CVE-2023-24955

7.2 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by sending specially crafted requests. It affects organizations running vulnerable SharePoint Server versions, potentially enabling complete system compromise.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Multiple versions - check Microsoft advisory for specific affected versions
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All default SharePoint Server configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to SharePoint data, privilege escalation, and installation of web shells for ongoing access.

🟢 If Mitigated

Limited impact with proper network segmentation, application firewalls, and least privilege configurations in place.

🌐 Internet-Facing: HIGH - SharePoint servers often face the internet for collaboration, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication, but standard user credentials may be sufficient. Microsoft rates this as 'Exploitation More Likely'.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955

Restart Required: Yes

Instructions:

1. Apply the latest Microsoft security updates for SharePoint Server.
2. Restart SharePoint services.
3. Test functionality after patching.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to SharePoint servers using firewalls

Authentication Hardening (all)

Implement multi-factor authentication and strong password policies

🧯 If You Can't Patch

  • Isolate SharePoint servers in separate network segments with strict firewall rules
  • Implement web application firewall (WAF) with SharePoint-specific rules

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version against Microsoft's security bulletin for affected versions

Check Version:

Get-SPFarm | Select BuildVersion (PowerShell on SharePoint server)

Verify Fix Applied:

Verify SharePoint Server version matches or exceeds patched version in Microsoft advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Suspicious file uploads to SharePoint
  • Unexpected process execution

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • Suspicious HTTP requests to SharePoint endpoints

SIEM Query:

source="sharepoint" AND (event_id=6398 OR event_id=6399) AND (process_execution OR file_upload)
