CVE-2023-29357

CRITICAL KEV RANSOMWARE NUCLEI

Sharepoint Dynamic Proxy Generator Unauth RCE

Title source: metasploit

Exploitation Summary

CVE-2023-29357 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2024, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including Chocapikk, LuemmelSec, and Guillaume-Risch. A Nuclei detection template is also available.

Description

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Exploits (8)

nomisec WORKING POC 235 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2023-29357

This repository contains a functional Python exploit for CVE-2023-29357, a privilege escalation vulnerability in Microsoft SharePoint Server. The exploit impersonates authenticated users by crafting a JWT token with spoofed claims, allowing elevation to admin privileges.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server
Auth required
Prerequisites: Valid SharePoint URL · Authenticated user session · Python 3.8+ with required dependencies
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 53 stars
by LuemmelSec · remote
https://github.com/LuemmelSec/CVE-2023-29357

This repository contains a functional C# exploit for CVE-2023-29357, which targets a SharePoint authentication bypass vulnerability. The exploit fetches the Realm, forges a JWT to authenticate as app@sharepoint, and impersonates users with SiteAdmin privileges.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint
No auth needed
Prerequisites: Access to the SharePoint instance · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 4 stars
by Guillaume-Risch · poc
https://github.com/Guillaume-Risch/cve-2023-29357-Sharepoint

The repository provides minimal details about CVE-2023-29357, focusing on environment setup and pointing to an external GitHub repository for the actual exploit. It lacks technical depth or exploit code, instead offering vague instructions and download links.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: SharePoint (Windows Server 2016 with SharePoint 2019)
Auth required
Prerequisites: SharePoint environment · Vagrant setup
devstral-2 · analyzed Feb 19, 2026

nomisec SUSPICIOUS 2 stars
by KeyStrOke95 · poc
https://github.com/KeyStrOke95/CVE-2023-29357-ExE

The repository lacks actual exploit code and only provides a vague usage example with a screenshot link. No technical details or code are included, making it a potential lure.

Classification: Suspicious (90%)
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft SharePoint
No auth needed
devstral-2 · analyzed Feb 19, 2026

nomisec SCANNER 1 star
by Jev1337 · remote
https://github.com/Jev1337/CVE-2023-29357-Check

The repository contains a Python script that checks if a Microsoft SharePoint Server is vulnerable to CVE-2023-29357 by attempting to exploit an authentication bypass via a crafted JWT token. It does not execute arbitrary code but confirms vulnerability status.

Classification: Scanner (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server
No auth needed
Prerequisites: Network access to the SharePoint Server · Valid URL of the target SharePoint instance
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by DonVorrin · remote
https://github.com/DonVorrin/CVE-2023-29357

This exploit demonstrates CVE-2023-29357, a SharePoint spoofing vulnerability, by crafting JWT tokens with 'alg: none' to impersonate admin users. It authenticates and spoofs admin identities via SharePoint's API endpoints.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint
No auth needed
Prerequisites: SharePoint instance URL · network access to target
devstral-2 · analyzed Apr 14, 2026

nomisec WRITEUP
by DeividasTerechovas · poc
https://github.com/DeividasTerechovas/SOC227-Microsoft-SharePoint-Server-Elevation-of-Privilege-Possible-CVE-2023-29357-Exploitation

This repository provides a detailed SOC case analysis of CVE-2023-29357, a privilege escalation vulnerability in Microsoft SharePoint Server. It includes log analysis, process investigation, and response procedures but lacks functional exploit code.

Classification: Writeup (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft SharePoint Server
Auth required
Prerequisites: Access to SharePoint Server · Valid credentials or initial access
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Microsoft SharePoint - Authentication Bypass
CRITICAL · VERIFIED · by pdteam
Shodan: http.headers_hash:-1968878704 || cpe:"cpe:2.3:a:microsoft:sharepoint_server"
FOFA: app="Microsoft-SharePoint" || app="microsoft-sharepoint"

Scores

CVSS v3 9.8
EPSS 0.9436
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-01-10
VulnCheck KEV 2023-11-16
InTheWild.io 2024-01-10
ENISA EUVD EUVD-2023-32930
Ransomware Use Confirmed
CWE CWE-303
Status published
Products (1)
microsoft/sharepoint_server 2019
Published Jun 14, 2023
KEV Added Jan 10, 2024
Tracked Since Feb 18, 2026