{"id":19696,"date":"2025-04-08T11:19:40","date_gmt":"2025-04-08T11:19:40","guid":{"rendered":""},"modified":"2025-08-31T02:30:45","modified_gmt":"2025-08-31T08:30:45","slug":"cve-2024-21318-remote-code-execution-in-microsoft-sharepoint-server-via-deserialization","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-21318-remote-code-execution-in-microsoft-sharepoint-server-via-deserialization\/","title":{"rendered":"CVE-2024-21318: Remote Code Execution in Microsoft SharePoint Server via Deserialization"},"content":{"rendered":"<p class=\"\" data-start=\"94\" data-end=\"119\"><strong data-start=\"94\" data-end=\"119\">Vulnerability Summary<\/strong><\/p>\n<ul data-start=\"121\" data-end=\"356\">\n<li class=\"\" data-start=\"121\" data-end=\"151\">\n<p class=\"\" data-start=\"123\" data-end=\"151\"><strong data-start=\"123\" data-end=\"134\">CVE ID:<\/strong> CVE-2024-21318<\/p>\n<\/li>\n<li class=\"\" data-start=\"152\" data-end=\"192\">\n<p class=\"\" data-start=\"154\" data-end=\"192\"><strong data-start=\"154\" data-end=\"167\">Severity:<\/strong> High (CVSS Score: 8.8)<\/p>\n<\/li>\n<li class=\"\" data-start=\"193\" data-end=\"223\">\n<p class=\"\" data-start=\"195\" data-end=\"223\"><strong data-start=\"195\" data-end=\"213\"><\/strong><a href=\"https:\/\/www.ameeba.com\/blog\/local-hospital-network-grapples-with-major-tech-outage-a-cybersecurity-attack-case-study\/\"  data-wpil-monitor-id=\"76265\">Attack Vector: Network<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"224\" data-end=\"281\">\n<p class=\"\" data-start=\"226\" data-end=\"281\"><strong data-start=\"226\" data-end=\"250\">Privileges Required:<\/strong> Low (Site Owner permissions)<\/p>\n<\/li>\n<li class=\"\" data-start=\"282\" data-end=\"312\">\n<p class=\"\" data-start=\"284\" data-end=\"312\"><strong data-start=\"284\" data-end=\"305\">User Interaction:<\/strong> None<\/p>\n<\/li>\n<li class=\"\" data-start=\"313\" data-end=\"356\">\n<p class=\"\" data-start=\"315\" data-end=\"356\"><strong data-start=\"315\" data-end=\"326\">Impact:<\/strong> <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-29048-remote-code-execution-via-oxmf-template-injection-in-open-xchange-app-suite\/\"  data-wpil-monitor-id=\"24539\">Remote Code Execution<\/a> (RCE)<\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"358\" data-end=\"379\"><strong data-start=\"358\" data-end=\"379\">Affected Products<\/strong><\/p>\n<div class=\"pointer-events-none relative left-[50%] flex w-[100cqw] translate-x-[-50%] justify-center *:pointer-events-auto\">\n<div class=\"tableContainer horzScrollShadows\">\n<table class=\"min-w-full\" data-start=\"381\" data-end=\"629\">\n<thead data-start=\"381\" data-end=\"410\">\n<tr data-start=\"381\" data-end=\"410\">\n<th data-start=\"381\" data-end=\"389\">Product<\/th>\n<th data-start=\"389\" data-end=\"410\">Affected Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody data-start=\"442\" data-end=\"629\">\n<tr data-start=\"442\" data-end=\"508\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"442\" data-end=\"481\">SharePoint Server Subscription Edition<\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"481\" data-end=\"508\">Before Jan 2024 updates<\/td>\n<\/tr>\n<tr data-start=\"509\" data-end=\"559\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"509\" data-end=\"532\">SharePoint Server 2019<\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"532\" data-end=\"559\">Before Jan 2024 updates<\/td>\n<\/tr>\n<tr data-start=\"560\" data-end=\"629\">\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)] min-w-[calc(var(--thread-content-max-width)\/3)]\" data-start=\"560\" data-end=\"602\">SharePoint