CVE-2024-38094
CVE-2024-38094 is a high-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-22). The underlying weakness is classified as CWE-502.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- EPSS exploit prediction: 50% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-10-22)
- EU (EUVD) id: EUVD-2024-37782
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-10-22)
- Weakness: CWE-502
- Affected product: Microsoft Sharepoint Server
- Published:
- Last modified:
Description
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2024-38094: Microsoft SharePoint Server Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2024-38094 is a remote code execution vulnerability in Microsoft SharePoint Server. It stems from unsafe deserialization of untrusted data (CWE-502) and can be exploited by an attacker with high-privilege access to the target application. The vulnerability carries a CVSS 3.1 score of 7.2 (HIGH) and has been actively exploited in the wild, as confirmed by both CISA's Known Exploited Vulnerabilities catalog and the EU Vulnerability Database.
Background
Microsoft SharePoint Server is a widely deployed collaboration and document-management platform used by enterprises and government organizations. SharePoint instances are frequently exposed to internal networks and, in some configurations, to the internet. Because the platform integrates deeply with Active Directory and often stores sensitive business data, a code-execution flaw within SharePoint represents a significant risk to confidentiality, integrity, and availability of organizational data.
Root Cause
The underlying weakness is categorized as CWE-502: Deserialization of Untrusted Data. SharePoint Server deserializes attacker-controlled input without adequate validation. When an authenticated user with elevated privileges submits a malicious payload, the deserialization process can instantiate arbitrary objects and invoke dangerous methods, ultimately leading to full remote code execution on the server. The specific endpoint or API surface involved has not been publicly documented in detail by Microsoft, but the nature of the flaw points to insufficient type checking or missing allow-listing during object reconstruction.
Impact
With a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, the vulnerability is rated HIGH. Although exploitation requires high privileges (PR:H), once an attacker satisfies that prerequisite the impact is severe and comprehensive: complete loss of confidentiality, integrity, and availability on the affected server. In practice, this means an attacker can exfiltrate documents, implant persistent backdoors, pivot laterally within the network, or render the SharePoint farm unusable. The unchanged scope (S:U) indicates the impact is confined to the vulnerable component, but within a SharePoint environment that still equates to extensive damage.
Exploitation Walkthrough
Ethics and Legal Notice: The following description is provided for defensive awareness only. Attempting to exploit systems without explicit authorization is illegal and unethical.
An attacker must first obtain administrative or equivalent high-privilege credentials within the SharePoint environment—either through credential theft, social engineering, or compromise of a related account. With those credentials in hand, the attacker crafts a serialized object payload designed to trigger a gadget chain during deserialization. The payload is delivered to the vulnerable SharePoint endpoint. Upon processing, SharePoint deserializes the object, the gadget chain executes, and the attacker gains arbitrary code execution in the context of the SharePoint application pool or service account. Because the attack complexity is low (AC:L) and no user interaction is required (UI:N), the exploit can be scripted and executed reliably once access is obtained.
Affected and Patched Versions
The following Microsoft SharePoint Server products are confirmed vulnerable:
- Microsoft SharePoint Server (Subscription Edition)
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 (Enterprise)
Microsoft released security updates addressing this flaw in the July 2024 Patch Tuesday cycle. Administrators should verify that their SharePoint farms are running a patched build. Specific build numbers and update packages are available via the Microsoft Security Response Center reference below.
Remediation
- Apply the security update immediately. Prioritize SharePoint servers that are internet-facing or accessible from less-trusted network segments. The July 2024 cumulative update for SharePoint Server contains the fix.
- Enforce multi-factor authentication (MFA). Require MFA for all SharePoint administrative accounts and limit the number of accounts with farm-administrator or site-collection-administrator privileges.
- Segment the SharePoint farm. Place SharePoint servers on isolated network segments with strict egress and ingress filtering. Monitor for unexpected outbound connections.
- Audit serialized-data handling. If custom SharePoint solutions or third-party components perform their own deserialization, review that code for similar CWE-502 weaknesses.
Detection
- Monitor SharePoint Unified Logging Service (ULS) logs and IIS logs for unusual requests to administrative or internal API endpoints, especially those carrying large or binary payloads.
- Correlate Windows Event Log authentication events with legitimate administrative activity baselines; look for logins from unexpected source IP addresses or at unusual times.
- Deploy endpoint detection and response (EDR) agents on SharePoint servers with behavioral rules targeting suspicious process creation from the SharePoint application pool identity.
- Review file-system and registry changes within the SharePoint installation directories for unauthorized modifications.
Assessment
CVE-2024-38094 carries an EPSS score of approximately 0.49979, placing it in the 98.7th percentile—indicating a very high probability of exploitation in the wild. This prediction is borne out by reality: CISA added the flaw to its Known Exploited Vulnerabilities catalog on 2024-10-22, and the EU Vulnerability Database (EUVD-2024-37782) also lists it as actively exploited from the same date. The combination of HIGH severity, confirmed in-the-wild exploitation, and a common enterprise target makes this a priority patching item.
Key lessons:
- Deserialization vulnerabilities continue to plague mature enterprise applications. Frameworks and platforms must adopt safe deserialization patterns—such as strict type allow-listing or switching to serialization formats that do not support arbitrary object instantiation.
- The high-privilege requirement (
PR:H) is not a meaningful barrier when administrative accounts are regularly targeted by phishing and credential-based attacks. Strong multi-factor authentication and privileged-access management are essential compensating controls.
References
Frequently asked questions
- What is CVE-2024-38094?
- Microsoft SharePoint Remote Code Execution Vulnerability
- How severe is CVE-2024-38094?
- CVE-2024-38094 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-38094 being actively exploited?
- Yes. CVE-2024-38094 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-38094?
- CVE-2024-38094 primarily affects Microsoft Sharepoint Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-38094?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-38094 have an EU (EUVD) identifier?
- Yes. CVE-2024-38094 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-37782. It is also flagged as exploited in the EUVD (since 2024-10-22).
- When was CVE-2024-38094 published?
- CVE-2024-38094 was published on 2024-07-09 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38094
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38094
Affected products (3)
- cpe:2.3:a:microsoft:sharepoint_server:-:*:*:*:subscription:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Server
- CVE-2013-1330 — Critical (CVSS 10.0): The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and…
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2026-20963 — Critical (CVSS 9.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a…
- CVE-2025-53770 — Critical (CVSS 9.8): Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute…
- CVE-2023-29357 — Critical (CVSS 9.8): Microsoft SharePoint Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Sharepoint Server →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →