CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for...

CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for Microsoft SharePoint Server Vulnerabilities

On September 25, STAR Labs researcher Nguyễn Tiến Giang (Jang) published a blog post outlining the successful chaining of CVE-2023-29357 and CVE-2023-24955 to achieve remote code execution (RCE) against Microsoft SharePoint Server. The exploit chain was demonstrated at the Zero Day Initiative’s (ZDI) Pwn2Own contest held in Vancouver in March. A day later on September 26, a proof-of-concept (PoC) for the exploit chain was released on GitHub.

While the authors of the PoC point out that RCE is not achievable with the current version of the PoC in order to “maintain an ethical stance,” malicious actors often take advantage of public PoC code and incorporate them into attack tools. We strongly recommend patching these vulnerabilities as soon as possible.

For more information on these vulnerabilities and the Tenable product coverage available to identify affected assets, please visit our blog.

Cyber Exposure Alerts

Vulnerability Watch

Forum Discussion

CVE-2023-29357, CVE-2023-24955: Exploit Chain Released for...

Recent Discussions

FAQ on Exploited Zero-Day Flaws in Cisco ASA and FTD Devices (CVE-2025-20333, CVE-2025-20362)

Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks

CVE-2025-7775: Citrix NetScaler ADC and Gateway Zero-Day RCE Vulnerability Exploited in the Wild

CVE-2025-25256: Proof of Concept Released for Fortinet FortiSIEM Command Injection Vulnerability

Americas

Europe

Asia / Australia