CVE-2024-21318

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by getting the server to deserialize untrusted data. It affects organizations running vulnerable SharePoint Server versions and can lead to complete system compromise.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Specific versions as listed in Microsoft advisory
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects SharePoint Server installations with default configurations. Check Microsoft advisory for exact version details.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to sensitive SharePoint data, privilege escalation, and installation of web shells for persistent access.

🟢 If Mitigated

Limited impact with proper network segmentation, application controls, and monitoring that detects exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication to SharePoint Server. Exploitation involves getting the server to deserialize untrusted data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply latest Microsoft security updates for SharePoint Server

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21318

Restart Required: Yes

Instructions:

1. Download and install the latest security update for SharePoint Server from the Microsoft Update Catalog.
2. Apply the patch to all SharePoint servers.
3. Restart SharePoint services or servers as required.
4. Test functionality after patching.

🔧 Temporary Workarounds

Restrict network access (platform: all)

Limit SharePoint Server access to trusted networks only using firewall rules.

Implement application controls (platform: windows)

Use application allowlisting to prevent execution of unauthorized code.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SharePoint servers
  • Enable enhanced logging and monitoring for suspicious SharePoint activity

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version against Microsoft's security advisory for affected versions

Check Version:

Get-SPFarm | Select-Object BuildVersion   (run from the SharePoint Management Shell on a farm server)

Verify Fix Applied:

Verify SharePoint Server has been updated to a version not listed in the advisory and security update is installed
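The following script expands the one-line version check above into a farm-wide check. It is an added example, not part of the original advisory or of any Microsoft tooling, and it assumes the SharePoint Management Shell snap-in is available on a farm server. The patched build number is a placeholder: take the real fixed build for your product line from the Microsoft advisory linked above.

```powershell
# Added example (not from the advisory page). Assumes the Microsoft.SharePoint.PowerShell
# snap-in is available, i.e. the script runs on a SharePoint farm server as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the fixed build number listed in the Microsoft advisory
# for your SharePoint product line. The value below is NOT the real patched build.
$PatchedBuild = [version]'16.0.0.0'

function Test-SPFarmPatched {
    param([version]$RequiredBuild)

    $farm  = Get-SPFarm
    $build = $farm.BuildVersion          # System.Version, so -lt / -ge compare correctly
    Write-Host "Farm build version: $build"

    if ($build -lt $RequiredBuild) {
        Write-Warning "Farm build $build is below the required build $RequiredBuild. Update needed."
        return $false
    }
    Write-Host "Farm build $build is at or above the required build $RequiredBuild."
    return $true
}

# Caveat: the farm build version only moves after the update is installed on every server
# AND the SharePoint Products Configuration Wizard (psconfig) has been run. Binaries can be
# patched while the farm still reports the old build, and vice versa a single unpatched
# server leaves the farm exposed. So also refresh and review per-server patch status.
Get-SPProduct -Local    # refreshes this server's product/patch information in the config database

Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |     # skip non-SharePoint hosts (e.g. the SQL server entry)
    Select-Object Name, Role, Status |
    Format-Table -AutoSize

Test-SPFarmPatched -RequiredBuild $PatchedBuild
```

Run `Get-SPProduct -Local` on each farm server (not just one) and compare the reported build with Central Administration's "Check product and patch installation status" page, since that page is the authoritative per-server view.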

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization events in SharePoint logs
  • Unexpected process creation from SharePoint worker processes
  • Authentication anomalies

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • Suspicious PowerShell or command execution patterns

SIEM Query:

source="sharepoint" AND (event_id="6398" OR process_name="powershell.exe")
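The log indicators above call out unexpected process creation from SharePoint worker processes. The following hunt is an added example, not part of the original advisory; it assumes Sysmon is installed with process-creation logging (Event ID 1) enabled and looks for the IIS worker process (w3wp.exe) spawning shells or script hosts, which is the typical footprint of code execution inside an IIS-hosted application.

```powershell
# Added example (not from the advisory page). Assumes Sysmon process-creation events
# (Event ID 1) are written to Microsoft-Windows-Sysmon/Operational on the SharePoint server.
function Find-SuspiciousW3wpChildren {
    param([int]$Days = 7)

    # Child images that a SharePoint worker process has no business launching.
    $suspiciousChildren = @(
        'powershell.exe', 'pwsh.exe', 'cmd.exe', 'cscript.exe', 'wscript.exe',
        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
    )

    $since = (Get-Date).AddDays(-$Days)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="...">value</Data>; flatten them into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            User        = $data['User']
        }
    } | Where-Object {
        $_.Parent -and $_.Image -and
        (Split-Path $_.Parent -Leaf) -ieq 'w3wp.exe' -and
        $suspiciousChildren -contains (Split-Path $_.Image -Leaf)
    } | Sort-Object Time
}

# Usage: review the last week of events on the SharePoint server.
Find-SuspiciousW3wpChildren -Days 7 | Format-Table -AutoSize -Wrap
```

Without Sysmon, the same logic applies to Security event 4688 (Process Creation) once process-creation auditing is enabled: filter on the creator process name ending in w3wp.exe, and turn on command-line inclusion in that audit policy or the CommandLine column will be empty. Expect occasional legitimate w3wp.exe children from custom solutions or timer-job integrations; baseline those per farm before alerting on every hit.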
