{"id":19696,"date":"2025-04-08T11:19:40","date_gmt":"2025-04-08T11:19:40","guid":{"rendered":""},"modified":"2025-08-31T02:30:45","modified_gmt":"2025-08-31T08:30:45","slug":"cve-2024-21318-remote-code-execution-in-microsoft-sharepoint-server-via-deserialization","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-21318-remote-code-execution-in-microsoft-sharepoint-server-via-deserialization\/","title":{"rendered":"CVE-2024-21318: Remote Code Execution in Microsoft SharePoint Server via Deserialization"},"content":{"rendered":"<p class=\"\" data-start=\"94\" data-end=\"119\"><strong data-start=\"94\" data-end=\"119\">Vulnerability Summary<\/strong><\/p>\n<ul data-start=\"121\" data-end=\"356\">\n<li class=\"\" data-start=\"121\" data-end=\"151\">\n<p class=\"\" data-start=\"123\" data-end=\"151\"><strong data-start=\"123\" data-end=\"134\">CVE ID:<\/strong> CVE-2024-21318<\/p>\n<\/li>\n<li class=\"\" data-start=\"152\" data-end=\"192\">\n<p class=\"\" data-start=\"154\" data-end=\"192\"><strong data-start=\"154\" data-end=\"167\">Severity:<\/strong> High (CVSS Score: 8.8)<\/p>\n<\/li>\n<li class=\"\" data-start=\"193\" data-end=\"223\">\n<p class=\"\" data-start=\"195\" data-end=\"223\"><strong data-start=\"195\" data-end=\"213\">Attack Vector:<\/strong> Network<\/p>\n<\/li>\n<li class=\"\" data-start=\"224\" data-end=\"281\">\n<p class=\"\" data-start=\"226\" data-end=\"281\"><strong data-start=\"226\" data-end=\"250\">Privileges Required:<\/strong> Low (Site Owner permissions)<\/p>\n<\/li>\n<li class=\"\" data-start=\"282\" data-end=\"312\">\n<p class=\"\" data-start=\"284\" data-end=\"312\"><strong data-start=\"284\" data-end=\"305\">User Interaction:<\/strong> None<\/p>\n<\/li>\n<li class=\"\" data-start=\"313\" data-end=\"356\">\n<p class=\"\" 
data-end=\"356\"><strong data-start=\"315\" data-end=\"326\">Impact:<\/strong> <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-29048-remote-code-execution-via-oxmf-template-injection-in-open-xchange-app-suite\/\"  data-wpil-monitor-id=\"24539\">Remote Code Execution<\/a> (RCE)<\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"358\" data-end=\"379\"><strong data-start=\"358\" data-end=\"379\">Affected Products<\/strong><\/p>\n<div class=\"pointer-events-none relative left-[50%] flex w-[100cqw] translate-x-[-50%] justify-center *:pointer-events-auto\">\n<div class=\"tableContainer horzScrollShadows\">\n<table class=\"min-w-full\" data-start=\"381\" data-end=\"629\">\n<thead data-start=\"381\" data-end=\"410\">\n<tr data-start=\"381\" data-end=\"410\">\n<th data-start=\"381\" data-end=\"389\">Product<\/th>\n<th data-start=\"389\" data-end=\"410\">Affected Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody data-start=\"442\" data-end=\"629\">\n<tr data-start=\"442\" data-end=\"508\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"442\" data-end=\"481\">SharePoint Server Subscription Edition<\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"481\" data-end=\"508\">Before Jan 2024 updates<\/td>\n<\/tr>\n<tr data-start=\"509\" data-end=\"559\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"509\" data-end=\"532\">SharePoint Server 2019<\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"532\" data-end=\"559\">Before Jan 2024 updates<\/td>\n<\/tr>\n<tr data-start=\"560\" data-end=\"629\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)] min-w-[calc(var(--thread-content-max-width)\/3)]\" data-start=\"560\" data-end=\"602\">SharePoint Server 2016 <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-30749-oracle-java-se-and-graalvm-enterprise-edition-high-risk-vulnerability\/\"  data-wpil-monitor-id=\"76264\">Enterprise 
Edition<\/a><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"602\" data-end=\"629\">Before Jan 2024 updates<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p class=\"\" data-start=\"631\" data-end=\"656\"><strong data-start=\"631\" data-end=\"656\">How the Exploit Works<\/strong><\/p>\n<p class=\"\" data-start=\"658\" data-end=\"1107\">CVE-2024-21318 is a remote code execution <a class=\"wpil_keyword_link\" href=\"https:\/\/ameeba.com\"   title=\"vulnerability\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24324\">vulnerability<\/a> in Microsoft SharePoint Server. The flaw stems from improper <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-32569-critical-deserialization-of-untrusted-data-vulnerability-in-tableon-wordpress-plugin\/\"  data-wpil-monitor-id=\"32314\">deserialization of untrusted data<\/a> (CWE-502), which can occur when a Site Owner sends specially crafted input to a vulnerable API endpoint. 
