What is Microsoft SharePoint?
Microsoft SharePoint is a web-based collaboration and document management platform widely deployed in enterprise, government, and education environments. SharePoint Server runs on-premises on Windows Server and is used for intranets, document libraries, team sites, and workflow automation. Because SharePoint stores sensitive corporate documents and often integrates with Active Directory, a compromised SharePoint server gives attackers access to confidential files, employee data, and a trusted foothold inside the corporate network. SharePoint Server installations with internet-facing endpoints are a recurring target for initial access.
Overview
CVE-2024-38094 is a deserialization vulnerability in Microsoft SharePoint Server that allows an authenticated attacker with Site Owner privileges to achieve remote code execution on the server. Microsoft patched the vulnerability in the July 2024 Patch Tuesday release; CISA added it to the KEV catalog in October 2024, more than three months later, confirming active exploitation in the wild, including by ransomware operators.
Affected Versions
| Product | Status |
|---|---|
| Microsoft SharePoint Server 2019 | Patched July 2024 Patch Tuesday |
| Microsoft SharePoint Server Subscription Edition | Patched July 2024 Patch Tuesday |
| Microsoft SharePoint Server 2016 | Patched July 2024 Patch Tuesday |
Technical Details
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). SharePoint's server-side processing handles serialized .NET objects sent through certain API endpoints or web service calls. A flaw in input validation allows an attacker to submit a crafted serialized payload that, when deserialized by the server, triggers arbitrary code execution in the SharePoint application context. .NET deserialization vulnerabilities are particularly powerful because deserialization can instantiate arbitrary .NET types and invoke their constructors and methods, providing a full code execution primitive to an attacker who can reach the vulnerable endpoint.
The High privilege requirement (PR:H, Site Owner) means the attacker must either already have Site Owner access to a SharePoint site (which may be broadly granted in many organizations) or first compromise Site Owner credentials through phishing or credential theft before exploiting the vulnerability for code execution.
Discovery
The vulnerability was patched as part of the July 2024 Patch Tuesday cycle. The gap of more than three months before its addition to the CISA KEV catalog, combined with the ransomware flag, indicates threat actors were actively exploiting unpatched SharePoint servers as an initial access vector to deploy ransomware payloads after gaining a foothold on the server.
Exploitation Context
SharePoint Server deserialization RCEs are consistently targeted by ransomware groups and espionage actors because SharePoint servers typically sit inside the network perimeter with access to Active Directory and sensitive file shares. The exploitation pattern is: the attacker obtains Site Owner credentials via phishing → exploits CVE-2024-38094 for RCE on the SharePoint server → uses the server's trusted position to move laterally and deploy ransomware across the domain. The three-month delay before KEV addition suggests many organizations had not applied the July Patch Tuesday update, leaving a wide exploitation window.
Remediation
- Apply the July 2024 SharePoint security updates (Patch Tuesday, July 9, 2024) to all SharePoint Server installations immediately.
- Audit SharePoint Site Owner assignments — remove Site Owner privileges from accounts that do not require them; apply least-privilege site permissions.
- Restrict SharePoint Server administrative interfaces to internal networks; do not expose the SharePoint Central Administration site to the internet.
- Enable multi-factor authentication for all SharePoint user accounts, particularly those with elevated privileges.
- Review SharePoint server logs for unusual web service calls or deserialization-related errors prior to and since the July 2024 patch date.
- Apply network segmentation so that a compromised SharePoint server cannot directly reach domain controllers or other critical infrastructure without firewall inspection.
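
One way to carry out the Site Owner audit from the list above, as an added example (not Microsoft's tooling and not part of the original advisory). It assumes an elevated SharePoint Management Shell on a farm server, run as an account that can read every content database; the output file name is an arbitrary choice.

```powershell
# Added example: list every principal holding Site Owner-level rights in the farm.
# The snap-in call is a no-op where the SharePoint cmdlets are already loaded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-OwnerRow($Web, $Principal, $Via) {
    [pscustomobject]@{
        WebUrl        = $Web.Url
        Principal     = $Principal.LoginName
        Via           = $Via
        # True when the principal is an AD group, i.e. one entry covers many accounts.
        IsDomainGroup = [bool]$Principal.IsDomainGroup
    }
}

$rows = foreach ($site in Get-SPSite -Limit All) {
    try {
        # Site collection administrators have full control of every web in the collection.
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-OwnerRow $site.RootWeb $admin 'Site collection administrator'
        }
        foreach ($web in $site.AllWebs) {
            try {
                # Subsites that inherit permissions only repeat the parent's owners.
                if (-not $web.IsRootWeb -and -not $web.HasUniqueRoleAssignments) { continue }
                foreach ($ra in $web.RoleAssignments) {
                    # The Full Control permission level has role type Administrator.
                    if (-not ($ra.RoleDefinitionBindings | Where-Object { $_.Type -eq 'Administrator' })) { continue }
                    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        foreach ($user in $ra.Member.Users) {
                            New-OwnerRow $web $user "Group: $($ra.Member.Name)"
                        }
                    } else {
                        New-OwnerRow $web $ra.Member 'Direct Full Control'
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Full inventory for review, then the two views that matter most for least privilege:
# AD groups granted owner rights, and the principals that own the most sites.
$rows | Export-Csv -Path .\site-owner-audit.csv -NoTypeInformation
$rows | Where-Object IsDomainGroup | Sort-Object Principal, WebUrl | Format-Table -AutoSize
$rows | Group-Object Principal | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Rows where `IsDomainGroup` is true deserve the first look, since every member of that Active Directory group meets the PR:H precondition for this CVE.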
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-38094 |
| Vendor / Product | Microsoft — SharePoint |
| NVD Published | 2024-07-09 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-502 |
| CISA KEV Added | 2024-10-22 |
| CISA KEV Deadline | 2024-11-12 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-07-09 | Microsoft releases July 2024 Patch Tuesday patching CVE-2024-38094 |
| 2024-10-22 | Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation 3+ months after patch |
| 2024-11-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2024-38094 | Vendor Advisory |
| NVD — CVE-2024-38094 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |