DETECTION OVERVIEW
Risk Factors
This vulnerability is easy to exploit. An unauthenticated attacker can bypass authentication, escalate privileges, and gain control of a device, from which they can launch further attacks on the network.
Kill Chain
Risk Score
88
Administrators can enable Open Authorization version 2.0 (OAuth 2.0) on Microsoft SharePoint Server to authorize access to restricted pages. OAuth is a token-based workflow that enables third-party services to access restricted pages by exchanging tokens. When OAuth 2.0 is enabled, SharePoint has a token validation vulnerability that allows an attacker to bypass authentication and perform actions on the server. To exploit this vulnerability, the attacker sends the SharePoint server a malicious HTTP request with a forged JSON Web Token (JWT) to impersonate a system administrator. JWT is an open industry standard for sharing information between clients and servers. The vulnerable SharePoint server accepts the forged JWT as valid, and the attacker can then install malware, run commands, or collect information.
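The following is an added example, not part of the original detection or of any vendor's code: a defender-side check that inspects the bearer token on each logged request and flags JWTs that carry no usable signature. It assumes one class of forged token (unsigned or malformed JWTs), which the overview above does not specify; the function names and sample requests are constructed for illustration.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_bearer(authorization):
    """Return reasons a bearer token looks unsigned or malformed ([] = not flagged)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return []  # no bearer token on this request
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["not a three-segment JWT"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["JWT header is not a JSON object"]
    reasons = []
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() in ("", "none"):
        reasons.append("no signing algorithm declared (alg=%r)" % (alg,))
    if not parts[2]:
        reasons.append("empty signature segment")
    return reasons

def _make_token(header, payload, signature):
    # Helper that builds constructed sample tokens for the demo below.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc(header), enc(payload), signature)

# Constructed sample data: (client address, Authorization header value).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Bearer " + _make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "svc-app"}, "c2lnbmF0dXJl")),
    ("203.0.113.9", "Bearer " + _make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin"}, "")),
    ("203.0.113.9", "Bearer not.a-jwt"),
]

def scan(requests):
    """Return (client, reasons) for every request whose token was flagged."""
    return [(src, r) for src, auth in requests if (r := inspect_bearer(auth))]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(src, "; ".join(reasons))
```

A token that passes this check is not thereby trustworthy: the check does not verify signatures, so it complements server-side validation and patching rather than replacing them.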