Threats / Microsoft / CVE-2023-29357
CVE-2023-29357
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft SharePoint Server vulnerability
Microsoft SharePoint Server vulnerability allows unauthenticated attackers with spoofed JWT tokens to bypass authentication and gain administrator privileges, enabling network attacks.
Verdict
Today item, not a backlog item.
An authentication bypass flaw in SharePoint Server permits attackers holding forged JWT credentials to escalate to administrative access without legitimate credentials, facilitating unauthorized system compromise and data exfiltration.
CISA KEV Yes · 2024-01-103Ransomware use Flagged3EPSS 0.99618 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
507 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-01-10), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99618 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, SharePoint Server. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-303 CWE-303 — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I obtain or forge JWT authentication tokens through credential theft or cryptographic weakness.
Business
Attackers gain entry to SharePoint infrastructure without legitimate user credentials, circumventing perimeter security controls.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I present the spoofed JWT tokens to SharePoint Server to bypass authentication mechanisms.
Business
Authentication systems fail to validate token legitimacy, allowing unauthorized access to proceed unchallenged.
3
Lateral reach — past segmentation narrative 3
Attacker
I escalate my access level to administrator privileges within the compromised SharePoint instance.
Business
Attackers gain full administrative control over document repositories, user accounts, and system configurations.
4
Data at risk — exfiltration narrative 4
Attacker
I exfiltrate sensitive documents, deploy malware, or establish persistence mechanisms across the SharePoint environment.
Business
Confidential business data is stolen, systems are compromised for ransomware deployment, and organizational operations are disrupted.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05