CVE REFERENCE | HIGH SEVERITY
Active ThreatUpdated 9 min read

CVE-2024-38094: Microsoft SharePoint RCE via Deserialization

An authenticated deserialization flaw in SharePoint Server chained with privilege escalation to achieve full Active Directory domain compromise, added to CISA KEV after ransomware operators confirmed exploitation

7.2
CVSS Score
Site Owner
Permission level required
Oct 2024
CISA KEV added
Full AD
Observed post-exploitation impact

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. While the CVSS score of 7.2 reflects the Site Owner authentication requirement, real-world exploitation demonstrated a more severe impact: attackers chained it with CVE-2024-38023 (privilege escalation) to progress from lower-privilege access to full Active Directory domain compromise in observed incidents. CISA's October 2024 KEV addition confirmed active ransomware operator exploitation.

Deserialization in SharePoint: Technical Root Cause

SharePoint Server processes .NET serialized objects as part of its workflow engine and API functionality. CVE-2024-38094 involves unsafe deserialization of attacker-controlled data in SharePoint's server-side processing, reachable by an authenticated user with Site Owner permissions.

.NET deserialization attacks exploit gadget chains, sequences of existing .NET classes that, when deserialized in a specific order, execute arbitrary commands. SharePoint's IIS-hosted application pool context means the resulting execution carries the permissions of the SharePoint application pool account, which is typically highly privileged within Active Directory.

Microsoft's advisory describes the vulnerability as requiring network access and Site Owner authentication but granting code execution on the server, a description consistent with a deserialization gadget chain reachable through SharePoint's API surface.

The Privilege Chaining Problem

The CVSS 7.2 score reflects the authentication barrier, but that barrier was bypassed in the wild by chaining with CVE-2024-38023, a second SharePoint vulnerability in the same July 2024 patch cycle that allowed privilege escalation to Site Owner from lower permission levels.

The combined chain:

  1. Attacker compromises any account with basic SharePoint access (common through phishing)
  2. CVE-2024-38023 escalates that access to Site Owner
  3. CVE-2024-38094 achieves RCE on the SharePoint server as the IIS app pool identity
  4. The SharePoint server's AD integration and service account privileges enable lateral movement
  5. Domain Admin credentials extracted via credential dumping on the domain-joined server

This pattern, two moderate-severity authenticated vulnerabilities chained to achieve domain compromise, highlights why patch velocity for enterprise collaboration platforms must match that applied to network perimeter devices.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Attack Chain

Full exploitation sequence from initial access to domain compromise:

1

Initial Credential Compromise

Attacker obtains SharePoint credentials via phishing, credential stuffing, or a prior compromise, any account with SharePoint access is sufficient as a starting point.

2

Privilege Escalation to Site Owner (CVE-2024-38023)

Using the lower-privilege account, attacker exploits CVE-2024-38023 to escalate permissions to Site Owner level within a SharePoint site collection.

3

Deserialization RCE (CVE-2024-38094)

With Site Owner access, attacker sends crafted API request containing a malicious .NET serialized object. SharePoint deserializes it and executes attacker code as the IIS application pool identity.

4

Credential Harvesting on SharePoint Server

Code execution on the domain-joined SharePoint server enables credential dumping via LSASS access or other techniques, targeting the privileged service accounts SharePoint uses.

5

Domain Compromise and Lateral Movement

Harvested domain credentials enable full Active Directory compromise and unrestricted lateral movement across the organization's network.

Detection

Indicators for CVE-2024-38094 exploitation:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Priority steps:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-38094 illustrates why CVSS scores are a floor, not a ceiling, for risk assessment. A 7.2 'High' vulnerability in SharePoint, AD-integrated, service-account-privileged, domain-joined infrastructure, chains trivially to domain compromise when combined with a second moderate vulnerability. Enterprise collaboration platforms deserve the same patch urgency applied to network perimeter devices. The October 2024 CISA KEV addition confirms this is not a theoretical concern.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Does CVE-2024-38094 affect SharePoint Online (Microsoft 365)?

No. CVE-2024-38094 only affects on-premises SharePoint Server installations (2016, 2019, Subscription Edition). SharePoint Online is a cloud service managed by Microsoft that runs a different code base and is not affected.

Why is the CVSS score 7.2 if the real-world impact is domain compromise?

The CVSS 7.2 score reflects the authentication requirement (Site Owner) which reduces the base score compared to unauthenticated vulnerabilities. CVSS scores measure the vulnerability in isolation, they do not capture chaining with privilege escalation or the elevated real-world impact of compromising SharePoint's AD-integrated server context. Always evaluate vulnerabilities in context, not CVSS score alone.

What other CVEs were chained with CVE-2024-38094 in the wild?

Attackers chained CVE-2024-38094 with CVE-2024-38023, a SharePoint privilege escalation vulnerability patched in the same July 2024 update cycle. CVE-2024-38023 allowed escalation to Site Owner level from lower permissions, completing a chain from lower-privilege access to RCE to domain compromise.

How does unsafe .NET deserialization lead to code execution in SharePoint?

Unsafe .NET deserialization exploits the fact that reconstructing a .NET object from serialized data can trigger arbitrary code execution through gadget chains, sequences of existing .NET classes that, when instantiated or invoked during deserialization, produce a chain of method calls leading to OS command execution. Tools like ysoserial.net enumerate known .NET gadget chains (such as those involving ObjectDataProvider, TypeConfuseDelegate, and WindowsIdentity) that work in specific .NET framework contexts. When SharePoint deserializes attacker-controlled data containing such a gadget chain, the deserialization process itself executes the injected commands as the IIS application pool identity without any additional interaction.

Why does SharePoint's Active Directory integration make this RCE especially dangerous?

SharePoint Server is deeply integrated with Active Directory: it runs under a domain service account, uses AD for user authentication and authorization, and the IIS application pool account typically has read access to broad AD objects and, in many deployments, is granted elevated permissions like 'Manage Lists' or even local admin rights on the server. Code execution under the SharePoint service account context provides immediate access to AD enumeration, and the domain-joined SharePoint server's OS-level access enables credential dumping techniques targeting LSASS, which stores cached Kerberos tickets and NTLM credential material for domain accounts that have recently authenticated. This is the path from SharePoint RCE to domain compromise in the observed attack chain.

Should organizations prioritize CVE-2024-38094 patching even with its CVSS 7.2 score?

Yes. The CVSS 7.2 score reflects only the isolated authentication requirement and does not capture the real-world chained impact. CVSS scores measure a vulnerability in isolation; they cannot account for how it combines with other vulnerabilities or how the target system's AD-integrated, privileged position amplifies the blast radius. CISA's October 2024 addition to the [Known Exploited Vulnerabilities catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) confirms active ransomware exploitation, which is the operationally relevant risk signal. SharePoint Server patches should receive the same urgency as network perimeter device patches given its AD integration and service account privileges.

Sources & references

  1. Microsoft Security Update Guide, CVE-2024-38094
  2. CISA Known Exploited Vulnerabilities Catalog
  3. Rapid7, CVE-2024-38094 Exploited in the Wild

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.