CVE-2024-38094

CVE-2024-38094 is a high-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-22). The underlying weakness is classified as CWE-502.

Key facts

Description

Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2024-38094: Microsoft SharePoint Server Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2024-38094 is a remote code execution vulnerability in Microsoft SharePoint Server. It stems from unsafe deserialization of untrusted data (CWE-502) and can be exploited by an attacker with high-privilege access to the target application. The vulnerability carries a CVSS 3.1 score of 7.2 (HIGH) and has been actively exploited in the wild, as confirmed by both CISA's Known Exploited Vulnerabilities catalog and the EU Vulnerability Database.

Background

Microsoft SharePoint Server is a widely deployed collaboration and document-management platform used by enterprises and government organizations. SharePoint instances are frequently exposed to internal networks and, in some configurations, to the internet. Because the platform integrates deeply with Active Directory and often stores sensitive business data, a code-execution flaw within SharePoint represents a significant risk to confidentiality, integrity, and availability of organizational data.

Root Cause

The underlying weakness is categorized as CWE-502: Deserialization of Untrusted Data. SharePoint Server deserializes attacker-controlled input without adequate validation. When an authenticated user with elevated privileges submits a malicious payload, the deserialization process can instantiate arbitrary objects and invoke dangerous methods, ultimately leading to full remote code execution on the server. The specific endpoint or API surface involved has not been publicly documented in detail by Microsoft, but the nature of the flaw points to insufficient type checking or missing allow-listing during object reconstruction.

Impact

With a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, the vulnerability is rated HIGH. Although exploitation requires high privileges (PR:H), once an attacker satisfies that prerequisite the impact is severe and comprehensive: complete loss of confidentiality, integrity, and availability on the affected server. In practice, this means an attacker can exfiltrate documents, implant persistent backdoors, pivot laterally within the network, or render the SharePoint farm unusable. The unchanged scope (S:U) indicates the impact is confined to the vulnerable component, but within a SharePoint environment that still equates to extensive damage.

Exploitation Walkthrough

Ethics and Legal Notice: The following description is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.

An attacker must first obtain administrative or equivalent high-privilege credentials within the SharePoint environment—either through credential theft, social engineering, or compromise of a related account. With those credentials in hand, the attacker crafts a serialized object payload designed to trigger a gadget chain during deserialization. The payload is delivered to the vulnerable SharePoint endpoint. Upon processing, SharePoint deserializes the object, the gadget chain executes, and the attacker gains arbitrary code execution in the context of the SharePoint application pool or service account. Because the attack complexity is low (AC:L) and no user interaction is required (UI:N), the exploit can be scripted and executed reliably once access is obtained.

Affected and Patched Versions

The following Microsoft SharePoint Server products are confirmed vulnerable:

  • Microsoft SharePoint Server (Subscription Edition)
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2016 (Enterprise)

Microsoft released security updates addressing this flaw in the July 2024 Patch Tuesday cycle. Administrators should verify that their SharePoint farms are running a patched build. Specific build numbers and update packages are available via the Microsoft Security Response Center reference below.

Remediation

  1. Apply the security update immediately. Prioritize SharePoint servers that are internet-facing or accessible from less-trusted network segments. The July 2024 cumulative update for SharePoint Server contains the fix.
  2. Enforce multi-factor authentication (MFA). Require MFA for all SharePoint administrative accounts and limit the number of accounts with farm-administrator or site-collection-administrator privileges.
  3. Segment the SharePoint farm. Place SharePoint servers on isolated network segments with strict egress and ingress filtering. Monitor for unexpected outbound connections.
  4. Audit serialized-data handling. If custom SharePoint solutions or third-party components perform their own deserialization, review that code for similar CWE-502 weaknesses.

Detection

  • Monitor SharePoint Unified Logging Service (ULS) logs and IIS logs for unusual requests to administrative or internal API endpoints, especially those carrying large or binary payloads.
  • Correlate Windows Event Log authentication events with legitimate administrative activity baselines; look for logins from unexpected source IP addresses or at unusual times.
  • Deploy endpoint detection and response (EDR) agents on SharePoint servers with behavioral rules targeting suspicious process creation from the SharePoint application pool identity.
  • Review file-system and registry changes within the SharePoint installation directories for unauthorized modifications.

Assessment

CVE-2024-38094 carries an EPSS score of approximately 0.49979, placing it in the 98.7th percentile—indicating a very high probability of exploitation in the wild. This prediction is borne out by reality: CISA added the flaw to its Known Exploited Vulnerabilities catalog on 2024-10-22, and the EU Vulnerability Database (EUVD-2024-37782) also lists it as actively exploited from the same date. The combination of HIGH severity, confirmed in-the-wild exploitation, and a common enterprise target makes this a priority patching item.

Key lessons:

  1. Deserialization vulnerabilities continue to plague mature enterprise applications. Frameworks and platforms must adopt safe deserialization patterns—such as strict type allow-listing or switching to serialization formats that do not support arbitrary object instantiation.
  2. The high-privilege requirement (PR:H) is not a meaningful barrier when administrative accounts are regularly targeted by phishing and credential-based attacks. Strong multi-factor authentication and privileged-access management are essential compensating controls.

References

Frequently asked questions

What is CVE-2024-38094?
Microsoft SharePoint Remote Code Execution Vulnerability
How severe is CVE-2024-38094?
CVE-2024-38094 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-38094 being actively exploited?
Yes. CVE-2024-38094 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-38094?
CVE-2024-38094 primarily affects Microsoft Sharepoint Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-38094?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-38094 have an EU (EUVD) identifier?
Yes. CVE-2024-38094 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-37782. It is also flagged as exploited in the EUVD (since 2024-10-22).
When was CVE-2024-38094 published?
CVE-2024-38094 was published on 2024-07-09 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Sharepoint Server

All CVEs affecting Microsoft Sharepoint Server →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →