CVE-2023-29357

9.8 CRITICAL

📋 TL;DR

CVE-2023-29357 is a critical elevation of privilege vulnerability in Microsoft SharePoint Server that allows attackers to bypass authentication and gain administrative access. This affects organizations running vulnerable SharePoint Server versions, potentially exposing sensitive data and systems. The vulnerability is particularly dangerous because it can be exploited without authentication.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
  • Microsoft SharePoint Foundation
Versions: SharePoint Server 2019, SharePoint Server 2016, SharePoint Server 2013 Service Pack 1
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All supported versions of SharePoint Server are affected. SharePoint Online is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of SharePoint Server with administrative privileges, enabling data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Unauthenticated attackers gaining administrative access to SharePoint sites, accessing sensitive documents, user credentials, and potentially pivoting to other enterprise systems.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication requirements, and monitoring in place, though risk remains significant until patched.

🌐 Internet-Facing: HIGH - Internet-facing SharePoint servers are directly exploitable without authentication, making them prime targets for attackers.
🏢 Internal Only: HIGH - Even internally accessible SharePoint servers are vulnerable to attackers who gain initial access through other means or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward and has been observed in the wild. Attackers can chain this with other vulnerabilities for greater impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2023 security updates or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357

Restart Required: Yes

Instructions:

1. Apply the May 2023 security updates for SharePoint Server from Microsoft Update.
2. Restart the SharePoint servers.
3. Test functionality after patching.
4. Consider applying additional security updates if behind on patching.

🔧 Temporary Workarounds

Disable Anonymous Authentication

Platform: windows

Configure SharePoint to require authentication for all access, reducing attack surface.

Configure in SharePoint Central Administration > Security > Configure anonymous access

Network Segmentation

Platform: all

Restrict access to SharePoint servers using firewalls and network controls.

🧯 If You Can't Patch

  • Isolate SharePoint servers from internet access and restrict internal network access
  • Implement strict monitoring and alerting for suspicious authentication attempts and privilege escalation activities

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version and patch level. If running SharePoint Server 2013 SP1, 2016, or 2019 without May 2023 security updates, you are vulnerable.

Check Version:

PowerShell: Get-SPFarm | Select BuildVersion

Alternatively, check Central Administration > Upgrade and Migration > Check product and patch installation status.

Verify Fix Applied:

Verify that May 2023 security updates are installed via Windows Update history or by checking SharePoint version/build numbers.
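
The version check above can be scripted so that it also catches servers where an update was installed but the upgrade step never finished. This is an added example, not code from the original page or from Microsoft; the `-MinimumPatchedBuild` parameter is an assumption and must be filled in from the vendor advisory for your product version.

```powershell
# Added example, not from the original page or from Microsoft.
# Run in the SharePoint Management Shell on a server in the farm.
param(
    # Assumption: the caller supplies the first fixed build for their product
    # version, taken from the vendor advisory. No build number is hard-coded.
    [Parameter(Mandatory = $true)]
    [version]$MinimumPatchedBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmBuild = (Get-SPFarm).BuildVersion

# Servers that hold SharePoint binaries (database-only hosts report Role 'Invalid').
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

$report = foreach ($server in $servers) {
    [pscustomobject]@{
        Server       = $server.Name
        Role         = $server.Role
        # True means an update was installed but the post-install upgrade
        # (configuration wizard / psconfig) has not completed on this server.
        NeedsUpgrade = $server.NeedsUpgrade
    }
}

$pendingUpgrade = @($report | Where-Object { $_.NeedsUpgrade })

if ($farmBuild -lt $MinimumPatchedBuild) {
    $status = 'VULNERABLE: farm build is below the supplied patched build'
} elseif ($pendingUpgrade.Count -gt 0) {
    $status = 'INCOMPLETE: build is current but some servers still need upgrade'
} else {
    $status = 'PATCHED: farm build meets the supplied patched build'
}

$report | Format-Table -AutoSize
"Farm build : $farmBuild"
"Required   : $MinimumPatchedBuild"
"Status     : $status"
```

Treat any result other than PATCHED as still exposed and keep the workarounds in place until every server reports NeedsUpgrade as False.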

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Unexpected administrative privilege assignments
  • Suspicious SharePoint API calls

Network Indicators:

  • Unusual traffic patterns to SharePoint authentication endpoints
  • Requests bypassing normal authentication flows

SIEM Query:

source="sharepoint" AND (event_id=4624 OR event_id=4625) AND (privileges_assigned="Administrator" OR target_user="*admin*")
