PatchDay Alert
Analysis · 5 min read · 930 words · By operations-desk

A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter

The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint. It was demoed at Pwn2Own in March 2023, patched mid-year, had a public PoC by late 2023, and hit the KEV list in early 2024. That timeline is something you can plan around.

In March 2023, Nguyễn Tiến Giang of StarLabs walked onstage at Pwn2Own Vancouver, ran a two-bug chain against a fully patched SharePoint server, got remote code execution in about thirty seconds, and collected $100,000. The live demo was brief. The research behind it took close to a year. The interesting part for defenders is what happened next, on a schedule that turns out to be fairly predictable: Microsoft patched the bugs through mid-2023, StarLabs published the technical writeup in September, working exploit code circulated by December, and CISA was adding the components to the Known Exploited Vulnerabilities catalog in January and March 2024. Roughly a year from contest stage to in-the-wild exploitation.

You can use that timeline. Pwn2Own is not just a show; it’s an early-warning system, and the lag between a winning demo and commodity exploitation is long enough to act on if you’re watching.

The two bugs

The chain combines an authentication bypass and a code-injection bug, neither of which is full RCE alone.

CVE-2023-29357 is the auth bypass, CVSS 9.8. SharePoint’s validation of JSON Web Tokens used for OAuth could be subverted by spoofing a token signed with the none algorithm, which tells the verifier “this token isn’t signed, trust it anyway.” An unauthenticated attacker forges a JWT, the server accepts it, and the attacker is now any user they want to be, including an administrator. The none-algorithm trick is one of the oldest and most documented JWT pitfalls in existence, on every API-security checklist, and it was live in enterprise SharePoint.

CVE-2023-24955 is the code injection, CVSS 7.2, CWE-94. It lets an attacker with Site Owner privileges execute code on the server. On its own it requires that high-privilege role, which is why its score is moderate.

Stack them and the moderate-plus-critical pair becomes unauthenticated RCE: CVE-2023-29357 spoofs your way to administrator, which gets you the Site Owner rights that CVE-2023-24955 needs, which gets you code execution. CISA added the auth bypass to KEV on January 10, 2024, and the code-injection half on March 26, 2024, both flagged for ransomware use. They were listed separately, months apart, even though they are one attack, which is worth noting: tracking KEV entry-by-entry can obscure that two items are halves of the same chain.
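The none-algorithm failure is easiest to see in code. The following is an added example, not SharePoint's validation code and not anything from StarLabs: a minimal standard-library JWT verifier written twice, once letting the token's own header choose the algorithm (the pattern behind the `none` pitfall) and once with the algorithm pinned by the server. The signing key, the claims and the `HS256`-only allow-list are constructed assumptions; `make_token` exists only so the two verifiers can be exercised on the same inputs.

```python
# Added example (not from the article): a minimal JWT verifier written two ways.
# verify_trusting_header() reproduces the mistake behind the alg=none pitfall:
# it lets the token's own header choose the algorithm. verify_pinned() is the
# hardened form: algorithm allow-list fixed by the server, signature always
# checked. Pure standard library; key, claims and allow-list are constructed.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-hmac-key"   # stand-in for the real shared secret
ALLOWED_ALGS = {"HS256"}                     # assumption: what this server issues


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(claims: dict, alg: str, key: bytes = SERVER_KEY) -> str:
    """Build a compact JWT. alg='none' yields the unsigned form; it is here only
    so the vulnerable and hardened verifiers can be compared on the same input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."
    return f"{header}.{payload}.{_b64url_encode(_hs256(signing_input, key))}"


def _split(token: str):
    """Decode the three segments; an unsigned token has an empty third segment."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload, f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)


def verify_trusting_header(token: str, key: bytes = SERVER_KEY):
    """VULNERABLE: dispatches on header['alg'], so 'none' skips the check."""
    header, payload, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return payload                      # accepts any unsigned claims
    if alg == "HS256" and hmac.compare_digest(sig, _hs256(signing_input, key)):
        return payload
    return None


def verify_pinned(token: str, key: bytes = SERVER_KEY):
    """HARDENED: the server decides the algorithm; a valid signature is mandatory."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") not in ALLOWED_ALGS:
        return None                         # rejects 'none' and any other unexpected alg
    if not sig or not hmac.compare_digest(sig, _hs256(signing_input, key)):
        return None
    return payload
```

The difference that matters is where the algorithm decision lives. `verify_pinned` never consults `header['alg']` to decide what to do; it only checks that the header claims something the server would have issued, then verifies the signature regardless. A JWT library that exposes an algorithms allow-list parameter is doing the same thing, and leaving that parameter unset is how the textbook bypass survives in otherwise modern code.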

What the timeline tells you to do

The value here is less about these two CVEs, which you should simply have patched by now, and more about the pattern they illustrate. Bugs demonstrated at Pwn2Own follow a recognizable lifecycle:

  • Contest demo (month 0). The bug is proven exploitable on current software. Details are held back under the contest’s disclosure rules.
  • Vendor patch (month 0 to 4). The vendor gets the writeup privately and ships a fix. This is your window of advantage: patch and the chain is dead before any public exploit exists.
  • Public technical writeup (month 3 to 9). Researchers publish the details. Skilled attackers can now reproduce it.
  • Working public PoC (month 6 to 12). Exploit code becomes available, and the bug becomes usable by people who couldn’t have found it.
  • Commodity exploitation and KEV listing (month 9 onward). It’s in toolkits and ransomware playbooks.

The SharePoint chain hit every one of those marks. The practical takeaway: when a Pwn2Own result targets software you run, treat the vendor’s patch for it as high priority even though there’s “no exploitation yet,” because the no-exploitation window is exactly the head start the lifecycle gives you, and it closes on a schedule. Waiting until KEV listing means waiting until month nine-plus, when the advantage is gone.

What to do for these specific bugs

  • Patch SharePoint to current. Both CVE-2023-29357 and CVE-2023-24955 were fixed in 2023 Patch Tuesday releases (May and June). Confirm your on-premises SharePoint Server 2016/2019/Subscription Edition farms are past those updates, and remember SharePoint patching isn’t done until the configuration wizard has run across every server in the farm, not just the binary install.
  • Patch both halves, and don’t rely on one. While breaking either link breaks this particular chain, the auth bypass alone (CVE-2023-29357) is a critical impersonation bug that’s dangerous in its own right and pairs with other code-execution paths. Treat each on its own merits.
  • Hunt for JWT spoofing and exploit indicators. Look for anomalous authentication via forged tokens, unexpected administrative actions, and the web-shell or code-execution artifacts that follow a SharePoint compromise. Public detections exist for this chain; the exploit code has been out since late 2023, so an unpatched, exposed farm should be treated as potentially already compromised.
  • Take SharePoint off the public internet where you can. An internet-reachable on-prem SharePoint farm is a standing target for exactly this class of chain. Front it with access controls.
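A worked version of the hunting step, added here and not taken from the article or from any published detection: it walks constructed proxy-style log lines that record the Authorization header, decodes only the JWT header of each Bearer token (no verification), flags tokens whose algorithm is not one the farm's issuer would use or whose signature segment is empty, and then lists the clients that went on to make write requests. The log format, the `HS256`-only expectation and the sample tokens are assumptions. Default IIS W3C logs do not record the Authorization header, so in practice this runs against reverse-proxy, WAF or request-tracing output rather than the standard web log.

```python
# Added example (not from the article): a hunt over constructed log lines that
# record the Authorization header. It never validates tokens; it decodes the
# plaintext base64url JWT header and flags anything the farm would not issue,
# then correlates flagged clients with follow-on write requests.
import base64
import hashlib
import hmac
import json
import re

EXPECTED_ALGS = {"HS256"}   # assumption: the only algorithm this farm's token issuer uses

# Constructed log format: time client method path status "authorization".
_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
_BEARER = re.compile(r"^Bearer ([A-Za-z0-9_\-]+)\.([A-Za-z0-9_\-]+)\.([A-Za-z0-9_\-]*)$")
WRITE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _demo_token(alg: str, sub: str) -> str:
    """Constructed fixture tokens so the sample log can be built offline."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({"sub": sub}).encode())
    sig = "" if alg == "none" else _b64url_encode(
        hmac.new(b"demo-key", f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"


SAMPLE_LOG = [  # constructed sample lines; IPs and paths are illustrative
    f'2024-01-11T08:01:02Z 10.0.0.5 GET /_api/web 200 "Bearer {_demo_token("HS256", "alice")}"',
    f'2024-01-11T08:05:40Z 198.51.100.7 GET /_api/web 200 "Bearer {_demo_token("none", "admin")}"',
    f'2024-01-11T08:05:41Z 198.51.100.7 POST /_api/web/lists 201 "Bearer {_demo_token("none", "admin")}"',
    '2024-01-11T08:07:00Z 10.0.0.9 GET /sites/hr 403 "-"',
]


def token_findings(auth_header: str):
    """Reasons a Bearer token looks forged, judged from its header alone."""
    m = _BEARER.match(auth_header)
    if not m:
        return []                            # no JWT present, nothing to judge
    try:
        alg = json.loads(_b64url_decode(m.group(1))).get("alg")
    except ValueError:                       # bad base64, bad UTF-8 or bad JSON
        return ["undecodable JWT header"]
    reasons = []
    if alg not in EXPECTED_ALGS:
        reasons.append(f"alg={alg!r} not in expected set")
    if m.group(3) == "":
        reasons.append("empty signature segment")
    return reasons


def hunt(lines):
    """One finding per log line whose token fails the header checks."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = _LINE.match(line)
        if not parsed:
            continue
        reasons = token_findings(parsed.group(6))
        if reasons:
            findings.append({"line": n, "client": parsed.group(2),
                             "path": parsed.group(4), "reasons": reasons})
    return findings


def clients_with_followup_writes(lines):
    """Clients that presented a suspect token and also issued write requests."""
    flagged = {f["client"] for f in hunt(lines)}
    writers = set()
    for line in lines:
        parsed = _LINE.match(line)
        if parsed and parsed.group(2) in flagged and parsed.group(3) in WRITE_METHODS:
            writers.add(parsed.group(2))
    return writers
```

A token with `alg=none` is a definite finding, but its absence proves little: a token minted with a stolen signing key, or a compromise that arrived through another path, passes this header check, so the correlation with administrative activity and write requests from the same client carries more weight than the token check by itself.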

The reframe is a planning one. Most vulnerability prioritization is reactive, keyed to KEV listings and active-exploitation reports, which means you’re always responding at the end of the lifecycle. Pwn2Own hands you the front of the lifecycle for free: a public list of which products just got popped, months before the exploits go commodity. Patch those on the early signal, not the late one. We track the path from contest demo to catalog listing precisely because the months in between are the cheapest time to close the door.
