A critical vulnerability in Microsoft SharePoint, initially patched in June 2023, is being actively exploited by Chinese state-sponsored hacking groups in a global cyberattack campaign. Security researchers have confirmed that the patch for CVE-2023-29357, a privilege escalation flaw, can be bypassed, effectively leaving thousands of organizations vulnerable to complete system compromise.
The vulnerability allows attackers to gain administrator privileges on affected SharePoint servers by exploiting flaws in the authentication mechanism. Once elevated privileges are obtained, threat actors can deploy web shells, exfiltrate sensitive data, and move laterally through enterprise networks.
Microsoft had originally rated this as an important (not critical) vulnerability when first addressed in June's Patch Tuesday updates. However, the incomplete fix has now elevated this to a critical threat, with multiple advanced persistent threat (APT) groups weaponizing the exploit chain.
'This represents a fundamental failure in Microsoft's secure development lifecycle,' noted a senior researcher at a prominent cybersecurity firm. 'When patches can be bypassed months after release, it erodes trust in the entire security update ecosystem.'
Technical analysis reveals that the bypass technique involves manipulating certain SharePoint API calls that weren't properly secured in the initial patch. Attackers are combining this with other known vulnerabilities to create reliable exploit chains that work against supposedly patched systems.
Organizations are advised to:
- Implement the temporary mitigations provided by Microsoft
- Monitor for suspicious .aspx files in SharePoint directories
- Restrict external access to SharePoint administration interfaces
- Apply additional network segmentation for SharePoint servers
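One way to carry out the .aspx monitoring step is to compare the server's current files against a known-good baseline. The script below is an added example, not part of the original article or any Microsoft tooling. The directory layout, the file names, and the `snapshot`, `compare` and `demo` function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each .aspx file under root (relative path) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):  # extension match is case-insensitive
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = "unreadable"  # locked or denied files are still listed
            result[os.path.relpath(full, root)] = digest
    return result


def compare(baseline, current):
    """Return .aspx paths that are new, modified or removed since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed sample tree: take a baseline, then simulate two changes."""
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "LAYOUTS")  # hypothetical directory name
        os.makedirs(layouts)
        for name in ("start.aspx", "error.aspx"):
            with open(os.path.join(layouts, name), "w") as fh:
                fh.write('<%@ Page Language="C#" %>')
        baseline = snapshot(root)
        # A file that appears after the baseline, and an edit to an existing page.
        with open(os.path.join(layouts, "upload1.ASPX"), "w") as fh:
            fh.write('<%@ Page Language="C#" %> added after baseline')
        with open(os.path.join(layouts, "error.aspx"), "a") as fh:
            fh.write("<!-- changed -->")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a known-good state and stored off the server, so that an attacker with administrator privileges cannot rewrite it.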
The incident comes as Microsoft faces increasing criticism over its security practices following multiple high-profile breaches linked to nation-state actors. Security professionals are calling for more rigorous patch verification processes and transparent communication about patch effectiveness.