If processed without sufficient validation, this input can trigger deserialization of malicious objects, leading to arbitrary <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-22937-critical-remote-code-execution-vulnerability\/\"  data-wpil-monitor-id=\"24866\">code execution<\/a> under the context of the SharePoint service process.<\/p>\n<p class=\"\" data-start=\"1109\" data-end=\"1136\"><strong data-start=\"1109\" data-end=\"1136\">Conceptual Example Code<\/strong><\/p>\n<p class=\"\" 
data-start=\"1138\" data-end=\"1264\">A hypothetical exploit could look like this, illustrating how a malicious <a class=\"wpil_keyword_link\" href=\"https:\/\/www.ameeba.com\"   title=\"payload\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24323\">payload<\/a> might be injected into a SharePoint request:<\/p>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"\" data-line=\"\">POST \/_layouts\/15\/ProcessBatchData.aspx HTTP\/1.1<br \/>\nHost: vulnerable-sharepoint.local<br \/>\nContent-Type: application\/xml<br \/>\n<br \/>\n&lt;Batch&gt;<br \/>\n  &lt;Method ID=&quot;1&quot; Cmd=&quot;New&quot;&gt;<br \/>\n    &lt;Field Name=&quot;ID&quot;&gt;1&lt;\/Field&gt;<br \/>\n    &lt;Field Name=&quot;Title&quot;&gt;Exploit&lt;\/Field&gt;<br \/>\n    &lt;Field Name=&quot;Payload&quot;&gt;&lt;![CDATA[&lt;malicious_serialized_object&gt;]]&gt;&lt;\/Field&gt;<br \/>\n  &lt;\/Method&gt;<br \/>\n&lt;\/Batch&gt;<br \/>\n<\/code><\/div>\n<\/div>\n<p class=\"\" data-start=\"1597\" data-end=\"1733\">The <code class=\"\" data-line=\"\">Payload<\/code> field here is assumed to contain a serialized object designed to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-52030-critical-remote-code-execution-vulnerability-in-totolink-a3700r\/\"  data-wpil-monitor-id=\"25057\">execute code<\/a> when deserialized improperly by the backend.<\/p>\n<p class=\"\" data-start=\"1735\" data-end=\"1754\"><strong data-start=\"1735\" data-end=\"1754\">Potential Risks<\/strong><\/p>\n<ul data-start=\"1756\" data-end=\"1951\">\n<li class=\"\" data-start=\"1756\" data-end=\"1812\">\n<p class=\"\" data-start=\"1758\" data-end=\"1812\"><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-39336-a-deep-dive-into-the-remote-code-execution-vulnerability\/\"  data-wpil-monitor-id=\"25317\">Execution of arbitrary code<\/a> on the SharePoint Server<\/p>\n<\/li>\n<li 
class=\"\" data-start=\"1813\" data-end=\"1861\">\n<p class=\"\" data-start=\"1815\" data-end=\"1861\">Lateral movement within the internal network<\/p>\n<\/li>\n<li class=\"\" data-start=\"1862\" data-end=\"1900\">\n<p class=\"\" data-start=\"1864\" data-end=\"1900\"><a href=\"https:\/\/www.ameeba.com\/blog\/doge-s-access-to-federal-data-a-cybersecurity-concern\/\"  data-wpil-monitor-id=\"38426\">Access to sensitive corporate data<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"1901\" data-end=\"1951\">\n<p class=\"\" data-start=\"1903\" data-end=\"1951\">Service disruption and possible <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-50930-cross-site-request-forgery-csrf-in-savignano-s-notify-leading-to-configuration-tampering-and-potential-data-leakage\/\"  data-wpil-monitor-id=\"32030\">data tampering<\/a><\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"1953\" data-end=\"1983\"><strong data-start=\"1953\" data-end=\"1983\">Mitigation Recommendations<\/strong><\/p>\n<ul data-start=\"1985\" data-end=\"2479\">\n<li class=\"\" data-start=\"1985\" data-end=\"2137\">\n<p class=\"\" data-start=\"1987\" data-end=\"2019\"><strong data-start=\"1987\" data-end=\"2017\">Apply Updates Immediately:<\/strong><\/p>\n<ul data-start=\"2022\" data-end=\"2137\">\n<li class=\"\" data-start=\"2022\" data-end=\"2057\">\n<p class=\"\" data-start=\"2024\" data-end=\"2057\">SharePoint Server SE: KB5002540<\/p>\n<\/li>\n<li class=\"\" data-start=\"2060\" data-end=\"2097\">\n<p class=\"\" data-start=\"2062\" data-end=\"2097\">SharePoint Server 2019: KB5002539<\/p>\n<\/li>\n<li class=\"\" data-start=\"2100\" data-end=\"2137\">\n<p class=\"\" data-start=\"2102\" data-end=\"2137\">SharePoint Server 2016: KB5002541<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"\" data-start=\"2139\" data-end=\"2244\">\n<p class=\"\" data-start=\"2141\" data-end=\"2244\"><strong data-start=\"2141\" data-end=\"2177\">Restrict Site Owner Permissions:<\/strong> Only assign elevated SharePoint <a 
