CVE-2022-29108

8.8 HIGH

📋 TL;DR

CVE-2022-29108 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code on affected systems. This affects organizations running vulnerable SharePoint Server versions, potentially compromising sensitive data and system integrity.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: 2013, 2016, 2019, Subscription Edition
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; SharePoint Online not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SharePoint Server with the attacker gaining SYSTEM-level privileges, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to sensitive SharePoint data, modification or deletion of documents, and potential credential theft from the compromised server.

🟢 If Mitigated

Limited impact due to network segmentation, strong authentication controls, and minimal user privileges, though risk remains if the patch is not applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user access; exploitation details have not been publicly disclosed, but the vulnerability is likely being actively exploited.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2022 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29108

Restart Required: Yes

Instructions:

1. Download the May 2022 security updates from the Microsoft Update Catalog.
2. Apply the updates to all SharePoint servers in the farm.
3. Restart servers as required.
4. Test SharePoint functionality post-patch.

🔧 Temporary Workarounds

Restrict SharePoint Application Pool Identity
Platform: windows

Limit the permissions of the SharePoint application pool identity to reduce impact if the vulnerability is exploited.

Network Segmentation
Platform: all

Isolate SharePoint servers from critical systems and limit inbound and outbound connections.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all SharePoint users
  • Monitor for suspicious activity and implement application whitelisting on SharePoint servers

🔍 How to Verify

Check if Vulnerable:

Check the SharePoint Server farm build version and compare it against the patched build numbers listed in the Microsoft advisory.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that the May 2022 security updates are installed via Windows Update history or PowerShell:

Get-HotFix -Id KB5012121

Note that Get-HotFix only lists updates recorded as Windows hotfixes (Win32_QuickFixEngineering); SharePoint product updates are not always listed there, so comparing the farm BuildVersion from Get-SPFarm against the advisory is the more reliable confirmation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PowerShell execution from SharePoint processes
  • Suspicious file creation in SharePoint directories
  • Authentication anomalies

Network Indicators:

  • Unexpected outbound connections from SharePoint servers
  • SMB or RPC traffic to unusual destinations

SIEM Query:

source="SharePoint" AND (process="powershell.exe" OR command_line="*Invoke-Expression*" OR command_line="*DownloadString*")
