CVE-2024-38094: Microsoft SharePoint RCE via Deserialization
An authenticated deserialization flaw in SharePoint Server chained with privilege escalation to achieve full Active Directory domain compromise — added to CISA KEV after ransomware operators confirmed exploitation
CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. While the CVSS score of 7.2 reflects the Site Owner authentication requirement, real-world exploitation demonstrated a more severe impact: attackers chained it with CVE-2024-38023 (privilege escalation) to progress from lower-privilege access to full Active Directory domain compromise in observed incidents. CISA's October 2024 KEV addition confirmed active ransomware operator exploitation.
Deserialization in SharePoint: Technical Root Cause
SharePoint Server processes .NET serialized objects as part of its workflow engine and API functionality. CVE-2024-38094 involves unsafe deserialization of attacker-controlled data in SharePoint's server-side processing, reachable by an authenticated user with Site Owner permissions.
.NET deserialization attacks exploit gadget chains — sequences of existing .NET classes that, when deserialized in a specific order, execute arbitrary commands. SharePoint's IIS-hosted application pool context means the resulting execution carries the permissions of the SharePoint application pool account, which is typically highly privileged within Active Directory.
Microsoft's advisory describes the vulnerability as requiring network access and Site Owner authentication but granting code execution on the server — a description consistent with a deserialization gadget chain reachable through SharePoint's API surface.
The Privilege Chaining Problem
The CVSS 7.2 score reflects the authentication barrier — but that barrier was bypassed in the wild by chaining with CVE-2024-38023, a second SharePoint vulnerability in the same July 2024 patch cycle that allowed privilege escalation to Site Owner from lower permission levels.
The combined chain:
1. Attacker compromises any account with basic SharePoint access (common through phishing)
2. CVE-2024-38023 escalates that access to Site Owner
3. CVE-2024-38094 achieves RCE on the SharePoint server as the IIS app pool identity
4. The SharePoint server's AD integration and service account privileges enable lateral movement
5. Domain Admin credentials extracted via credential dumping on the domain-joined server
This pattern — two moderate-severity authenticated vulnerabilities chained to achieve domain compromise — highlights why patch velocity for enterprise collaboration platforms must match that applied to network perimeter devices.
Attack Chain
Full exploitation sequence from initial access to domain compromise:
Initial Credential Compromise
Attacker obtains SharePoint credentials via phishing, credential stuffing, or a prior compromise — any account with SharePoint access is sufficient as a starting point.
Privilege Escalation to Site Owner (CVE-2024-38023)
Using the lower-privilege account, attacker exploits CVE-2024-38023 to escalate permissions to Site Owner level within a SharePoint site collection.
Deserialization RCE (CVE-2024-38094)
With Site Owner access, attacker sends crafted API request containing a malicious .NET serialized object. SharePoint deserializes it and executes attacker code as the IIS application pool identity.
Credential Harvesting on SharePoint Server
Code execution on the domain-joined SharePoint server enables credential dumping via LSASS access or other techniques, targeting the privileged service accounts SharePoint uses.
Domain Compromise and Lateral Movement
Harvested domain credentials enable full Active Directory compromise and unrestricted lateral movement across the organization's network.
Detection
Indicators for CVE-2024-38094 exploitation:
| Artifact | Data source | Detection notes |
|---|---|---|
| Anomalous SharePoint API calls from accounts with no prior API usage history | SharePoint ULS log / network proxy log | Automated exploitation via API often generates traffic patterns distinguishable from normal user browser sessions; look for non-browser user agents and rapid request sequences |
| w3wp.exe (IIS app pool) spawning cmd.exe, powershell.exe, or net.exe as child processes | Process telemetry (EDR) | SharePoint IIS processes should not spawn interactive shell children; this parent-child relationship is a strong indicator of code execution |
| LSASS memory access originating from w3wp.exe or SharePoint service processes | EDR / Windows Security Event Log | Credential dumping attempt from SharePoint process context; Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and SourceImage w3wp.exe |
| New files dropped in SharePoint IIS virtual directories | Filesystem | Webshell or persistence artifact; audit inetpub and SharePoint hive directories for unexpected executable files |
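The three host-side rows of the table above (IIS worker spawning a shell, SharePoint process opening LSASS, executable content written under a web root), expressed as detection logic. This is an added example written for this page, not tooling from the page, Microsoft or any EDR vendor. It runs over constructed Sysmon-style event records; the owstimer.exe process name, the web-root prefixes and the executable-suffix list are assumptions to tune for your own farm.

```python
"""Process-telemetry rules for the host-side SharePoint indicators listed above.

SAMPLE_EVENTS are constructed Sysmon-style records (not real telemetry); field
names follow Sysmon Event ID 1 (ProcessCreate), 10 (ProcessAccess) and
11 (FileCreate).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Shell children an IIS worker should never spawn (list from the page).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe"}
# Processes treated as "SharePoint context" for LSASS access. w3wp.exe is from
# the page; owstimer.exe (SharePoint Timer Service) is an added assumption.
SHAREPOINT_PROCESSES = {"w3wp.exe", "owstimer.exe"}
# Assumed web-root prefixes: IIS inetpub virtual directories and the SharePoint
# hive under Common Files. Compared lower-case; tune per farm.
WEB_ROOTS = (
    r"c:\inetpub\wwwroot\wss\virtualdirectories",
    r"c:\program files\common files\microsoft shared\web server extensions",
)
# Assumed set of extensions that count as executable content in a web root.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".exe", ".dll", ".ps1"}


@dataclass
class Alert:
    rule: str
    utc_time: str
    detail: str


def _name(path: str) -> str:
    """Lower-case file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path).name.lower()


def _under_web_root(path: str) -> bool:
    return path.lower().startswith(WEB_ROOTS)


def evaluate(events: list[dict]) -> list[Alert]:
    """Apply the three rules from the table to a stream of Sysmon-style events."""
    alerts: list[Alert] = []
    for ev in events:
        eid, when = ev.get("EventID"), ev.get("UtcTime", "")
        if eid == 1:
            parent, child = _name(ev.get("ParentImage", "")), _name(ev.get("Image", ""))
            if parent == "w3wp.exe" and child in SHELL_CHILDREN:
                alerts.append(Alert("w3wp_spawned_shell", when, f"{parent} -> {child}"))
        elif eid == 10:
            src, tgt = _name(ev.get("SourceImage", "")), _name(ev.get("TargetImage", ""))
            if src in SHAREPOINT_PROCESSES and tgt == "lsass.exe":
                # The access mask is recorded for the analyst, not filtered on:
                # the source process is the strong signal; mask tuning is a site decision.
                alerts.append(Alert("sharepoint_process_accessed_lsass", when,
                                    f"{src} GrantedAccess={ev.get('GrantedAccess', '?')}"))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if _under_web_root(target) and PureWindowsPath(target).suffix.lower() in EXECUTABLE_SUFFIXES:
                alerts.append(Alert("executable_dropped_in_web_root", when,
                                    f"{_name(ev.get('Image', ''))} wrote {target}"))
    return alerts


# Constructed events: three that should alert, three benign lookalikes that should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-07-16 09:05:20", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 1, "UtcTime": "2024-07-16 09:05:21", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                        # parent is not w3wp.exe
    {"EventID": 10, "UtcTime": "2024-07-16 09:06:02", "SourceImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-07-16 09:06:05", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},   # AV engine, expected
    {"EventID": 11, "UtcTime": "2024-07-16 09:07:10", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\15\dropped.aspx"},
    {"EventID": 11, "UtcTime": "2024-07-16 09:07:11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\App_Data\cache.tmp"},  # data file
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert.utc_time}  {alert.rule:36s} {alert.detail}")
```

The LSASS rule keys on the source process rather than on the access mask because security agents open LSASS legitimately all day; keeping GrantedAccess in the alert detail lets the analyst apply mask-based tuning without the rule silently dropping a w3wp.exe access.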
Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
Remediation
Priority steps:
Apply July 2024 SharePoint cumulative updates
Both CVE-2024-38094 and CVE-2024-38023 are patched in the July 2024 SharePoint cumulative updates for Server 2016, 2019, and Subscription Edition. Apply both patches together — patching one without the other leaves the chain partially exploitable.
Audit SharePoint Site Owner assignments
Review all Site Owner role assignments across site collections and remove unnecessary permissions. Apply least-privilege principles — the majority of SharePoint users do not require Site Owner access. Reducing the Site Owner population reduces the blast radius of any credential compromise.
Monitor SharePoint ULS and IIS logs for anomalous API activity
Configure SIEM rules to alert on non-browser user agents accessing SharePoint APIs, rapid sequences of API calls from single accounts, and requests to SharePoint endpoints not normally accessed by the account's role.
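One way to implement the two SIEM rules just described, as an added example (not the page's own rule set or any vendor's): a parser for IIS W3C log lines and two checks over the result, a non-browser user agent hitting SharePoint API endpoints and a burst of API calls from one account. The /_api/ and /_vti_bin/ prefixes, the browser and Office user-agent markers, and the threshold of 10 calls in 10 seconds are assumptions to tune; the log lines are constructed.

```python
"""IIS W3C log triage for the SharePoint API signals described above.

SAMPLE_LOG_LINES are constructed (not from a real server). The parser honours
the #Fields: directive so it works on logs with a different column order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed SharePoint API path prefixes (REST and legacy web services).
API_PREFIXES = ("/_api/", "/_vti_bin/")
# Assumed markers for interactive browsers and Office clients; anything else
# calling the API is flagged for review. Extend for sync clients you expect.
BROWSER_MARKERS = ("mozilla/", "microsoft office/")
BURST_THRESHOLD = 10            # assumed: this many API calls ...
BURST_WINDOW = timedelta(seconds=10)   # ... inside this window is a burst

BROWSER_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0"
SCRIPT_UA = "python-requests/2.32"
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status",
    f"2024-07-16 09:00:01 GET /sites/finance/SitePages/Home.aspx CONTOSO\\jdoe 10.1.4.20 {BROWSER_UA} 200",
    f"2024-07-16 09:00:03 GET /_api/web/lists CONTOSO\\jdoe 10.1.4.20 {BROWSER_UA} 200",
    f"2024-07-16 09:04:55 GET /_api/web/currentuser CONTOSO\\svc_backup 10.1.9.77 {SCRIPT_UA} 200",
] + [
    # twelve scripted calls in twelve seconds from one account
    f"2024-07-16 09:05:{s:02d} POST /_vti_bin/client.svc/ProcessQuery CONTOSO\\svc_backup 10.1.9.77 {SCRIPT_UA} 200"
    for s in range(0, 12)
]


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names from the #Fields: line."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue                      # malformed or pre-header line: skip
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def _is_api(uri: str) -> bool:
    return uri.lower().startswith(API_PREFIXES)


def _looks_like_browser(ua: str) -> bool:
    ua = ua.lower()
    return any(marker in ua for marker in BROWSER_MARKERS)


def triage(lines):
    """Return (rule, account, detail) findings for the two rules."""
    findings = []
    seen_clients = set()
    api_times = defaultdict(list)
    for rec in parse_w3c(lines):
        if not _is_api(rec["cs-uri-stem"]):
            continue
        user, ua = rec["cs-username"], rec["cs(User-Agent)"]
        api_times[user].append(rec["ts"])
        if not _looks_like_browser(ua) and (user, ua) not in seen_clients:
            seen_clients.add((user, ua))
            findings.append(("non_browser_api_client", user, ua))
    # Sliding window per account over the sorted API timestamps.
    for user, times in api_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(("api_burst", user,
                                 f"{end - start + 1} calls in {BURST_WINDOW.seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in triage(SAMPLE_LOG_LINES):
        print(f"{rule:24s} {user:22s} {detail}")
```

The non-browser rule reports each (account, user agent) pair once rather than once per request, so a scripted session produces a single alert with the burst finding beside it; the "requests to endpoints not normally accessed by the account's role" rule from the text needs a per-role baseline and is left out here.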
Restrict SharePoint service account privileges in Active Directory
SharePoint service accounts should hold only the AD permissions required for SharePoint functionality — not Domain Admin or other broad privileged roles. Review the AD permissions of all accounts used by SharePoint services and apply least privilege.
Deploy Credential Guard on SharePoint servers
Windows Defender Credential Guard uses virtualization-based security to protect LSASS credential material. Deploying it on SharePoint servers prevents the most common credential dumping techniques even after code execution is achieved.
The bottom line
CVE-2024-38094 illustrates why CVSS scores are a floor, not a ceiling, for risk assessment. A 7.2 'High' vulnerability in SharePoint — AD-integrated, service-account-privileged, domain-joined infrastructure — chains trivially to domain compromise when combined with a second moderate vulnerability. Enterprise collaboration platforms deserve the same patch urgency applied to network perimeter devices. The October 2024 CISA KEV addition confirms this is not a theoretical concern.
Frequently asked questions
Does CVE-2024-38094 affect SharePoint Online (Microsoft 365)?
No. CVE-2024-38094 only affects on-premises SharePoint Server installations (2016, 2019, Subscription Edition). SharePoint Online is a cloud service managed by Microsoft that runs a different code base and is not affected.
Why is the CVSS score 7.2 if the real-world impact is domain compromise?
The CVSS 7.2 score reflects the authentication requirement (Site Owner) which reduces the base score compared to unauthenticated vulnerabilities. CVSS scores measure the vulnerability in isolation — they do not capture chaining with privilege escalation or the elevated real-world impact of compromising SharePoint's AD-integrated server context. Always evaluate vulnerabilities in context, not CVSS score alone.
What other CVEs were chained with CVE-2024-38094 in the wild?
Attackers chained CVE-2024-38094 with CVE-2024-38023, a SharePoint privilege escalation vulnerability patched in the same July 2024 update cycle. CVE-2024-38023 allowed escalation to Site Owner level from lower permissions, completing a chain from lower-privilege access to RCE to domain compromise.
Founder & Cybersecurity Evangelist, Decryption Digest