href=\"https:\/\/www.ameeba.com\/blog\/the-ai-battle-in-cybersecurity-the-paramount-role-of-trust-as-a-defense-system\/\"  data-wpil-monitor-id=\"25195\">roles to trusted<\/a> administrators.<\/p>\n<\/li>\n<li class=\"\" data-start=\"2245\" data-end=\"2372\">\n<p class=\"\" data-start=\"2247\" data-end=\"2372\"><strong data-start=\"2247\" data-end=\"2272\">Segment Your Network:<\/strong> Ensure <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-31214-a-critical-network-traffic-interception-vulnerability-in-ios-and-ipados\/\"  data-wpil-monitor-id=\"76266\">SharePoint<\/a> systems are isolated from external exposure and monitored for abnormal traffic.<\/p>\n<\/li>\n<li class=\"\" data-start=\"2373\" data-end=\"2479\">\n<p class=\"\" data-start=\"2375\" data-end=\"2479\"><strong data-start=\"2375\" data-end=\"2402\">Audit and Monitor Logs:<\/strong> Look for suspicious activity, especially new or unexpected batch requests.<\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"2481\" data-end=\"2495\"><strong data-start=\"2481\" data-end=\"2495\">Conclusion<\/strong><\/p>\n<p class=\"\" data-start=\"2497\" data-end=\"2888\">CVE-2024-21318 <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-23176-sql-injection-vulnerability-poses-serious-threat-to-data-security\/\"  data-wpil-monitor-id=\"39960\">poses a serious threat<\/a> to organizations relying on Microsoft SharePoint for collaboration and document management. While the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-40250-critical-authentication-bypass-vulnerability-in-web-applications\/\"  data-wpil-monitor-id=\"26473\">vulnerability requires authenticated<\/a> access with Site Owner permissions, exploitation can lead to full system compromise. 
Administrators should apply patches released in January 2024 and implement <a class=\"wpil_keyword_link\" href=\"https:\/\/chat.ameeba.com\"   title=\"security\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24325\">security<\/a> best practices to defend against this vector.<\/p>\n<p class=\"\" data-start=\"2890\" data-end=\"2904\"><strong data-start=\"2890\" data-end=\"2904\">References<\/strong><\/p>\n<ul data-start=\"2906\" data-end=\"3265\">\n<li class=\"\" data-start=\"2906\" data-end=\"3015\">\n<p class=\"\" data-start=\"2908\" data-end=\"3015\"><a class=\"\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-21318\" target=\"_new\" rel=\"noopener\" data-start=\"2908\" data-end=\"3013\">Microsoft CVE-2024-21318 Advisory<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3016\" data-end=\"3099\">\n<p class=\"\" data-start=\"3018\" data-end=\"3099\"><a class=\"\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21318\" target=\"_new\" rel=\"noopener\" data-start=\"3018\" data-end=\"3097\">NVD Entry for CVE-2024-21318<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3100\" data-end=\"3198\">\n<p class=\"\" data-start=\"3102\" data-end=\"3198\"><a target=\"_new\" rel=\"noopener\" data-start=\"3102\" data-end=\"3196\">Rapid7 Report<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3199\" data-end=\"3265\">\n<p class=\"\" data-start=\"3201\" data-end=\"3265\"><a target=\"_new\" rel=\"noopener\" data-start=\"3201\" data-end=\"3263\">Tenable Analysis<\/a><\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Summary CVE ID: CVE-2024-21318 Severity: High (CVSS Score: 8.8) Attack Vector: Network Privileges Required: Low (Site Owner permissions) User Interaction: None Impact: Remote Code Execution (RCE) Affected Products Product Affected Versions SharePoint Server Subscription Edition Before Jan 2024 updates SharePoint Server 2019 Before Jan 2024 updates SharePoint Server 2016 Enterprise Edition Before Jan 
2024 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[82],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-19696","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-microsoft","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=19696"}],"version-history":[{"count":22,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696\/revisions"}],"predecessor-version":[{"id":68728,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696\/revisions\/68728"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=19696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=19696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=19696"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=19696"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=19696"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=19696"},{"taxonomy":"asset_type","embe
ddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=19696"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=19696"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=19696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}