint server. The vulnerability carries a CVSS 3.1 score of 7.2 (HIGH) and has been actively exploited in the wild, as confirmed by both CISA's Known Exploited Vulnerabilities catalog and the EU vulnerability database.

Background

SharePoint Server is Microsoft's on-premises collaboration and document management platform widely deployed in enterprise environments. It integrates with Active Directory, OneDrive, and Office Online Server to provide intranet portals, document repositories, and team collaboration spaces. Given its privileged position in enterprise networks and its access to sensitive business data, any remote code execution vulnerability in SharePoint represents a critical security concern for organizations relying on this platform.

Root Cause

CWE-94: Improper Control of Generation of Code ('Code Injection')

The vulnerability exists because SharePoint Server fails to properly sanitize or validate user-supplied input before using it in code generation or execution contexts. When an attacker with administrative or high-privilege access supplies crafted input, the application interprets it as executable code rather than data. This code injection weakness allows the attacker to break out of intended data-processing boundaries and execute arbitrary commands within the security context of the SharePoint application pool or underlying operating system.

Impact

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reveals the following impact profile:

  • Attack Vector (AV): Network — The vulnerability can be exploited remotely over the network.
  • Attack Complexity (AC): Low — No special conditions or advanced techniques are required beyond having the requisite privileges.
  • Privileges Required (PR): High — The attacker must possess high-privilege credentials (typically administrative access to SharePoint).
  • User Interaction (UI): None — No victim interaction is needed once the attacker has the required privileges.
  • Scope (S): Unchanged — The vulnerable component and impacted component are the same.
  • Confidentiality, Integrity, Availability (C/I/A): All HIGH — Successful exploitation grants the attacker complete control over the SharePoint server, enabling data exfiltration, content tampering, and service disruption.

Real-World Exploitation Context:

  • EPSS score of 85.40% (99.7th percentile) indicates an extremely high probability of observed exploitation.
  • Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since March 26, 2024.
  • Flagged as actively exploited by the EU vulnerability database since the same date.

These indicators confirm that threat actors are weaponizing this vulnerability in practice, not merely in theory.

Exploitation Walkthrough

Ethics Note: This section describes the exploitation vector from a defensive perspective to help security teams understand how the attack works and what to monitor for. No weaponized exploit code is provided.

Given the PR:HIGH requirement, exploitation begins after an attacker has already compromised or otherwise obtained high-privilege credentials within the SharePoint environment (e.g., SharePoint farm administrator or application pool identity). With these credentials, the attacker interacts with a SharePoint administrative interface, API endpoint, or configuration panel that fails to adequately sanitize input before passing it to an evaluative or code-execution function.

Typical exploitation flow:

  1. Authentication: The attacker authenticates to SharePoint using compromised high-privilege credentials.
  2. Input Injection: Through an administrative page, web part, or API call, the attacker submits crafted input containing executable code constructs (e.g., serialized objects, script blocks, or command strings).
  3. Server-Side Execution: SharePoint processes the input without proper validation, passing it to a code execution path (such as deserialization, dynamic expression evaluation, or script compilation).
  4. Post-Exploitation: The injected code runs with the privileges of the SharePoint worker process, granting the attacker a foothold on the server.

Because the attack complexity is rated LOW, the exploitation does not require bypassing advanced mitigations beyond the initial privilege requirement. Organizations should treat any account with SharePoint administrative privileges as a high-value target requiring strong protection.

Affected and Patched Versions

Affected Products:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server (Subscription Edition)

Patched Versions:
Microsoft has released security updates for this vulnerability. Refer to the Microsoft Security Response Center advisory for specific security update packages and KB article numbers applicable to your SharePoint version and build.

Remediation

  1. Apply Security Updates: Install the latest security updates from Microsoft as outlined in the MSRC advisory for CVE-2023-24955. Prioritize patching externally accessible SharePoint servers.

  2. Compensating Controls:

    • Restrict Administrative Access: Limit SharePoint farm administrator and site collection administrator roles to the minimum number of personnel required. Enforce just-in-time (JIT) access where possible.
    • Network Segmentation: Place SharePoint servers in isolated network segments with strict ingress/egress filtering. Restrict administrative interfaces to internal networks or trusted jump hosts only.
    • Credential Protection: Enforce multi-factor authentication (MFA) for all SharePoint administrative accounts. Monitor for anomalous authentication events.
    • Application Whitelisting: Implement application control policies to prevent unauthorized code execution on SharePoint servers.
    • Input Validation Reviews: If custom SharePoint solutions, web parts, or farm solutions are deployed, audit them for code injection vulnerabilities (CWE-94) and ensure all user input is strictly validated.

Detection

Security teams should monitor for the following indicators:

  • Authentication Anomalies: Unusual login patterns for SharePoint administrative accounts, especially from unexpected source IP addresses or outside business hours.
  • Web Server Logs: POST requests to SharePoint administrative endpoints or API paths with unusually large or encoded payloads that may indicate injection attempts.
  • Process Execution: Unexpected child processes spawned by SharePoint worker processes (e.g., w3wp.exe spawning command shells, PowerShell, or scripting engines).
  • File System Changes: Unauthorized modifications to SharePoint content databases, configuration files, or the layouts and bin directories.
  • Network Connections: Outbound connections from SharePoint servers to external or unexpected destinations, which may indicate post-exploitation command-and-control activity.
  • Endpoint Detection: Alerts triggered by endpoint protection platforms detecting in-memory code execution or suspicious script activity within the SharePoint application context.

Assessment

CVE-2023-24955 represents a confirmed, actively exploited remote code execution vulnerability in a core enterprise collaboration platform. While the high privilege requirement (PR:H) limits the attack surface to compromised or insider-administrative accounts, the LOW attack complexity and HIGH impact across confidentiality, integrity, and availability make it a serious threat in environments where administrative credentials are not rigorously protected.

The EPSS score of 85.40% and inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities list are clear signals that this vulnerability is not merely theoretical — it is being leveraged by real threat actors. Organizations running affected SharePoint versions should treat patching as urgent, particularly for internet-facing or multi-tenant deployments.

Key Lessons:

  1. Privileged access is the new perimeter. Even "authenticated-only" vulnerabilities can have severe consequences when administrative accounts are insufficiently protected. MFA, privileged access workstations, and continuous credential monitoring are essential.
  2. EPSS + KEV together provide stronger prioritization signals than CVSS alone. A CVSS 7.2 might not always trigger immediate emergency patching, but the combination of a 99.7th-percentile EPSS score and active KEV listing should.

References

Frequently asked questions

What is CVE-2023-24955?
Microsoft SharePoint Server Remote Code Execution Vulnerability
How severe is CVE-2023-24955?
CVE-2023-24955 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-24955 being actively exploited?
Yes. CVE-2023-24955 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-26, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-24955?
CVE-2023-24955 primarily affects Microsoft Sharepoint Enterprise Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-24955?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-24955 have an EU (EUVD) identifier?
Yes. CVE-2023-24955 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-28942. It is also flagged as exploited in the EUVD (since 2024-03-26).
When was CVE-2023-24955 published?
CVE-2023-24955 was published on 2023-05-09 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Sharepoint Enterprise Server

All CVEs affecting Microsoft Sharepoint Enterprise Server →

Other CWE-94 (Code Injection) vulnerabilities

Browse all CWE-94 (Code Injection) vulnerabilities →