CVE-2024-38094: Microsoft SharePoint RCE via Deserialization
An authenticated deserialization flaw in SharePoint Server chained with privilege escalation to achieve full Active Directory domain compromise, added to CISA KEV after ransomware operators confirmed exploitation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. While the CVSS score of 7.2 reflects the Site Owner authentication requirement, real-world exploitation demonstrated a more severe impact: attackers chained it with CVE-2024-38023 (privilege escalation) to progress from lower-privilege access to full Active Directory domain compromise in observed incidents. CISA's October 2024 KEV addition confirmed active ransomware operator exploitation.
Deserialization in SharePoint: Technical Root Cause
SharePoint Server processes .NET serialized objects as part of its workflow engine and API functionality. CVE-2024-38094 involves unsafe deserialization of attacker-controlled data in SharePoint's server-side processing, reachable by an authenticated user with Site Owner permissions.
.NET deserialization attacks exploit gadget chains, sequences of existing .NET classes that, when deserialized in a specific order, execute arbitrary commands. SharePoint's IIS-hosted application pool context means the resulting execution carries the permissions of the SharePoint application pool account, which is typically highly privileged within Active Directory.
Microsoft's advisory describes the vulnerability as requiring network access and Site Owner authentication but granting code execution on the server, a description consistent with a deserialization gadget chain reachable through SharePoint's API surface.
The Privilege Chaining Problem
The CVSS 7.2 score reflects the authentication barrier, but that barrier was bypassed in the wild by chaining with CVE-2024-38023, a second SharePoint vulnerability in the same July 2024 patch cycle that allowed privilege escalation to Site Owner from lower permission levels.
The combined chain:
- Attacker compromises any account with basic SharePoint access (common through phishing)
- CVE-2024-38023 escalates that access to Site Owner
- CVE-2024-38094 achieves RCE on the SharePoint server as the IIS app pool identity
- The SharePoint server's AD integration and service account privileges enable lateral movement
- Domain Admin credentials extracted via credential dumping on the domain-joined server
This pattern, two moderate-severity authenticated vulnerabilities chained to achieve domain compromise, highlights why patch velocity for enterprise collaboration platforms must match that applied to network perimeter devices.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Attack Chain
Full exploitation sequence from initial access to domain compromise:
Initial Credential Compromise
Attacker obtains SharePoint credentials via phishing, credential stuffing, or a prior compromise, any account with SharePoint access is sufficient as a starting point.
Privilege Escalation to Site Owner (CVE-2024-38023)
Using the lower-privilege account, attacker exploits CVE-2024-38023 to escalate permissions to Site Owner level within a SharePoint site collection.
Deserialization RCE (CVE-2024-38094)
With Site Owner access, attacker sends crafted API request containing a malicious .NET serialized object. SharePoint deserializes it and executes attacker code as the IIS application pool identity.
Credential Harvesting on SharePoint Server
Code execution on the domain-joined SharePoint server enables credential dumping via LSASS access or other techniques, targeting the privileged service accounts SharePoint uses.
Domain Compromise and Lateral Movement
Harvested domain credentials enable full Active Directory compromise and unrestricted lateral movement across the organization's network.
Detection
Indicators for CVE-2024-38094 exploitation:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Priority steps:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2024-38094 illustrates why CVSS scores are a floor, not a ceiling, for risk assessment. A 7.2 'High' vulnerability in SharePoint, AD-integrated, service-account-privileged, domain-joined infrastructure, chains trivially to domain compromise when combined with a second moderate vulnerability. Enterprise collaboration platforms deserve the same patch urgency applied to network perimeter devices. The October 2024 CISA KEV addition confirms this is not a theoretical concern.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Does CVE-2024-38094 affect SharePoint Online (Microsoft 365)?
No. CVE-2024-38094 only affects on-premises SharePoint Server installations (2016, 2019, Subscription Edition). SharePoint Online is a cloud service managed by Microsoft that runs a different code base and is not affected.
Why is the CVSS score 7.2 if the real-world impact is domain compromise?
The CVSS 7.2 score reflects the authentication requirement (Site Owner) which reduces the base score compared to unauthenticated vulnerabilities. CVSS scores measure the vulnerability in isolation, they do not capture chaining with privilege escalation or the elevated real-world impact of compromising SharePoint's AD-integrated server context. Always evaluate vulnerabilities in context, not CVSS score alone.
What other CVEs were chained with CVE-2024-38094 in the wild?
Attackers chained CVE-2024-38094 with CVE-2024-38023, a SharePoint privilege escalation vulnerability patched in the same July 2024 update cycle. CVE-2024-38023 allowed escalation to Site Owner level from lower permissions, completing a chain from lower-privilege access to RCE to domain compromise.
How does unsafe .NET deserialization lead to code execution in SharePoint?
Unsafe .NET deserialization exploits the fact that reconstructing a .NET object from serialized data can trigger arbitrary code execution through gadget chains, sequences of existing .NET classes that, when instantiated or invoked during deserialization, produce a chain of method calls leading to OS command execution. Tools like ysoserial.net enumerate known .NET gadget chains (such as those involving ObjectDataProvider, TypeConfuseDelegate, and WindowsIdentity) that work in specific .NET framework contexts. When SharePoint deserializes attacker-controlled data containing such a gadget chain, the deserialization process itself executes the injected commands as the IIS application pool identity without any additional interaction.
Why does SharePoint's Active Directory integration make this RCE especially dangerous?
SharePoint Server is deeply integrated with Active Directory: it runs under a domain service account, uses AD for user authentication and authorization, and the IIS application pool account typically has read access to broad AD objects and, in many deployments, is granted elevated permissions like 'Manage Lists' or even local admin rights on the server. Code execution under the SharePoint service account context provides immediate access to AD enumeration, and the domain-joined SharePoint server's OS-level access enables credential dumping techniques targeting LSASS, which stores cached Kerberos tickets and NTLM credential material for domain accounts that have recently authenticated. This is the path from SharePoint RCE to domain compromise in the observed attack chain.
Should organizations prioritize CVE-2024-38094 patching even with its CVSS 7.2 score?
Yes. The CVSS 7.2 score reflects only the isolated authentication requirement and does not capture the real-world chained impact. CVSS scores measure a vulnerability in isolation; they cannot account for how it combines with other vulnerabilities or how the target system's AD-integrated, privileged position amplifies the blast radius. CISA's October 2024 addition to the [Known Exploited Vulnerabilities catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) confirms active ransomware exploitation, which is the operationally relevant risk signal. SharePoint Server patches should receive the same urgency as network perimeter device patches given its AD integration and service account privileges.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
