Microsoft's SharePoint on-premises ecosystem is facing an unprecedented security crisis that demands immediate attention from IT administrators worldwide. A cluster of critical remote code execution (RCE) and authentication-bypass vulnerabilities has created a perfect storm for organizations still running on-premises SharePoint deployments, with threat actors actively exploiting these flaws to gain complete control over enterprise systems.

The Critical Vulnerabilities Behind the Crisis

Recent security research has uncovered multiple severe vulnerabilities affecting SharePoint Server 2013, 2016, 2019, and Subscription Edition. The most critical among these include CVE-2023-29357, an elevation of privilege vulnerability with a CVSS score of 9.8, and CVE-2023-24955, a critical RCE flaw scoring 8.8. These vulnerabilities, when chained together, allow attackers to bypass authentication mechanisms and execute arbitrary code on vulnerable SharePoint servers.

What makes this situation particularly dangerous is the authentication bypass component, which enables unauthenticated attackers to gain administrative privileges without requiring valid credentials. Once elevated, attackers can leverage the RCE vulnerabilities to deploy web shells, establish persistent access, and move laterally through enterprise networks.

Active Exploitation in the Wild

Security researchers have observed multiple threat actor groups actively exploiting these vulnerabilities in real-world attacks. According to Microsoft's Threat Intelligence Center, these exploits are being used by both cybercriminal groups and state-sponsored actors targeting various sectors including government, healthcare, and financial services.

The attack patterns typically follow a predictable sequence:

  • Initial reconnaissance to identify vulnerable SharePoint instances
  • Exploitation of authentication bypass to gain administrative access
  • Deployment of web shells for persistent remote access
  • Lateral movement through the network to access sensitive data
  • Data exfiltration or deployment of additional malware

The Machine Key Rotation Imperative

One of the most critical aspects of this security crisis involves the machine key vulnerability. SharePoint uses machine keys for various cryptographic operations, including view state validation and forms authentication. When these keys are compromised or predictable, attackers can forge authentication tokens and bypass security controls.

Microsoft has emphasized that simply applying security patches is insufficient. Organizations must also rotate their machine keys to prevent attackers from using previously captured keys to maintain access to compromised systems. The rotation process involves:

  • Generating new cryptographic keys for the SharePoint farm
  • Updating web.config files across all servers
  • Ensuring consistency across the entire farm topology
  • Testing applications to verify proper functionality post-rotation

Failure to rotate machine keys leaves organizations vulnerable even after applying security patches, as attackers may have already captured valid keys during previous exploitation attempts.

Web Shell Detection and Removal

Security teams must immediately begin hunting for web shells on their SharePoint servers. These malicious scripts provide attackers with persistent remote access and are often disguised as legitimate SharePoint files. Common indicators of compromise include:

  • Unusual files in the _layouts, _catalogs, or TEMP directories
  • Files with unusual extensions (.ashx, .asmx) in unexpected locations
  • Recent file modifications matching known web shell patterns
  • Unusual network traffic from SharePoint servers
  • Unexpected processes running under SharePoint application pools

Advanced detection techniques should include:

  • File integrity monitoring for critical SharePoint directories
  • Behavioral analysis of IIS worker processes
  • Network traffic analysis for unusual outbound connections
  • Memory forensics to identify injected code

Comprehensive Patching Strategy

Organizations must implement a comprehensive patching strategy that addresses all aspects of this security crisis. The recommended approach includes:

Immediate Actions

  • Apply all available security updates for SharePoint Server
  • Rotate machine keys across the entire farm
  • Conduct thorough web shell hunting exercises
  • Review and harden server configurations
  • Implement network segmentation where possible

Medium-Term Security Enhancements

  • Deploy additional monitoring and detection capabilities
  • Conduct penetration testing to identify residual risks
  • Implement application whitelisting for SharePoint directories
  • Enhance logging and alerting for suspicious activities

Long-Term Security Posture

  • Evaluate migration to SharePoint Online where feasible
  • Implement regular security assessment schedules
  • Develop incident response playbooks for future incidents
  • Establish continuous monitoring for emerging threats

Impact on Different SharePoint Versions

The severity and exploitability of these vulnerabilities vary across different SharePoint versions:

SharePoint Server 2013: Most vulnerable due to being out of mainstream support, requiring additional security controls and potential migration planning.

SharePoint Server 2016: Critical updates available but organizations must ensure proper deployment across all servers in the farm.

SharePoint Server 2019: Latest on-premises version with comprehensive security updates, though still requires immediate attention.

SharePoint Subscription Edition: Receiving regular security updates but still vulnerable to the same attack vectors without proper patching.

Real-World Attack Scenarios

Security researchers have documented several real-world attack scenarios exploiting these vulnerabilities:

Scenario 1: Data Theft Campaign
Attackers used the authentication bypass to access confidential documents, then deployed web shells to maintain access and exfiltrate sensitive intellectual property over several weeks.

Scenario 2: Ransomware Deployment
Cybercriminal groups exploited the RCE vulnerabilities to deploy ransomware across enterprise networks, encrypting critical business data and demanding substantial payments.

Scenario 3: Espionage Operations
State-sponsored actors used these vulnerabilities to establish long-term access to government networks, collecting intelligence and monitoring communications.

Best Practices for SharePoint Security

Beyond immediate remediation, organizations should implement these security best practices:

Network Security

  • Implement strict firewall rules limiting unnecessary inbound traffic
  • Use network segmentation to isolate SharePoint servers
  • Deploy intrusion detection systems monitoring SharePoint traffic
  • Implement SSL/TLS inspection where appropriate

Server Hardening

  • Follow Microsoft's security baseline for SharePoint
  • Disable unnecessary services and features
  • Implement strict access controls using principle of least privilege
  • Regularly update underlying Windows Server components

Monitoring and Detection

  • Enable comprehensive auditing across all SharePoint servers
  • Implement security information and event management (SIEM) solutions
  • Deploy endpoint detection and response (EDR) capabilities
  • Establish regular security assessment schedules

The Future of SharePoint Security

This security crisis highlights the ongoing challenges of maintaining secure on-premises SharePoint deployments. Microsoft continues to invest in security improvements, but organizations must recognize that:

  • On-premises SharePoint requires significant security expertise and resources
  • Regular security assessments are essential for identifying vulnerabilities
  • Migration to cloud-based solutions may provide better security outcomes
  • The threat landscape continues to evolve, requiring continuous vigilance

Immediate Action Plan

For organizations currently running on-premises SharePoint, the following immediate actions are critical:

  1. Inventory Assessment: Identify all SharePoint servers in your environment
  2. Patch Deployment: Apply all relevant security updates immediately
  3. Key Rotation: Rotate machine keys across all servers in the farm
  4. Compromise Assessment: Conduct thorough investigations for signs of compromise
  5. Monitoring Enhancement: Implement additional security monitoring
  6. Incident Response: Prepare response plans for potential security incidents

Conclusion: A Call to Action

The SharePoint on-premises RCE crisis represents one of the most significant security challenges facing organizations in recent years. The combination of authentication bypass and remote code execution vulnerabilities creates a severe threat that demands immediate and comprehensive response.

Organizations that fail to address these vulnerabilities risk complete compromise of their SharePoint environments, potential data breaches, and significant business disruption. The time for action is now—patching, key rotation, and web shell hunting must be treated as urgent priorities for every organization running on-premises SharePoint.

The security community continues to monitor this situation closely, and additional guidance may emerge as new information becomes available. However, the current recommendations provide a clear path to securing vulnerable environments and protecting against ongoing threats.