
Critical Microsoft SharePoint bug now actively exploited


CISA warns that attackers are now exploiting a critical Microsoft SharePoint privilege escalation vulnerability that can be chained with another critical bug for remote code execution.

Tracked as CVE-2023-29357, the security flaw allows remote attackers to get admin privileges on unpatched servers by circumventing authentication using spoofed JWT auth tokens.

“An attacker who has gained entry to spoofed JWT authentication tokens can use them to execute a community assault which bypasses authentication and permits them to realize entry to the privileges of an authenticated person,” Microsoft explains.

“An attacker who efficiently exploited this vulnerability might achieve administrator privileges. The attacker wants no privileges nor does the person have to carry out any motion.”

Remote attackers can execute arbitrary code on compromised SharePoint servers via command injection when chaining this flaw with the CVE-2023-24955 SharePoint Server remote code execution vulnerability.

This Microsoft SharePoint Server exploit chain was successfully demoed by STAR Labs researcher Jang (Nguyễn Tiến Giang) during last year's March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.

The researcher published a technical analysis on September 25 describing the exploitation process in detail.

Just one day later, a security researcher also released a CVE-2023-29357 proof-of-concept exploit on GitHub.

Although the exploit does not grant remote code execution on targeted systems, since it is not a complete exploit for the chain demoed at Pwn2Own, its author said attackers could chain it with the CVE-2023-24955 bug themselves for RCE.

“The script outputs particulars of admin customers with elevated privileges and may function in each single and mass exploit modes,” the PoC exploit’s developer says.

“Nonetheless, to keep up an moral stance, this script doesn’t comprise functionalities to carry out RCE and is supposed solely for instructional functions and lawful and licensed testing.”

Since then, other PoC exploits for this chain have surfaced online, lowering the exploitation bar and allowing even less-skilled threat actors to deploy it in attacks.

While it has yet to provide more details on active exploitation of CVE-2023-29357, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and now requires U.S. federal agencies to patch it by the end of the month, on January 31.


