Microsoft SharePoint Connector Vulnerability Let Attackers Steal User’s Credentials


A critical server-side request forgery (SSRF) vulnerability in Microsoft Power Platform’s SharePoint connector allowed attackers to harvest user credentials and impersonate victims across multiple services, including Power Apps, Power Automate, Copilot Studio, and Copilot 365.

The patched flaw posed severe risks to organizations relying on SharePoint for data management and collaboration.

The vulnerability, if exploited, would have allowed malicious actors to impersonate users and execute actions on their behalf within the SharePoint environment, leading to significant security breaches.


According to researcher Dmitry Lozovoy, the vulnerability resided in insufficient input validation within the SharePoint connector. By manipulating the “custom value” functionality, attackers could insert crafted URLs that the connector did not correctly validate.

Threat actors could trick users into triggering requests to attacker-controlled servers by creating a malicious flow or app, leaking SharePoint JSON Web Tokens (JWTs) tied to the victim’s credentials. These tokens, valid for SharePoint API access, allowed attackers to:

  • Execute unauthorized actions on behalf of the victim.
  • Access sensitive data, including user directories and document libraries.
  • Escalate privileges laterally within the network.

To exploit the flaw, attackers required Environment Maker and Basic User roles in Power Platform, which grant permissions to create and share resources.

Multi-Platform Exploitation

The SSRF vulnerability’s cross-platform impact amplified its severity:

  1. Power Automate: Attackers shared malicious flows with low-privileged users, capturing tokens when victims ran them.
  2. Power Apps: Malicious apps embedded in Teams or surveys prompted users to approve connections, leaking tokens even if errors occurred.
  3. Copilot Studio & Copilot 365: Attackers injected rogue agents, tricking users into granting access during routine tasks.

Zenity Labs demonstrated how stolen tokens could bypass authentication, enabling API calls to SharePoint for data exfiltration or further attacks.

Microsoft addressed the vulnerability (tracked as CVE-2024-49070) in December 2024 after Zenity Labs reported it in September 2024. The company classified it as an “Important” severity issue with Elevation of Privilege impact. Patches were rolled out for:

  • SharePoint Server 2016, 2019, and Subscription Edition.
  • Power Platform services, including connectors for Power Apps and Automate.

While the SSRF flaw is no longer exploitable, organizations must ensure they’ve applied the latest updates.

Recommendations for Mitigation

To safeguard against similar threats:

  1. Apply Security Updates: Install December 2024 patches for SharePoint and Power Platform.
  2. Limit Permissions: Restrict Environment Maker and Basic User roles to trusted personnel.
  3. Monitor Suspicious Activity: Audit flows/apps for unexpected external URL references.
  4. Educate Users: Train employees to recognize unauthorized consent prompts or errors during app interactions.
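Recommendation 3 above calls for auditing flows for unexpected external URL references. As an added example (not code from the article or from Zenity Labs), this script walks the SharePoint connector actions in an exported Power Automate flow definition and flags URL parameters whose host lies outside the tenant's SharePoint domains; the flow JSON shape, the tenant domain and the helper names are assumptions.

```python
"""Audit an exported Power Automate flow for SharePoint connector actions whose
URL parameters point outside the tenant's SharePoint domains (defensive check)."""
import json
from urllib.parse import urlparse
# Domains a SharePoint site URL is expected to live under (assumption: adjust to
# your tenant). A SharePoint action pointing anywhere else is suspicious.
ALLOWED_SUFFIXES = ("contoso.sharepoint.com",)

# Constructed sample loosely modelled on an exported flow definition; the real
# schema carries more fields, so this shape is an assumption, not the spec.
SAMPLE_FLOW = json.loads("""{"properties": {"definition": {"actions": {
  "Get_items": {"inputs": {
    "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"},
    "parameters": {"dataset": "https://contoso.sharepoint.com/sites/finance", "table": "Invoices"}}},
  "Get_file": {"inputs": {
    "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"},
    "parameters": {"dataset": "https://attacker.example/steal", "id": "1"}}},
  "Post_msg": {"inputs": {
    "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_teams"},
    "parameters": {"body": "https://teams.microsoft.com/l/x"}}}
}}}}""")

def _urls(node):
    """Yield every string anywhere under `node` that parses as an http(s) URL."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for v in node:
            yield from _urls(v)
    elif isinstance(node, str):
        u = urlparse(node)
        if u.scheme in ("http", "https") and u.hostname:
            yield node

def host_allowed(url, suffixes=ALLOWED_SUFFIXES):
    """Exact or dotted-suffix match, so 'contoso.sharepoint.com.evil.example' fails."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_flow(flow, suffixes=ALLOWED_SUFFIXES):
    """Return [(action_name, url)] for SharePoint connector actions that reference
    a host outside the allowed SharePoint domains."""
    findings = []
    actions = flow.get("properties", {}).get("definition", {}).get("actions", {})
    for name, action in actions.items():
        inputs = action.get("inputs", {})
        if not inputs.get("host", {}).get("apiId", "").endswith("shared_sharepointonline"):
            continue  # other connectors are out of scope for this check
        findings += [(name, u) for u in _urls(inputs.get("parameters", {})) if not host_allowed(u, suffixes)]
    return findings
```

Run `audit_flow` over each exported flow in an environment; any finding is a SharePoint action whose site URL an administrator should verify by hand before the flow is shared further.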

While the vulnerability has been patched, organizations using the Power Platform are advised to review their security configurations and ensure that all systems are up to date with the latest security patches.

