CVE-2022-24472

8.0 HIGH

📋 TL;DR

CVE-2022-24472 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to impersonate a legitimate user and perform unauthorized actions. This affects organizations running vulnerable SharePoint Server versions, potentially compromising data integrity and access controls.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Microsoft SharePoint Server 2019, SharePoint Server Subscription Edition
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SharePoint Server, not SharePoint Online. Requires attacker to have some level of access to SharePoint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain administrative privileges, access sensitive data, modify content, or deploy malicious payloads across the SharePoint environment.

🟠

Likely Case

Attackers would impersonate users to access restricted documents, modify permissions, or exfiltrate sensitive information without detection.

🟢

If Mitigated

With proper authentication controls and network segmentation, impact would be limited to isolated SharePoint instances with minimal data exposure.

🌐 Internet-Facing: HIGH - Internet-facing SharePoint servers are directly accessible to attackers, increasing exploitation likelihood.
🏢 Internal Only: MEDIUM - Internal servers require network access but could be exploited by compromised internal accounts or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to SharePoint. Microsoft rates this as 'Exploitation More Likely' in their advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2022 Security Update for SharePoint Server

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24472

Restart Required: Yes

Instructions:

1. Download March 2022 security update from Microsoft Update Catalog.
2. Apply update to all SharePoint servers.
3. Restart SharePoint services.
4. Test functionality.

🔧 Temporary Workarounds

Restrict SharePoint Access (platform: all)

Limit SharePoint access to trusted users only using network segmentation and authentication controls.

Enable Audit Logging (platform: windows)

Configure detailed SharePoint audit logging to detect suspicious impersonation attempts.

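# SharePoint Server (on-premises): auditing is set per site collection; Set-SPOTenant is SharePoint Online only
$site = Get-SPSite -Identity <site>
$site.TrimAuditLog = $true; $site.AuditLogTrimmingRetention = 90   # keep audit entries for 90 days
$site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::All; $site.Audit.Update()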

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all SharePoint users
  • Monitor SharePoint audit logs for unusual impersonation patterns and permission changes

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and compare against patched versions in Microsoft advisory.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify March 2022 security update is installed and SharePoint version matches patched release.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user impersonation events
  • Unexpected permission changes
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • Unusual SharePoint API calls from unexpected sources
  • Suspicious authentication patterns

SIEM Query:

source="SharePoint" AND (event_id="UserImpersonation" OR event_id="PermissionChange") | stats count by user, source_ip
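
The log indicator "multiple failed authentication attempts followed by successful access" can be checked offline against exported sign-in records. The following is an added example, not taken from the vendor advisory or from this page's source; the record fields (`time`, `user`, `source_ip`, `outcome`), the threshold and the time window are assumptions to adapt to your own log pipeline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real SharePoint output).
# Tuple layout is an assumption: (time, user, source_ip, outcome).
SAMPLE_EVENTS = [
    ("2022-03-10T08:00:00", "carol", "10.0.0.7", "failure"),
    ("2022-03-10T08:01:00", "carol", "10.0.0.7", "failure"),
    ("2022-03-10T08:02:00", "carol", "10.0.0.7", "failure"),
    ("2022-03-10T09:00:01", "alice", "10.0.0.5", "failure"),
    ("2022-03-10T09:00:20", "alice", "10.0.0.5", "failure"),
    ("2022-03-10T09:00:41", "alice", "10.0.0.5", "failure"),
    ("2022-03-10T09:01:05", "alice", "10.0.0.5", "success"),
    ("2022-03-10T09:02:00", "bob", "10.0.0.9", "failure"),
    ("2022-03-10T09:02:10", "bob", "10.0.0.9", "success"),
    ("2022-03-10T09:30:00", "carol", "10.0.0.7", "success"),
]


def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Return (user, source_ip, success_time, failure_count) for each success
    preceded by at least `threshold` failures from the same user and source
    address within `window`."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, user, ip, outcome in sorted(events):  # ISO timestamps sort by time
        now = datetime.fromisoformat(ts)
        failures = recent[(user, ip)]
        # Expire failures that are older than the correlation window.
        while failures and now - failures[0] > window:
            failures.popleft()
        if outcome == "failure":
            failures.append(now)
        elif outcome == "success":
            if len(failures) >= threshold:
                alerts.append((user, ip, ts, len(failures)))
            failures.clear()  # a success starts a fresh sequence
    return alerts


if __name__ == "__main__":
    for user, ip, ts, count in failures_then_success(SAMPLE_EVENTS):
        print(f"{ts} {user} from {ip}: success after {count} recent failures")
```

Grouping by user and source address mirrors the `stats count by user, source_ip` clause in the query above; the window keeps stale failures from matching a much later sign-in.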
