CVE-2023-24955
CVE-2023-24955 is a high-severity vulnerability in Microsoft Sharepoint Enterprise Server with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-26). The underlying weakness is classified as CWE-94.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- EPSS exploit prediction: 85% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-03-26)
- EU (EUVD) id: EUVD-2023-28942
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-03-26)
- Weakness: CWE-94
- Affected product: Microsoft Sharepoint Enterprise Server
- Published:
- Last modified:
Description
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-24955 |
| Published | 2023-05-09 |
| Severity | HIGH (CVSS 3.1: 7.2) |
| CWE | CWE-94: Improper Control of Generation of Code (Code Injection) |
| EPSS | 85.40% (99.7th percentile) |
| CISA KEV | Yes (added 2024-03-26) |
| EU Exploited | Yes (since 2024-03-26) |
Summary
Microsoft SharePoint Server is affected by a remote code execution vulnerability stemming from improper code injection controls. An attacker with high-level privileges can exploit this flaw to execute arbitrary code on the target SharePoint server. The vulnerability carries a CVSS 3.1 score of 7.2 (HIGH) and has been actively exploited in the wild, as confirmed by both CISA's Known Exploited Vulnerabilities catalog and the EU vulnerability database.
Background
SharePoint Server is Microsoft's on-premises collaboration and document management platform widely deployed in enterprise environments. It integrates with Active Directory, OneDrive, and Office Online Server to provide intranet portals, document repositories, and team collaboration spaces. Given its privileged position in enterprise networks and its access to sensitive business data, any remote code execution vulnerability in SharePoint represents a critical security concern for organizations relying on this platform.
Root Cause
CWE-94: Improper Control of Generation of Code ('Code Injection')
The vulnerability exists because SharePoint Server fails to properly sanitize or validate user-supplied input before using it in code generation or execution contexts. When an attacker with administrative or high-privilege access supplies crafted input, the application interprets it as executable code rather than data. This code injection weakness allows the attacker to break out of intended data-processing boundaries and execute arbitrary commands within the security context of the SharePoint application pool or underlying operating system.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reveals the following impact profile:
- Attack Vector (AV): Network — The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC): Low — No special conditions or advanced techniques are required beyond having the requisite privileges.
- Privileges Required (PR): High — The attacker must possess high-privilege credentials (typically administrative access to SharePoint).
- User Interaction (UI): None — No victim interaction is needed once the attacker has the required privileges.
- Scope (S): Unchanged — The vulnerable component and impacted component are the same.
- Confidentiality, Integrity, Availability (C/I/A): All HIGH — Successful exploitation grants the attacker complete control over the SharePoint server, enabling data exfiltration, content tampering, and service disruption.
Real-World Exploitation Context:
- EPSS score of 85.40% (99.7th percentile) indicates an extremely high probability of observed exploitation.
- Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since March 26, 2024.
- Flagged as actively exploited by the EU vulnerability database since the same date.
These indicators confirm that threat actors are weaponizing this vulnerability in practice, not merely in theory.
Exploitation Walkthrough
Ethics Note: This section describes the exploitation vector from a defensive perspective to help security teams understand how the attack works and what to monitor for. No weaponized exploit code is provided.
Given the PR:HIGH requirement, exploitation begins after an attacker has already compromised or otherwise obtained high-privilege credentials within the SharePoint environment (e.g., SharePoint farm administrator or application pool identity). With these credentials, the attacker interacts with a SharePoint administrative interface, API endpoint, or configuration panel that fails to adequately sanitize input before passing it to an evaluative or code-execution function.
Typical exploitation flow:
- Authentication: The attacker authenticates to SharePoint using compromised high-privilege credentials.
- Input Injection: Through an administrative page, web part, or API call, the attacker submits crafted input containing executable code constructs (e.g., serialized objects, script blocks, or command strings).
- Server-Side Execution: SharePoint processes the input without proper validation, passing it to a code execution path (such as deserialization, dynamic expression evaluation, or script compilation).
- Post-Exploitation: The injected code runs with the privileges of the SharePoint worker process, granting the attacker a foothold on the server.
Because the attack complexity is rated LOW, the exploitation does not require bypassing advanced mitigations beyond the initial privilege requirement. Organizations should treat any account with SharePoint administrative privileges as a high-value target requiring strong protection.
Affected and Patched Versions
Affected Products:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server (Subscription Edition)
Patched Versions:
Microsoft has released security updates for this vulnerability. Refer to the Microsoft Security Response Center advisory for specific security update packages and KB article numbers applicable to your SharePoint version and build.
Remediation
-
Apply Security Updates: Install the latest security updates from Microsoft as outlined in the MSRC advisory for CVE-2023-24955. Prioritize patching externally accessible SharePoint servers.
-
Compensating Controls:
- Restrict Administrative Access: Limit SharePoint farm administrator and site collection administrator roles to the minimum number of personnel required. Enforce just-in-time (JIT) access where possible.
- Network Segmentation: Place SharePoint servers in isolated network segments with strict ingress/egress filtering. Restrict administrative interfaces to internal networks or trusted jump hosts only.
- Credential Protection: Enforce multi-factor authentication (MFA) for all SharePoint administrative accounts. Monitor for anomalous authentication events.
- Application Whitelisting: Implement application control policies to prevent unauthorized code execution on SharePoint servers.
- Input Validation Reviews: If custom SharePoint solutions, web parts, or farm solutions are deployed, audit them for code injection vulnerabilities (CWE-94) and ensure all user input is strictly validated.
Detection
Security teams should monitor for the following indicators:
- Authentication Anomalies: Unusual login patterns for SharePoint administrative accounts, especially from unexpected source IP addresses or outside business hours.
- Web Server Logs: POST requests to SharePoint administrative endpoints or API paths with unusually large or encoded payloads that may indicate injection attempts.
- Process Execution: Unexpected child processes spawned by SharePoint worker processes (e.g.,
w3wp.exespawning command shells, PowerShell, or scripting engines). - File System Changes: Unauthorized modifications to SharePoint content databases, configuration files, or the
layoutsandbindirectories. - Network Connections: Outbound connections from SharePoint servers to external or unexpected destinations, which may indicate post-exploitation command-and-control activity.
- Endpoint Detection: Alerts triggered by endpoint protection platforms detecting in-memory code execution or suspicious script activity within the SharePoint application context.
Assessment
CVE-2023-24955 represents a confirmed, actively exploited remote code execution vulnerability in a core enterprise collaboration platform. While the high privilege requirement (PR:H) limits the attack surface to compromised or insider-administrative accounts, the LOW attack complexity and HIGH impact across confidentiality, integrity, and availability make it a serious threat in environments where administrative credentials are not rigorously protected.
The EPSS score of 85.40% and inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities list are clear signals that this vulnerability is not merely theoretical — it is being leveraged by real threat actors. Organizations running affected SharePoint versions should treat patching as urgent, particularly for internet-facing or multi-tenant deployments.
Key Lessons:
- Privileged access is the new perimeter. Even "authenticated-only" vulnerabilities can have severe consequences when administrative accounts are insufficiently protected. MFA, privileged access workstations, and continuous credential monitoring are essential.
- EPSS + KEV together provide stronger prioritization signals than CVSS alone. A CVSS 7.2 might not always trigger immediate emergency patching, but the combination of a 99.7th-percentile EPSS score and active KEV listing should.
References
Frequently asked questions
- What is CVE-2023-24955?
- Microsoft SharePoint Server Remote Code Execution Vulnerability
- How severe is CVE-2023-24955?
- CVE-2023-24955 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-24955 being actively exploited?
- Yes. CVE-2023-24955 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-26, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-24955?
- CVE-2023-24955 primarily affects Microsoft Sharepoint Enterprise Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-24955?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-24955 have an EU (EUVD) identifier?
- Yes. CVE-2023-24955 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-28942. It is also flagged as exploited in the EUVD (since 2024-03-26).
- When was CVE-2023-24955 published?
- CVE-2023-24955 was published on 2023-05-09 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-24955
Affected products (3)
- cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:-:*:*:*:subscription:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Enterprise Server
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2023-21716 — Critical (CVSS 9.8): Microsoft Word Remote Code Execution Vulnerability
- CVE-2020-1025 — Critical (CVSS 9.8): An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server…
- CVE-2019-0604 — Critical (CVSS 9.8): A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup…
- CVE-2025-47172 — High (CVSS 8.8): Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint…
All CVEs affecting Microsoft Sharepoint Enterprise Server →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.