CVE-2023-29357
CVE-2023-29357 is a critical-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-10). The underlying weakness is classified as CWE-303.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-01-10)
- EU (EUVD) id: EUVD-2023-32930
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-01-10)
- Weakness: CWE-303
- Affected product: Microsoft Sharepoint Server
- Published:
- Last modified:
Description
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-29357 |
| CVSS v3 | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-303 — Incorrect Authentication or Authorization |
| EPSS | 0.99649 (99.95th percentile) |
| KEV | Yes (added 2024-01-10) |
| Affected Product | Microsoft SharePoint Server 2019 |
Summary
A critical elevation of privilege vulnerability in Microsoft SharePoint Server 2019 enables unauthenticated attackers on the network to bypass authentication/authorization controls and gain elevated privileges, resulting in high impact to confidentiality, integrity, and availability.
Background
Microsoft SharePoint Server is an on-premises enterprise collaboration and document management platform widely deployed in corporate environments. It provides web-based portals, document libraries, and team sites integrated with Active Directory. CVE-2023-29357 affects the SharePoint Server 2019 on-premises product line.
Root Cause
The vulnerability is classified under CWE-303: Incorrect Authentication or Authorization. The root cause lies in the SharePoint Server's authentication/authorization logic, which improperly validates or enforces access controls under certain conditions. This allows an attacker to escalate privileges without presenting valid credentials or by bypassing intended authorization checks. The exact code path is not publicly disclosed, but the weakness category points to a failure in the authentication/authorization pipeline.
Impact
- CVSS v3 Score: 9.8 (Critical)
- Attack Vector (AV): Network — exploitable remotely without local access.
- Attack Complexity (AC): Low — no special conditions or advanced techniques required.
- Privileges Required (PR): None — the attacker does not need valid credentials.
- User Interaction (UI): None — no victim action is needed.
- Scope (S): Unchanged — the vulnerable component is the only one impacted.
- Confidentiality (C): High — sensitive data can be accessed.
- Integrity (I): High — data and configuration can be modified.
- Availability (A): High — service disruption is possible.
This combination makes the vulnerability trivially exploitable over the network with full impact on the SharePoint Server and its underlying data.
Exploitation Walkthrough
Ethics caveat: This section provides generic, defensive awareness only. No weaponized exploit code or step-by-step attack instructions are included. The goal is to help defenders understand the attack surface.
An attacker positioned on the network (or with internet access if SharePoint is exposed) sends a crafted HTTP request to a SharePoint endpoint that triggers the authentication/authorization bypass. The request is designed to exploit the improper validation logic in the SharePoint authentication pipeline, allowing the attacker to act with elevated privileges. Because the attack requires no authentication and no user interaction, automated exploitation tools can scan for and target exposed SharePoint instances at scale.
Defenders should monitor for:
- Unusual HTTP requests to SharePoint API endpoints from unexpected source IPs.
- Requests to authentication-related endpoints that result in elevated access or administrative actions.
- Bursts of 401/403 responses followed by successful 200 responses from the same source, which may indicate a bypass attempt.
Affected and Patched Versions
- Affected: Microsoft SharePoint Server 2019 (confirmed via CPE data:
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*). - Patched versions: Not specified in the available structured data. Refer to the Microsoft Security Response Center (MSRC) advisory for the specific security update and build numbers.
Remediation
- Patch immediately: Apply the Microsoft security update referenced in the MSRC advisory for CVE-2023-29357. Given the EPSS and KEV status, this should be treated as an emergency patch.
- Network segmentation: Restrict network access to SharePoint Server endpoints to authorized internal users and VPN-only segments. Do not expose SharePoint management interfaces to the internet.
- Web Application Firewall (WAF): Deploy WAF rules to detect and block anomalous requests targeting SharePoint authentication endpoints.
- Compensating controls: Enforce multi-factor authentication (MFA) for all administrative accounts where technically feasible. Review and harden SharePoint service account permissions.
- Monitoring: Enable detailed logging on SharePoint IIS and application logs. Forward logs to a SIEM for correlation and alerting.
Detection
- SIEM / Log monitoring: Alert on successful administrative actions from non-administrative source IPs or service accounts.
- Network monitoring: Flag unexpected outbound connections from the SharePoint server or inbound connections from unusual geographic locations.
- Vulnerability scanning: Use authenticated and unauthenticated scans to verify the SharePoint build version and patch status.
- File integrity monitoring: Track changes to SharePoint configuration files and web.config that may indicate post-exploitation activity.
Assessment
- EPSS: 0.99649 with a 99.95th percentile ranking indicates near-certain exploitation probability in the wild. This is one of the highest EPSS scores observed and demands immediate action.
- KEV: The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, added on 2024-01-10, and is also flagged as EU-exploited (EUVD-2023-32930). Active exploitation is confirmed by multiple government agencies.
- Ransomware: The vulnerability has been associated with ransomware campaigns, elevating the business risk beyond data theft to operational paralysis.
Lessons:
- Authentication/authorization flaws are high-value targets: Enterprise collaboration platforms like SharePoint hold sensitive documents and are often reachable from the network, making authentication bypasses especially dangerous.
- EPSS + KEV should drive triage: When EPSS exceeds 0.99 and KEV is confirmed, patching should bypass normal change-control windows and be treated as an incident-response activity.
References
Frequently asked questions
- What is CVE-2023-29357?
- Microsoft SharePoint Server Elevation of Privilege Vulnerability
- How severe is CVE-2023-29357?
- CVE-2023-29357 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-29357 being actively exploited?
- Yes. CVE-2023-29357 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-29357?
- CVE-2023-29357 affects Microsoft Sharepoint Server. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-29357?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-29357 have an EU (EUVD) identifier?
- Yes. CVE-2023-29357 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-32930. It is also flagged as exploited in the EUVD (since 2024-01-10).
- When was CVE-2023-29357 published?
- CVE-2023-29357 was published on 2023-06-14 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29357
Affected products (1)
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Server
- CVE-2013-1330 — Critical (CVSS 10.0): The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and…
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2026-20963 — Critical (CVSS 9.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a…
- CVE-2025-53770 — Critical (CVSS 9.8): Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute…
- CVE-2023-21716 — Critical (CVSS 9.8): Microsoft Word Remote Code Execution Vulnerability
All CVEs affecting Microsoft Sharepoint Server →
Other CWE-303 vulnerabilities
- CVE-2025-13390 — Critical (CVSS 10.0): The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including,…
- CVE-2025-12421 — Critical (CVSS 9.9): Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that…
- CVE-2025-12419 — Critical (CVSS 9.9): Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly…
- CVE-2025-66489 — Critical (CVSS 9.8): Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker…
- CVE-2025-21311 — Critical (CVSS 9.8): Windows NTLM V1 Elevation of Privilege Vulnerability
- CVE-2024-10127 — Critical (CVSS 9.8): Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of…