CVE-2025-30384

CVSS 3.x base score: 7.4 (HIGH)

📋 TL;DR

Remote code execution in Microsoft SharePoint Server via deserialization of untrusted data. An attacker who gets SharePoint to deserialize a crafted object runs arbitrary code inside the IIS worker process (w3wp.exe) with the privileges of the web application's application pool identity, which in most farms is a domain service account. Any organization running an unpatched on-premises SharePoint installation is affected.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Specific versions to be confirmed via Microsoft advisory
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is present in a default installation; exploitation does not depend on any non-default configuration.

📦 What is this software?

Microsoft SharePoint Server is Microsoft's on-premises collaboration and document-management platform. It runs as ASP.NET web applications hosted by IIS on Windows Server, is usually domain-joined with service accounts that have broad access, and holds large volumes of business documents, which is why code execution on a SharePoint server is a high-impact event.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the SharePoint server. Because the application pool and farm service accounts are domain accounts, this commonly leads to domain privilege escalation, bulk exfiltration of the document stores, and persistent backdoors such as web shells written into the IIS web root.

🟠

Likely Case

Unauthenticated remote code execution resulting in data theft, ransomware deployment, or lateral movement within the network.

🟢

If Mitigated

Exploit attempt blocked at the network perimeter or host firewall, or detected and contained before code execution succeeds.

🌐 Internet-Facing: HIGH - SharePoint servers are often published to the internet for external collaboration, so they are scanned and targeted quickly once a bug is known.
🏢 Internal Only: MEDIUM - An internal attacker or a compromised workstation can still reach the server and use it for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No (none publicly known at time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities typically have low exploitation complexity once details are public: with a reachable deserialization sink, the attack reduces to delivering a serialized object that triggers a known .NET gadget chain, and tooling to build such payloads is readily available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft Security Update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30384

Restart Required: Yes (the SharePoint Products Configuration Wizard / PSConfig must also be run after the update installs; see Instructions)

Instructions:

1. Look up CVE-2025-30384 in the Microsoft Security Update Guide and note the KB article and fixed build number for your SharePoint version.
2. Download the matching security update for that version.
3. Install it on every server in the farm, following Microsoft's instructions.
4. Run the SharePoint Products Configuration Wizard on each server (or, from an elevated SharePoint Management Shell, PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures). Installing the binaries alone leaves the server in "Upgrade Required" state and the farm build number unchanged.
5. Restart SharePoint services or the server as required, then confirm the farm build number matches the fixed build before considering the server patched.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to SharePoint servers to trusted sources only: end users or the load balancer/WAF on the web ports, other farm members, and the management network. This shrinks who can reach the vulnerable endpoint; it does not remove the bug.

Application Whitelisting (windows)

Implement application control (Windows Defender Application Control or AppLocker) so that only approved executables run. Note the limit: a deserialization payload executes inside the already-trusted w3wp.exe process, so application control does not stop the initial code execution, only the follow-on tools an attacker tries to drop and run.

🧯 If You Can't Patch

  • Isolate SharePoint servers in their own network segment with strict firewall rules (see the workaround above), and give the farm and application pool accounts only the privileges they need so that compromise of w3wp.exe does not hand over the domain
  • Put a web application firewall in front of SharePoint with rules that flag serialized .NET objects in request bodies; treat it as a speed bump rather than a fix, because deserialization payloads are easy to re-encode around signature rules
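The network-restriction workaround as concrete Windows Firewall rules, added here as an example; this is not from the Microsoft advisory or the page, and the subnets, farm member addresses and ports are placeholders for your environment. It allows the web ports only from trusted client sources, keeps farm-internal and management traffic open, then sets the inbound default to block.

```powershell
# Added example for the Network Segmentation workaround. Not from the Microsoft
# advisory or the page; the subnets below are placeholders for your environment.
# Run elevated on each SharePoint web front end. Test on one server first and keep
# an out-of-band console handy: a wrong rule here can cut off your own access.

$TrustedClientSubnets = @('10.10.0.0/16', '10.20.5.0/24')  # placeholder: users, load balancer or WAF
$FarmMembers          = @('10.30.1.10', '10.30.1.11')      # placeholder: other SharePoint servers in the farm
$AdminSubnet          = '10.99.0.0/24'                     # placeholder: management network
$WebPorts             = @(80, 443)                         # ports your web applications are bound to

# 1. Web traffic only from the trusted client sources
New-NetFirewallRule -DisplayName 'SharePoint web - trusted clients only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $WebPorts `
    -RemoteAddress $TrustedClientSubnets -Profile Any | Out-Null

# 2. Farm-internal traffic (service applications, distributed cache, search) between farm members
New-NetFirewallRule -DisplayName 'SharePoint farm - members' `
    -Direction Inbound -Action Allow -RemoteAddress $FarmMembers -Profile Any | Out-Null

# 3. Management (RDP, WinRM) only from the admin network
New-NetFirewallRule -DisplayName 'SharePoint mgmt - admin subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort @(3389, 5985, 5986) `
    -RemoteAddress $AdminSubnet -Profile Any | Out-Null

# 4. Everything else inbound is dropped unless an explicit allow rule matches
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verify which inbound allow rules expose the HTTPS port, and from where
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '443' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
```

The verification step at the end is the part to keep running: any pre-existing allow rule on 80/443 with RemoteAddress "Any" silently undoes the restriction. This limits who can reach the deserialization endpoint; an attacker already on a trusted subnet is unaffected.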

🔍 How to Verify

Check if Vulnerable:

Compare the installed SharePoint product and farm build number against the affected-versions list in the Microsoft advisory.

Check Version:

Get-SPProduct -Local in the SharePoint Management Shell lists the installed SharePoint products; (Get-SPFarm).BuildVersion gives the farm build number to compare against the fixed build in the advisory.

Verify Fix Applied:

Confirm the update appears in Windows Update history or Installed Updates, that the farm build number matches the fixed build, and that no server shows "Upgrade Required" in Central Administration (Get-SPServer exposes this as the NeedsUpgrade property). A server with the update installed but PSConfig not yet run is still not fixed.
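The Instructions and How to Verify steps above as one script, added here as an example that is not from the Microsoft advisory or the page. It reports installed products, compares the farm build against a placeholder fixed build, and checks the NeedsUpgrade flags that distinguish "update installed" from "update installed and PSConfig completed". The $FixedBuild value is a placeholder; take the real one from the MSRC entry for CVE-2025-30384.

```powershell
# Added example covering the Instructions and How to Verify steps above; not
# from the Microsoft advisory. Run in the SharePoint Management Shell, as a farm
# administrator, on every server in the farm.
# $FixedBuild is a placeholder: take the fixed build number for your SharePoint
# version from the MSRC entry for CVE-2025-30384.
$FixedBuild = [Version]'16.0.0.0'   # placeholder, replace with the advisory's fixed build

if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Test-SPPatchState {
    param([Parameter(Mandatory)][Version]$FixedBuild)

    $farm   = Get-SPFarm
    $server = Get-SPServer -Identity $env:COMPUTERNAME

    $state = [ordered]@{
        Server             = $server.Name
        FarmBuild          = $farm.BuildVersion
        FixedBuild         = $FixedBuild
        BuildAtOrAbove     = ($farm.BuildVersion -ge $FixedBuild)
        # NeedsUpgrade = True: update binaries are installed but PSConfig has not completed
        ServerNeedsUpgrade = $server.NeedsUpgrade
        FarmNeedsUpgrade   = $farm.NeedsUpgrade
    }
    $state.FullyPatched = $state.BuildAtOrAbove -and
                          -not $state.ServerNeedsUpgrade -and
                          -not $state.FarmNeedsUpgrade
    [pscustomobject]$state
}

# Installed SharePoint products on this server (the page's Check Version step)
Get-SPProduct -Local | Select-Object ProductName, IsProductInstalled | Format-Table -AutoSize

$state = Test-SPPatchState -FixedBuild $FixedBuild
$state | Format-List

if ($state.ServerNeedsUpgrade -or $state.FarmNeedsUpgrade) {
    Write-Warning 'Update installed but upgrade pending: run PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures on each server.'
} elseif (-not $state.BuildAtOrAbove) {
    Write-Warning "Farm build $($state.FarmBuild) is below the fixed build $FixedBuild: install the security update."
} else {
    Write-Host 'Farm build is at or above the fixed build and no upgrade is pending.'
}
```

Run it on every server, not just one: the farm build number is farm-wide, but NeedsUpgrade is per server, and a single server left in "Upgrade Required" means that server still runs the old binaries' configuration.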

📡 Detection & Monitoring

Log Indicators:

  • Deserialization exceptions (SerializationException and related type-loading errors) in the SharePoint ULS logs and in ASP.NET errors in the Windows Application event log
  • Unexpected child processes of w3wp.exe (cmd.exe, powershell.exe, cscript.exe and similar) in Security event 4688 or Sysmon event 1

Network Indicators:

  • Serialized .NET objects, typically large base64 blobs in request bodies or parameters, sent to SharePoint endpoints
  • Unusual outbound connections from the SharePoint server; the application pool account normally talks to SQL Server, domain controllers and farm peers, not to arbitrary external hosts

SIEM Query (Splunk-style keyword search over SharePoint logs; source and field names are illustrative and must be adjusted to your SIEM):

source="SharePoint" AND ("deserialization" OR "TypeConfusion" OR "BinaryFormatter")

Keyword matches on log text are noisy and the exception wording varies by sink. A higher-signal query is process creation with w3wp.exe as the parent, here against Windows Security events with the field names the Splunk Add-on for Windows extracts:

index=wineventlog EventCode=4688 Creator_Process_Name="*\\w3wp.exe" New_Process_Name IN ("*\\cmd.exe", "*\\powershell.exe", "*\\cscript.exe", "*\\mshta.exe")
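The w3wp.exe parent-process hunt from the SIEM query, run locally on a server, added here as an example that is not from the page. It normalises Security 4688 and Sysmon 1 events into one shape and flags children of w3wp.exe from a suspicious list; the $SampleRecords at the bottom are constructed, not real logs, and the only one flagged is the cmd.exe record (csc.exe under w3wp.exe is normal ASP.NET compilation).

```powershell
# Added example, not from the page's SIEM query. Hunts for processes spawned by
# SharePoint's IIS worker process (w3wp.exe): in-process code execution from a
# deserialization bug is invisible to process logging, but the attacker's next step
# (cmd.exe, powershell.exe, a web shell's helpers) is not. Reads Security event 4688
# (requires process-creation auditing; the CommandLine field additionally requires the
# "Include command line in process creation events" policy) and Sysmon event 1 if
# Sysmon is installed. The sample records at the bottom are constructed, not real logs.

# Children of w3wp.exe that should not appear on a SharePoint server
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe', 'wscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe',
                        'net.exe', 'net1.exe', 'whoami.exe', 'nltest.exe', 'schtasks.exe')

function Get-LeafName([string]$Path) {
    if ([string]::IsNullOrEmpty($Path)) { return '' }
    return [System.IO.Path]::GetFileName($Path)
}

# Normalises one Security/4688 or Sysmon/1 event into Parent/Image/CommandLine/User
function ConvertFrom-ProcessEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$EventRecord)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventRecord.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($EventRecord.Id -eq 4688) {
            [pscustomobject]@{
                Time = $EventRecord.TimeCreated; Source = 'Security/4688'
                Parent = $data['ParentProcessName']; Image = $data['NewProcessName']
                CommandLine = $data['CommandLine']
                User = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        } else {
            [pscustomobject]@{
                Time = $EventRecord.TimeCreated; Source = 'Sysmon/1'
                Parent = $data['ParentImage']; Image = $data['Image']
                CommandLine = $data['CommandLine']; User = $data['User']
            }
        }
    }
}

# Flags records whose parent is w3wp.exe and whose image is on the suspicious list
function Find-SuspiciousW3wpChild {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        $child = Get-LeafName $Record.Image
        if ((Get-LeafName $Record.Parent) -eq 'w3wp.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time = $Record.Time; Source = $Record.Source; User = $Record.User
                Child = $child; CommandLine = $Record.CommandLine
            }
        }
    }
}

# Constructed sample records: one web-shell style command (flagged), one ASP.NET
# compiler launch that is normal for w3wp.exe (not flagged), one unrelated process.
$SampleRecords = @(
    [pscustomobject]@{ Time = '2025-05-14 10:02:11'; Source = 'constructed'; User = 'CONTOSO\sp_apppool'
                       Parent = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami /all > C:\inetpub\wwwroot\wss\VirtualDirectories\80\out.txt' }
    [pscustomobject]@{ Time = '2025-05-14 10:02:15'; Source = 'constructed'; User = 'CONTOSO\sp_apppool'
                       Parent = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
                       CommandLine = 'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc.cmdline"' }
    [pscustomobject]@{ Time = '2025-05-14 10:03:00'; Source = 'constructed'; User = 'NT AUTHORITY\SYSTEM'
                       Parent = 'C:\Windows\System32\services.exe'; Image = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'svchost.exe -k netsvcs' }
)
$SampleRecords | Find-SuspiciousW3wpChild | Format-Table -AutoSize

# Live hunt over the last 7 days on this server
$since = (Get-Date).AddDays(-7)
@(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue
) | ConvertFrom-ProcessEvent | Find-SuspiciousW3wpChild | Format-Table -AutoSize
```

Tune $SuspiciousChildren per farm rather than allow-listing broadly: w3wp.exe legitimately launches csc.exe and a few other .NET tools, but it has no business starting a shell, and a single hit from the application pool account is worth an incident ticket.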

🔗 References

  • Microsoft Security Response Center, CVE-2025-30384: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30384
