Background
Microsoft SharePoint Server is an enterprise collaboration and document management platform deployed by thousands of organisations as their intranet, document repository, and team collaboration hub. SharePoint integrates deeply with Active Directory, Microsoft 365, and other Microsoft services. Organisations often store sensitive documents, internal communications, and business data in SharePoint — and the server itself is typically granted broad access to Active Directory and other backend systems.
CVE-2024-38094 is a deserialization vulnerability in SharePoint Server, patched in Microsoft’s July 2024 Patch Tuesday. Despite requiring Site Owner-level authentication (reducing the CVSS score below Critical), it was added to CISA’s KEV catalogue in October 2024 after confirmation of active exploitation in targeted intrusion campaigns. Threat actors who obtained initial access through other means leveraged Site Owner credentials (often obtained via phishing or credential theft) to use CVE-2024-38094 as an RCE stepping stone for deeper network penetration.
Technical Mechanism
CVE-2024-38094 is a .NET deserialization vulnerability in SharePoint Server’s server-side processing code. SharePoint is built on ASP.NET and uses .NET serialization for various internal operations. The vulnerability exists in the processing of certain types of user-supplied data that are deserialized server-side.
.NET deserialization vulnerabilities follow a similar pattern to Java deserialization issues: when .NET’s BinaryFormatter, XmlSerializer, or other deserializers process attacker-controlled data, they instantiate objects whose constructors or property setters can trigger dangerous operations. The BinaryFormatter (now deprecated but historically used extensively in SharePoint) is particularly dangerous as it can instantiate any type in the current AppDomain.
In SharePoint’s case, the vulnerability is accessible via the SharePoint REST API or SharePoint’s server-side processing endpoints to a user with Site Owner permissions:
```http
# Crafted request to vulnerable SharePoint endpoint (illustrative)
POST /_api/web/[vulnerable_endpoint] HTTP/1.1
Host: sharepoint.target.com
Authorization: Bearer <site_owner_token>
Content-Type: application/octet-stream

[Malicious .NET serialized object — gadget chain]
```
Common .NET gadget chains:
- TypeConfuseDelegate: Chains Delegate and Comparison<T> objects to call arbitrary methods
- WindowsIdentity: Uses a Windows identity token to trigger code execution via the identity initialisation code
- ObjectDataProvider + ExpandedWrapper: Triggers method invocation during deserialisation
Successful exploitation executes code in the context of the SharePoint application pool, which runs under a dedicated service account. On many SharePoint deployments, this account is a domain service account with significant Active Directory permissions.
Real-World Exploitation Evidence
CISA added CVE-2024-38094 to its KEV catalogue on October 22, 2024, confirming active exploitation. Security firm ESET published research documenting a sophisticated threat actor using the vulnerability:
- Lateral movement pivot: Threat actors who had obtained initial access through other means (phishing, credential stuffing against VPN, etc.) then used Site Owner credentials to trigger CVE-2024-38094, escalating from SharePoint access to code execution on the server.
- Network reconnaissance: Post-exploitation activity included deployment of custom reconnaissance tools to enumerate Active Directory, internal network topology, and high-value system locations.
- Harnessing SharePoint’s AD access: SharePoint servers typically run under accounts with significant AD read access; attackers leveraged this for comprehensive domain reconnaissance.
- Persistence mechanisms: Web shells and modified SharePoint aspx files were deployed for persistent access.
- Data exfiltration: SharePoint’s document libraries provided a rich source of sensitive documents for exfiltration.
Impact Assessment
RCE on SharePoint Server provides:
- SharePoint application pool context: Code runs as the SharePoint service account — typically a domain account with access to SharePoint databases, file servers, and AD.
- Active Directory access: SharePoint service accounts commonly have read access to all AD objects; this enables comprehensive domain reconnaissance.
- SQL Server access: SharePoint stores all content in SQL Server databases; the service account has read/write access to the content databases.
- Document access: All SharePoint-hosted documents across all sites are accessible from the server context.
- Kerberos delegation: If SharePoint is configured for Kerberos constrained delegation (common for integrations), the service account may be able to impersonate users to downstream services.
- Internal credential access: SharePoint often integrates with other internal services whose credentials are in the web.config or SharePoint encrypted store.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SharePoint Server Subscription Edition | Before July 2024 CU | July 2024 CU+ |
| SharePoint Server 2019 | Before July 2024 CU | July 2024 CU+ |
| SharePoint Server 2016 | Before July 2024 CU | July 2024 CU+ |
| SharePoint Online (Microsoft 365) | Not affected | N/A |
Remediation Steps
- Apply July 2024 Cumulative Update or later: Install via Windows Update or download from the Microsoft Update Catalog. SharePoint updates require running the SharePoint Products Configuration Wizard post-installation.
- Apply the update process correctly:

  ```powershell
  # After installing the update, run the configuration wizard
  & "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\PSConfig.exe" -cmd upgrade -inplace b2b -wait -force -cmd applicationcontent -install -cmd installfeatures -cmd secureresources -cmd services
  ```

- Audit Site Owner accounts: Review which accounts have Site Owner permissions across all SharePoint site collections:

  ```powershell
  # PowerShell to enumerate Site Owners
  Add-PSSnapin Microsoft.SharePoint.PowerShell
  Get-SPSite -Limit All | ForEach-Object {
      $site = $_
      $site.RootWeb.SiteAdministrators |
          Select-Object @{N = "Site"; E = { $site.Url }}, UserLogin
  }
  ```

- Review SharePoint application event logs: Check for unusual serialisation-related errors or unexpected code execution events around the time of suspected exploitation.
- Check web root for web shells:

  ```powershell
  # Check for unexpected ASPX files
  Get-ChildItem "C:\inetpub\wwwroot\wss\" -Filter "*.aspx" -Recurse |
      Where-Object { $_.CreationTime -gt [datetime]"2024-07-01" } |
      Select-Object FullName, CreationTime, LastWriteTime
  ```

- Monitor SharePoint service account: Review AD audit logs for the SharePoint service account performing unusual LDAP queries or accessing unexpected systems.
Detection Guidance
Log sources:
- SharePoint ULS logs: `C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS\`
- Windows Event Logs on SharePoint servers
- IIS access logs: `C:\inetpub\logs\LogFiles\`
- Active Directory audit logs for SharePoint service account activity
ULS log analysis:
```powershell
# Parse SharePoint ULS logs for deserialization errors
Select-String -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS\*.log" `
    -Pattern "BinaryFormatter|deserializ|TypeConfuse|ObjectDataProvider"
```
IIS log suspicious patterns:
- POST requests to SharePoint API endpoints with `application/octet-stream` content type from Site Owners
- Large binary POST bodies to `/_api/` or `/_vti_bin/` endpoints
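The two IIS patterns above can be turned into a small triage script. The Python below is an added example, not part of the original advisory: it assumes the IIS site logs in W3C format with the optional `cs-bytes` field enabled (so request body size is recorded), and the log lines and the `SITE_OWNERS` set are constructed for the example. Content type is not among the default IIS fields, so the script corroborates large POSTs to `/_api/` or `/_vti_bin/` with the Site Owner logins produced by the audit step in the remediation section.

```python
"""Triage IIS W3C logs for the CVE-2024-38094 request pattern: large POST bodies
to /_api/ or /_vti_bin/ from accounts holding Site Owner rights.
Added example, not from the original advisory. Assumes the optional cs-bytes
field is enabled in IIS logging; the sample log below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Iterator, List, Tuple

# Constructed sample (not real traffic). Column order is taken from the #Fields
# header, so the parser also handles sites that log a different field set.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-10-20 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes time-taken
2024-10-20 09:01:10 10.0.0.5 GET /sites/finance/_api/web/lists - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 412 31
2024-10-20 09:02:44 10.0.0.5 POST /_api/web/siteusers - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 200 1850 58
2024-10-20 09:03:12 10.0.0.5 POST /_api/web/lists - 443 CORP\\siteowner1 10.0.1.99 python-requests/2.31 500 183422 1204
2024-10-20 09:03:15 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\siteowner1 10.0.1.99 python-requests/2.31 200 96210 880
2024-10-20 09:04:00 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\carol 10.0.1.30 Mozilla/5.0 200 2048000 3000
"""

# Site Owner logins as produced by the Get-SPSite audit (constructed for this example).
SITE_OWNERS: FrozenSet[str] = frozenset({"CORP\\siteowner1"})

API_PREFIXES = ("/_api/", "/_vti_bin/")
LARGE_BODY_BYTES = 50_000  # assumed threshold; tune to the site's normal POST sizes


@dataclass
class Request:
    timestamp: str
    method: str
    uri: str
    user: str
    client_ip: str
    status: int
    bytes_in: int


def parse_iis_w3c(text: str) -> Iterator[Request]:
    """Yield one Request per data row, using the #Fields header for column names."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misattribute columns
        row: Dict[str, str] = dict(zip(fields, values))
        yield Request(
            timestamp=f"{row['date']} {row['time']}",
            method=row["cs-method"],
            uri=row["cs-uri-stem"],
            user=row.get("cs-username", "-"),
            client_ip=row["c-ip"],
            status=int(row["sc-status"]),
            bytes_in=int(row["cs-bytes"]),
        )


def is_sharepoint_api(uri: str) -> bool:
    """/_api/ and /_vti_bin/ may be site-relative (e.g. /sites/finance/_api/...)."""
    low = uri.lower()
    return any(prefix in low for prefix in API_PREFIXES)


def flag_suspicious(requests: Iterable[Request],
                    site_owners: FrozenSet[str] = SITE_OWNERS,
                    threshold: int = LARGE_BODY_BYTES) -> List[Tuple[Request, List[str]]]:
    """Return (request, reasons) for large POSTs to SharePoint API endpoints."""
    hits: List[Tuple[Request, List[str]]] = []
    for r in requests:
        if r.method != "POST" or not is_sharepoint_api(r.uri):
            continue
        if r.bytes_in < threshold:
            continue
        reasons = [f"large POST body ({r.bytes_in} bytes) to {r.uri}"]
        if r.user in site_owners:
            reasons.append("caller holds Site Owner rights")
        if r.status >= 500:
            reasons.append(f"server responded {r.status}")
        hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    for req, why in flag_suspicious(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print(f"{req.timestamp} {req.client_ip} {req.user}: " + "; ".join(why))
```

On the constructed log the GET and the small POST are ignored, the large upload to `/_layouts/` is ignored because it is not an API endpoint, and the two large POSTs from the Site Owner login are reported with the corroborating reasons. A 5xx on such a request is worth noting because it is where the ULS log search for serialisation errors should be aligned in time.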
Suricata signature:
```
# Source is left as "any": exploitation needs valid Site Owner credentials, so the
# request can originate inside $HOME_NET as easily as from outside it.
alert http any any -> $HOME_NET any (msg:"SharePoint CVE-2024-38094 .NET Deserialization Exploit"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_api/"; http.header; content:"application/octet-stream"; http.request_body; content:"|00 01 00 00 00 ff ff ff ff|"; classtype:attempted-admin; sid:9002380; rev:1;)
```

The final `content` must be preceded by the `http.request_body` sticky buffer; without it the match is attempted against the header buffer selected by the preceding `http.header` keyword and the rule never fires on the serialized payload.
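The nine hex bytes in the signature are the start of the SerializationHeaderRecord that opens every BinaryFormatter stream (MS-NRBF section 2.6.1): record type `00`, then `RootId` = 1 and `HeaderId` = -1 as little-endian int32s, normally followed by `MajorVersion` = 1 and `MinorVersion` = 0. The Python below is an added example, not code from the advisory or from Microsoft: it decodes the full 17-byte header and an immediately following BinaryLibrary record, so a triage script can separate a genuine serialized object graph from a chance match on the prefix. The sample bodies and the assembly name `ExampleLibrary` are constructed for the example.

```python
"""Decode the SerializationHeaderRecord that opens every .NET BinaryFormatter
stream (MS-NRBF section 2.6.1), so a triage script can confirm that a body
flagged by the nine-byte signature is really a serialized object graph.
Added example, not from the original advisory; the sample bodies are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

RECORD_SERIALIZATION_HEADER = 0x00
RECORD_MESSAGE_END = 0x0B
RECORD_BINARY_LIBRARY = 0x0C
HEADER_LEN = 17  # 1-byte record type + RootId, HeaderId, MajorVersion, MinorVersion (int32 each)


@dataclass
class NrbfHeader:
    root_id: int
    header_id: int
    major_version: int
    minor_version: int


def parse_header(body: bytes) -> Optional[NrbfHeader]:
    """Return the header if body starts with a well-formed SerializationHeaderRecord, else None."""
    if len(body) < HEADER_LEN or body[0] != RECORD_SERIALIZATION_HEADER:
        return None
    root_id, header_id, major, minor = struct.unpack_from("<iiii", body, 1)
    # MS-NRBF fixes MajorVersion to 1 and MinorVersion to 0; anything else is not a BinaryFormatter stream
    if major != 1 or minor != 0:
        return None
    return NrbfHeader(root_id, header_id, major, minor)


def read_length_prefixed_string(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode an NRBF LengthPrefixedString (7-bit variable-length length, then UTF-8)."""
    length = shift = 0
    while True:
        if offset >= len(buf):
            raise ValueError("truncated length prefix")
        b = buf[offset]
        offset += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
        if shift > 28:
            raise ValueError("length prefix longer than 5 bytes")
    if offset + length > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[offset:offset + length].decode("utf-8"), offset + length


def referenced_library(body: bytes) -> Optional[str]:
    """Name of the assembly in a BinaryLibrary record placed right after the header, if any."""
    if parse_header(body) is None or len(body) <= HEADER_LEN:
        return None
    if body[HEADER_LEN] != RECORD_BINARY_LIBRARY:
        return None
    # BinaryLibrary = RecordTypeEnum (1) + LibraryId (int32) + LibraryName (LengthPrefixedString)
    name, _ = read_length_prefixed_string(body, HEADER_LEN + 5)
    return name


def classify_body(body: bytes) -> str:
    """Triage verdict for a request body captured from the /_api/ or /_vti_bin/ endpoints."""
    header = parse_header(body)
    if header is None:
        if body.startswith(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"):
            return "signature-prefix-only: first 9 bytes match but header is malformed"
        return "not-nrbf"
    lib = referenced_library(body)
    verdict = f"nrbf-stream root_id={header.root_id} header_id={header.header_id}"
    return verdict + (f" library={lib!r}" if lib else "")


def encode_length_prefixed_string(s: str) -> bytes:
    """Inverse of read_length_prefixed_string; used only to build the constructed samples."""
    data = s.encode("utf-8")
    n, out = len(data), bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out) + data


# Constructed samples (not captured traffic).
# Header bytes: type 00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0,
# i.e. the 00 01 00 00 00 ff ff ff ff prefix the Suricata rule matches, then a
# BinaryLibrary record naming a hypothetical assembly and a MessageEnd record.
SAMPLE_NRBF_BODY = (
    bytes.fromhex("00 01000000 ffffffff 01000000 00000000")
    + bytes([RECORD_BINARY_LIBRARY]) + struct.pack("<i", 2)
    + encode_length_prefixed_string("ExampleLibrary, Version=1.0.0.0, Culture=neutral")
    + bytes([RECORD_MESSAGE_END])
)
# Same 9-byte prefix but MajorVersion 2: a chance match the signature alone would not reject.
SAMPLE_PREFIX_ONLY = bytes.fromhex("00 01000000 ffffffff 02000000 00000000")
SAMPLE_JSON_BODY = b'{"__metadata":{"type":"SP.List"},"Title":"Docs"}'

if __name__ == "__main__":
    for name, body in [("nrbf", SAMPLE_NRBF_BODY), ("prefix-only", SAMPLE_PREFIX_ONLY), ("json", SAMPLE_JSON_BODY)]:
        print(f"{name}: {classify_body(body)}")
```

Run against bodies carved from a packet capture or a web-server request trace, `classify_body` returns `not-nrbf` for the ordinary JSON that SharePoint's REST clients send, reports the prefix-only case separately so the Suricata hit can be closed as a false positive, and for a real stream surfaces the first assembly the object graph references, which is often the quickest way to tell a routine serialized object from one of the gadget chains listed in the technical section.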
Timeline
| Date | Event |
|---|---|
| July 9, 2024 | Microsoft patches CVE-2024-38094 in Patch Tuesday |
| July 2024 | Initial public advisory published |
| October 2024 | Threat actor exploitation documented by ESET |
| October 22, 2024 | CISA adds CVE-2024-38094 to KEV catalogue |
| October 2024 | ESET publishes technical report on intrusion campaign |
| Late 2024 | Additional exploitation campaigns documented |