Critical Zero-Day Vulnerability Detected in Microsoft SharePoint
Microsoft has confirmed that a critical vulnerability in on-premises SharePoint Server is being exploited in the wild and has released emergency out-of-band updates for it. An attacker who can reach the server over HTTP needs no credentials: the exploit chain bypasses authentication, gives the attacker privileged access to the farm, and lets them impersonate privileged users and read or modify any content SharePoint holds.
A note on identifiers, because two SharePoint CVEs are often cited together here. The vulnerability that the emergency updates, key-rotation steps and indicators below address is CVE-2025-53770, the July 2025 "ToolShell" exploitation chain against on-premises SharePoint. CVE-2023-29357 is an earlier SharePoint Server spoofing flaw, fixed in the June 2023 security updates, that is frequently mentioned alongside it; it is summarized in the next section for completeness, but the remediation steps in this post are for the 2025 issue.
This issue affects SharePoint Server 2016, SharePoint Server 2019 and SharePoint Subscription Edition deployed on premises (SharePoint Online in Microsoft 365 is not affected), making it a significant risk for enterprises relying on SharePoint for collaboration, document management and workflow automation.
What Is CVE-2023-29357?
- Type: Spoofing vulnerability leading to privilege escalation
- Severity: Critical (CVSS Score: 9.8)
- Exploit Status: Active exploitation observed; listed in CISA's Known Exploited Vulnerabilities catalog
- Impact: Administrator-level access without credentials
- Cause: Improper validation of JSON Web Tokens (JWTs) used for authentication, so a forged token is accepted as genuine
By contrast, CVE-2025-53770, the flaw behind the July 2025 exploitation and the updates listed below, is a deserialization-of-untrusted-data bug (also CVSS 9.8) that gives an unauthenticated attacker remote code execution on the SharePoint server. Attackers have used it to drop a web shell and read the ASP.NET machine keys from the host, which is why rotating those keys (step 2) is part of remediation and not an optional hardening step.
Who Is at Risk?
Organizations running unpatched on-premises SharePoint Server (2016, 2019 or Subscription Edition), including hybrid deployments, are exposed. Because exploitation requires no credentials, any server reachable from the internet is at immediate risk. An attacker who gains a foothold can bypass authentication, read farm data, persist by forging requests with stolen machine keys, and move laterally within the organization's network.
What Are the Recommendations?
Barracuda, a cybersecurity solution provider, recommends the following immediate actions, which track Microsoft's own guidance for this issue:
1. Apply Emergency Microsoft Updates
- For SharePoint Server 2019: KB5002754 (Core) and KB5002753 (Language Pack)
- For SharePoint Enterprise Server 2016: KB5002760 (Core) and KB5002759 (Language Pack)
- For SharePoint Subscription Edition: KB5002768
Install the core update and the matching language pack update on every server in the farm, then run the SharePoint Products Configuration Wizard (psconfig) to complete the upgrade. A farm where one server was skipped, or where the configuration step was never run, is still unpatched.
2. Rotate SharePoint Machine Keys After Applying Patches
Rotation is required, not optional: the web shell used in these attacks reads the ASP.NET ValidationKey and DecryptionKey from the server, and with those an attacker can keep forging signed __VIEWSTATE payloads after the patch is installed. Rotate the keys on every web application, then restart IIS so the new keys are loaded.
- Using PowerShell (SharePoint Management Shell, as a farm administrator):
  Generate keys: Set-SPMachineKey -WebApplication <SPWebApplicationPipeBind>
  Deploy keys: Update-SPMachineKey -WebApplication <SPWebApplicationPipeBind>
- Using Central Administration: go to Central Administration > Monitoring > Review job definitions, locate Machine Key Rotation Job and select Run Now.
- After either method completes, run iisreset.exe on all SharePoint servers in the farm.
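The rotation scripted across every web application in the farm, with a before-and-after fingerprint of the deployed keys so the operator can confirm that something actually changed, as an added example that is not code from the original post or from Microsoft (only the two cmdlet names above are taken from the guidance). It assumes it is run in the SharePoint Management Shell as a farm administrator on one server of an already patched farm, and that PowerShell remoting (WinRM) is enabled to the other SharePoint servers.

```powershell
# Added example, not from the original post: rotate the ASP.NET machine keys on every
# web application in the farm, reload IIS on every SharePoint server, and verify that
# the validationKey deployed to web.config on this server has changed.
# Assumptions: SharePoint Management Shell, farm administrator, patch already installed,
# WinRM remoting enabled to the other farm servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprints {
    # Returns web.config path -> first 12 hex chars of SHA-256(validationKey) for every
    # zone of every web application on this server. The key itself is never printed.
    param($WebApplications)
    $out = @{}
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($webApp in $WebApplications) {
        foreach ($iis in $webApp.IisSettings.Values) {
            $config = Join-Path $iis.Path.FullName 'web.config'
            if (-not (Test-Path $config)) { continue }
            $mk = ([xml](Get-Content $config)).configuration.'system.web'.machineKey
            if (-not $mk -or -not $mk.validationKey) { continue }
            $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($mk.validationKey))
            $out[$config] = ([BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 12)
        }
    }
    return $out
}

$webApps = Get-SPWebApplication -IncludeCentralAdministration
$before  = Get-MachineKeyFingerprints -WebApplications $webApps

# Rotate on every web application, Central Administration included. -ErrorAction Stop
# aborts on the first failure so the farm never ends up half on old keys.
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.DisplayName) ($($webApp.Url))"
    Set-SPMachineKey    -WebApplication $webApp -ErrorAction Stop   # generate new keys in the config DB
    Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop   # deploy them to web.config farm-wide
}

# The new keys are used only after IIS reloads its configuration. Restart it on every
# SharePoint server; servers with role Invalid (for example the SQL host) are skipped.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce } -ErrorAction Stop
}

# Verification on this server. If a config reports "unchanged", the deployment may still
# be in flight; re-run the fingerprint check before concluding that rotation failed.
$after = Get-MachineKeyFingerprints -WebApplications $webApps
foreach ($config in $after.Keys) {
    if ($before[$config] -and $before[$config] -eq $after[$config]) {
        Write-Warning "$config : validationKey unchanged (fingerprint $($after[$config]))"
    } else {
        Write-Host "$config : validationKey rotated (fingerprint $($after[$config]))"
    }
}
```

Run the fingerprint function on the other farm servers as well (or compare their web.config by hand) before declaring the rotation complete; the script only inspects the local web.config files. If the fingerprint is identical before and after on every server, the deployment timer job did not run, and the farm is still trusting keys the attacker may hold.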
-
3. Check for Signs of Exploitation
Patching does not evict an attacker who is already present, so hunt for these indicators on every SharePoint server before trusting the farm again:
- Creation of the web shell C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx (the Defender query below also matches other file names containing spinstall0)
- IIS logs showing POST requests to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with the HTTP Referer header set to _layouts/SignOut.aspx (a legitimate user never reaches the ToolPane page from the sign-out page, so this combination is a reliable signal)
- Results from the following Microsoft 365 Defender advanced hunting query, which looks for the dropped file under the LAYOUTS directory by its 8.3 short path:
```kusto
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```
If any indicator is present, treat the server as compromised: preserve the file and the logs for investigation, rotate the machine keys (step 2) again after eradication, reset the credentials of service and administrative accounts used on the host, and look for lateral movement rather than only deleting the web shell.
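The same two indicators checked on a single SharePoint server that has no Defender coverage, as an added example that is not part of the original post or of Microsoft's guidance. It assumes it runs locally as an administrator, that IIS logs use the W3C format under C:\inetpub\logs\LogFiles (the path is a variable, so adjust it), and it writes a constructed two-line sample log to a temp folder so the parser can be exercised offline before it is pointed at real logs.

```powershell
# Added example, not from the original post: hunt one SharePoint server for the two
# indicators above, the dropped spinstall0 web shell and the ToolPane.aspx POSTs.
# Assumptions: run locally as an administrator; IIS logs are W3C format and carry a
# "#Fields:" header (parsed below, so the column order does not have to be the default).
$LayoutsDir = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$IisLogRoot = 'C:\inetpub\logs\LogFiles'   # assumed default location; adjust if logs live elsewhere

function Find-SpInstallWebShell {
    # Any spinstall0* file under LAYOUTS is the web shell; return path, creation time and hash.
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter 'spinstall0*' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-ToolPaneExploitAttempts {
    # Parse W3C IIS logs and return POST /_layouts/15/ToolPane.aspx requests carrying the
    # DisplayMode=Edit&a=/ToolPane.aspx query and a Referer of _layouts/SignOut.aspx.
    param([string]$LogPath)
    foreach ($log in Get-ChildItem -Path $LogPath -Filter '*.log' -File -Recurse) {
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $cols = $line -split ' '
            if ($cols.Count -lt $fields.Count) { continue }
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
            # The query may be logged raw or URL-encoded, so accept both "/" and "%2F".
            if ($row['cs-method'] -eq 'POST' -and
                $row['cs-uri-stem'] -match '/_layouts/15/ToolPane\.aspx$' -and
                $row['cs-uri-query'] -match 'DisplayMode=Edit' -and
                $row['cs-uri-query'] -match 'a=(/|%2F)ToolPane\.aspx' -and
                $row['cs(Referer)'] -match '_layouts/SignOut\.aspx') {
                [pscustomobject]@{
                    Log       = $log.Name
                    Time      = "$($row['date']) $($row['time'])"
                    ClientIp  = $row['c-ip']
                    Status    = $row['sc-status']   # 200 means the request was served, not blocked
                    UserAgent = $row['cs(User-Agent)']
                }
            }
        }
    }
}

# Constructed sample log (not real traffic) to exercise the parser offline: one ordinary
# authenticated GET and one request matching the indicator.
$SampleDir = Join-Path $env:TEMP 'sp-ioc-sample'
New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null
@'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:03:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
'@ | Set-Content -Path (Join-Path $SampleDir 'u_ex250719.log') -Encoding ASCII

Write-Host '--- parser check against the constructed sample ---'
Find-ToolPaneExploitAttempts -LogPath $SampleDir | Format-Table -AutoSize

Write-Host '--- hunt on this server ---'
$shells = Find-SpInstallWebShell -Path $LayoutsDir
$posts  = Find-ToolPaneExploitAttempts -LogPath $IisLogRoot
$shells | Format-Table -AutoSize
$posts  | Format-Table -AutoSize
if ($shells -or $posts) { Write-Warning 'Indicators found: treat this server as compromised.' }
else { Write-Host 'No indicators found in LAYOUTS or IIS logs.' }
```

The parser check should list only the constructed POST line, which confirms that the field mapping and the Referer match work before the function is run over the real log directory. A Status of 200 on a real hit means SharePoint served the request, so the subsequent file-creation check and the Defender query above become the priority; a 4xx or 5xx still records an attempt from that client IP and belongs in the incident timeline.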
4. Reduce External Exposure and Monitor Activity
- Restrict internet exposure of SharePoint servers with firewalls, VPN access or zero-trust access controls; a server that cannot be patched immediately should be taken off the internet until it can be.
- Enable AMSI integration in SharePoint and run Microsoft Defender Antivirus (or an equivalent) on all SharePoint servers, as Microsoft recommends alongside the update, so that the web shell drop and the malicious request are blocked rather than only logged.
- Enable detailed SharePoint and IIS logging, and retain the logs long enough to cover the exploitation window.
- Monitor for unusual file uploads or web shell activity, and for unexpected configuration changes or connections from suspicious IPs.
5. Isolate Critical Infrastructure
- Separate SharePoint servers from critical internal systems (network segmentation, no shared service accounts) to limit what a compromised server can reach.
- Reinforce patch management processes and employee awareness of vulnerabilities.
How ITCS and Barracuda Can Help
As a certified Barracuda partner, ITCS helps organizations respond quickly and effectively to zero-day threats through:
- Advanced threat protection and monitoring
- Automated patch management and vulnerability scanning
- Secure SharePoint backup and cloud continuity solutions
- Strategic threat response planning and training
Our team is ready to assess your SharePoint environment and implement Barracuda-powered mitigation strategies tailored to your organization’s needs.
Take Action Now
This zero-day vulnerability presents a serious risk. ITCS is here to help you:
- Assess your exposure
- Apply the right patches
- Secure your SharePoint environment against future threats
Contact us today for a free consultation or emergency assessment.
Visit: www.itcs.com.pk
Email: info@itcs.com.pk