April 2026 Patch Tuesday: Analyzing Actively Exploited SharePoint

April 2026 Patch Tuesday: Analyzing Actively Exploited SharePoint

The April 2026 Patch Tuesday addresses critical vulnerabilities in Microsoft SharePoint Server, notably including actively exploited flaws like CVE-2023-24955, a remote code execution vulnerability, and CVE-2023-29357, an elevation of privilege vulnerability. These security updates are imperative for organizations leveraging SharePoint, as successful exploitation allows attackers to execute arbitrary code with elevated privileges, potentially leading to full system compromise, data exfiltration, and further network penetration. Both CVEs have been actively exploited in the wild and are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of applying the provided patches.

CVE-2023-24955: Remote Code Execution via SharePoint Server

CVE-2023-24955 represents a severe Remote Code Execution (RCE) vulnerability within Microsoft SharePoint Server, stemming from improper control of code generation (CWE-94). This flaw allows an authenticated attacker with Site Owner privileges to inject and execute arbitrary code on the affected SharePoint server. While requiring high privileges, the attack can be executed remotely over the network without user interaction, making it a critical threat, especially in environments where multiple users possess elevated SharePoint permissions.

Exploitation Vector and Impact

The exploitation chain for CVE-2023-24955 typically involves a malicious payload embedded within a crafted request. Attackers leverage the improper validation and sanitization of user-controlled input within SharePoint's processing logic. Upon successful exploitation, the attacker can achieve complete compromise of confidentiality, integrity, and availability of the affected system. This vulnerability has been observed in real-world attacks, often as part of a larger chain, contributing to its inclusion in the CISA KEV catalog.

A common post-exploitation technique involves the deployment of web shells, such as spinstall0.aspx, to establish persistence and exfiltrate sensitive data. These web shells are often designed to retrieve cryptographic secrets, including ValidationKeys and DecryptionKeys, known as ASP.NET MachineKey data. Once stolen, these keys enable attackers to forge valid authentication tokens and sign malicious __VIEWSTATE payloads, granting persistent access even after the initial vulnerability is patched. This sophisticated approach allows attackers to bypass traditional security mechanisms and maintain a foothold within the compromised environment.

# Example of a simplified (pseudo) HTTP POST request to exploit a deserialization vulnerability
# Note: Real exploitation involves complex serialized payloads and specific endpoints.
# This is illustrative and not a working exploit.

POST /_layouts/15/ToolPane.aspx HTTP/1.1
Host: vulnerable-sharepoint.contoso.com
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Referer: https://vulnerable-sharepoint.contoso.com/_layouts/SignOut.aspx
Content-Length: [Calculated_Length]

__VIEWSTATEGENERATOR=D3E9E0B0&__VIEWSTATE=[MALICIOUS_SERIALIZED_PAYLOAD_BASE64_ENCODED]

The Referer: /_layouts/SignOut.aspx header is often used in observed attacks to circumvent authentication mechanisms. The __VIEWSTATE payload, when crafted with stolen MachineKeys, is then deserialized by SharePoint, triggering arbitrary command execution.

Mitigation and Detection for CVE-2023-24955

Immediate application of the April 2026 security updates is paramount. Organizations should also ensure that Antimalware Scan Interface (AMSI) integration is enabled in SharePoint and that Microsoft Defender Antivirus (or equivalent) is deployed and configured in Full Mode on all SharePoint servers. Rotating SharePoint server ASP.NET machine keys is a critical post-exploitation mitigation step to invalidate stolen keys and evict attackers. Regularly auditing site owner privileges and minimizing their distribution can reduce the attack surface. Detecting exploitation attempts requires vigilant monitoring of SharePoint ULS logs, IIS logs, and network traffic for unusual POST requests to endpoints like /_layouts/15/ToolPane.aspx, especially those with suspicious Referer headers or abnormally large __VIEWSTATE payloads.

CVE-2023-29357: Elevation of Privilege in SharePoint Server

CVE-2023-29357 is a critical elevation of privilege vulnerability affecting Microsoft SharePoint Server. This flaw, with a CVSS score of 9.8, allows an unauthenticated attacker to bypass authentication checks and gain administrative privileges by leveraging spoofed JSON Web Tokens (JWT). The vulnerability stems from improper authentication handling (CWE-303: Incorrect Implementation of Authentication Algorithm), allowing attackers to impersonate legitimate users without any prior authentication or user interaction.

Exploitation Mechanism and Impact

Attackers can exploit CVE-2023-29357 remotely by sending maliciously crafted JWT authentication tokens to a vulnerable SharePoint Server instance. The server fails to properly validate these tokens, granting the attacker the privileges of an authenticated user, potentially leading to full administrative access. This vulnerability is particularly dangerous because it does not require special conditions like race conditions or specific configurations, making it highly exploitable across affected deployments. Successful exploitation can lead to unauthorized access to sensitive documents, modification or deletion of content, deployment of malicious code, and lateral movement within the organization's network.

This vulnerability is frequently chained with RCE flaws like CVE-2023-24955 to achieve pre-authentication remote code execution, allowing an unauthenticated attacker to completely compromise the system. More details on authentication bypass vulnerabilities can be found in our broken authentication guide, which explores common weaknesses and remediation strategies.

Mitigation and Detection for CVE-2023-29357

Applying the latest security updates, specifically those released in April 2026 that address CVE-2023-29357, is the primary mitigation. Organizations should also review authentication logs for any suspicious JWT token usage or unauthorized access attempts. Monitoring for access to sensitive API endpoints, such as /_api/web/siteusers or /_api/web/currentuser with HTTP status code 200, from unusual source IPs or user agents can indicate exploitation attempts.

# Example of Splunk query for detecting potential CVE-2023-29357 exploitation attempts
# This query monitors for specific API calls indicative of privilege escalation attempts.

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
  WHERE Web.url IN ("/_api/web/siteusers*", "/_api/web/currentuser*") Web.status=200 Web.http_method=GET
  BY Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

This type of query helps identify successful access to user enumeration endpoints, which is a common post-exploitation step for privilege escalation.

Shared Exploitation Characteristics and Post-Exploitation Tactics

The active exploitation of these SharePoint vulnerabilities highlights several common attacker tactics, techniques, and procedures (TTPs). Initial access, often unauthenticated, is quickly leveraged to establish persistence and move laterally within the network. Threat actors frequently deploy web shells (e.g., spinstall0.aspx) and steal ASP.NET MachineKeys to maintain access, even after initial patches are applied.

Post-exploitation activities observed include extensive discovery commands (e.g., whoami, enumerating user context), abuse of cmd.exe and batch scripts, disabling security solutions (e.g., Microsoft Defender via registry modifications), and establishing persistence through scheduled tasks or manipulation of Internet Information Services (IIS) components. Some sophisticated attacks involve deploying malicious IIS modules for deep, persistent access that can survive patches and reboots.

Credential theft, often targeting cryptographic keys or user credentials via tools like Mimikatz, is a prevalent step, followed by lateral movement using protocols like NTLM, SMB, RDP, and PsExec. Attackers may also leverage compromised service accounts to escalate privileges and pivot into hybrid environments. The ultimate objectives often range from espionage and data exfiltration to ransomware deployment, as observed with groups like Storm-2603 deploying Warlock ransomware.

Patching and Remediation Strategy

Timely application of security updates is the most critical step in mitigating these actively exploited SharePoint vulnerabilities. Organizations must prioritize the installation of the April 2026 Patch Tuesday updates across all affected SharePoint Server instances.

A structured remediation strategy should include:

1. Identification: Accurately identify all on-premises SharePoint Server deployments, including their versions and patch levels.
2. Backup: Perform full backups of SharePoint farms and SQL databases before applying any patches.
3. Testing: Apply patches in a test environment mirroring production to identify any compatibility or functional issues.
4. Deployment: Deploy patches to production environments following established change management procedures. Restarting IIS services after applying updates is often required.
5. Post-Patching Verification: Verify successful patch installation by checking SharePoint version numbers and monitoring system health.
6. Machine Key Rotation: Rotate ASP.NET machine keys across the SharePoint farm to invalidate any keys potentially stolen during an exploitation attempt. This is crucial for evicting attackers who rely on forged authentication tokens.
7. Antimalware and AMSI: Ensure AMSI integration is enabled and configured in Full Mode, and that endpoint detection and response (EDR) solutions are deployed on all SharePoint servers.

Proactive Defense and Attack Surface Management

Beyond immediate patching, a proactive security posture is essential for defending SharePoint deployments. This involves continuous attack surface management and robust vulnerability scanning. Tools like Secably provide external attack surface management (EASM) capabilities, allowing organizations to discover and monitor internet-facing SharePoint instances, identify misconfigurations, and track their exposure to known vulnerabilities. The Secably EASM API can be integrated into existing security workflows for automated asset discovery and vulnerability intelligence.

Internet-wide scanning platforms, such as Zondex, can help identify publicly exposed SharePoint services and potential entry points that might be targeted by threat actors. Regular vulnerability assessments, both authenticated and unauthenticated, are crucial for identifying weaknesses before attackers do. Organizations can also start a free EASM scan to gain immediate visibility into their exposed SharePoint assets.

Hardening SharePoint deployments involves several key practices:

• Least Privilege: Implement strict role-based access control (RBAC), granting users and service accounts only the minimum necessary permissions. Regularly audit permissions to prevent permission creep.
• Network Segmentation: Isolate SharePoint servers within network segments and restrict unnecessary inbound and outbound connections, particularly to SQL Server ports (TCP 1433, UDP 1444) from non-SharePoint servers.
• Authentication: Enforce multi-factor authentication (MFA) for all privileged SharePoint accounts and external users. Configure secure authentication methods and consider conditional access policies.
• External Sharing Management: Carefully manage external sharing settings at the tenant and site levels, disabling anonymous links or setting strict expiration policies where possible.
• Configuration Hardening: Review and tighten tenant-level sharing settings, restrict external sharing by domain, and control access from unmanaged devices.
• Encryption: Ensure data is encrypted both at rest and in transit using SSL/TLS.

Detection and Incident Response

Effective detection and incident response capabilities are critical for minimizing the impact of SharePoint compromises. This requires comprehensive logging, proactive monitoring, and well-defined response procedures.

Key areas for detection and monitoring include:

• Diagnostic Logging: Configure SharePoint diagnostic logging to capture detailed information about the farm environment, including ULS logs, event logs, and usage and health data. Adjust logging levels to verbose during investigations.
• IIS Logs: Analyze IIS logs for suspicious HTTP requests, particularly to sensitive endpoints, unusual user agents, and large or malformed POST requests.
• Security Event Logs: Monitor Windows Security Event Logs for anomalous account activity, service modifications, and process creation events.
• SIEM Integration: Integrate SharePoint logs with a Security Information and Event Management (SIEM) system for centralized logging, correlation, and alerting.
• Threat Hunting: Conduct proactive threat hunting for indicators of compromise (IOCs) related to known SharePoint exploits, such as specific file creations (e.g., web shells like spinstall0.aspx), unusual PowerShell execution, or registry modifications.
• Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for malicious activities on SharePoint servers, including process injection, unauthorized file access, and suspicious network connections.

Organizations should establish a clear incident response plan specifically for SharePoint compromises, including steps for containment (e.g., isolating compromised servers), eradication (e.g., removing malicious artifacts and patching), recovery (e.g., restoring from clean backups), and post-incident analysis. Regularly reviewing audit logs for critical actions like permission changes or large data downloads can help detect unauthorized access or unusual behavior.