Server 2016 <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-30749-oracle-java-se-and-graalvm-enterprise-edition-high-risk-vulnerability\/\"  data-wpil-monitor-id=\"76264\">Enterprise Edition<\/a><\/td>\n<td class=\"max-w-[calc(var(--thread-content-max-width)*2\/3)]\" data-start=\"602\" data-end=\"629\">Before Jan 2024 updates<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p class=\"\" data-start=\"631\" data-end=\"656\"><strong data-start=\"631\" data-end=\"656\">How the Exploit Works<\/strong><\/p>\n<p class=\"\" data-start=\"658\" data-end=\"1107\">CVE-2024-21318 is a remote code execution <a class=\"wpil_keyword_link\" href=\"https:\/\/ameeba.com\"   title=\"vulnerability\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24324\">vulnerability<\/a> in Microsoft SharePoint Server. The flaw stems from improper <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-32569-critical-deserialization-of-untrusted-data-vulnerability-in-tableon-wordpress-plugin\/\"  data-wpil-monitor-id=\"32314\">deserialization of untrusted data<\/a> (CWE-502), which can occur when a Site Owner sends specially crafted input to a vulnerable API endpoint. If processed without sufficient validation, this input can trigger deserialization of malicious objects, leading to arbitrary <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-22937-critical-remote-code-execution-vulnerability\/\"  data-wpil-monitor-id=\"24866\">code execution<\/a> under the context of the SharePoint service process.<\/p>\n<p class=\"\" data-start=\"1109\" data-end=\"1136\"><strong data-start=\"1109\" data-end=\"1136\">Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3765650290\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p class=\"\" data-start=\"1138\" data-end=\"1264\">A hypothetical exploit could look like this, illustrating how a malicious <a class=\"wpil_keyword_link\" href=\"https:\/\/www.ameeba.com\"   title=\"payload\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24323\">payload<\/a> might be injected into a SharePoint request:<\/p>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"\" data-line=\"\">POST \/_layouts\/15\/ProcessBatchData.aspx HTTP\/1.1<br \/>\nHost: vulnerable-sharepoint.local<br \/>\nContent-Type: application\/xml<\/p>\n<p>&lt;Batch&gt;<br \/>\n  &lt;Method ID=&quot;1&quot; Cmd=&quot;New&quot;&gt;<br \/>\n    &lt;Field Name=&quot;ID&quot;&gt;1&lt;\/Field&gt;<br \/>\n    &lt;Field Name=&quot;Title&quot;&gt;Exploit&lt;\/Field&gt;<br \/>\n    &lt;Field Name=&quot;Payload&quot;&gt;&lt;![CDATA[&lt;malicious_serialized_object&gt;]]&gt;&lt;\/Field&gt;<br \/>\n  &lt;\/Method&gt;<br \/>\n&lt;\/Batch&gt;<br \/>\n<\/code><\/div>\n<\/div>\n<p class=\"\" data-start=\"1597\" data-end=\"1733\">The <code class=\"\" data-line=\"\">Payload<\/code> field here is assumed to contain a serialized object designed to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-52030-critical-remote-code-execution-vulnerability-in-totolink-a3700r\/\"  data-wpil-monitor-id=\"25057\">execute code<\/a> when deserialized improperly by the backend.<\/p>\n<p class=\"\" data-start=\"1735\" data-end=\"1754\"><strong data-start=\"1735\" data-end=\"1754\">Potential Risks<\/strong><\/p>\n<ul data-start=\"1756\" data-end=\"1951\">\n<li class=\"\" data-start=\"1756\" data-end=\"1812\">\n<p class=\"\" data-start=\"1758\" data-end=\"1812\"><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-39336-a-deep-dive-into-the-remote-code-execution-vulnerability\/\"  data-wpil-monitor-id=\"25317\">Execution of arbitrary code<\/a> on the SharePoint Server<\/p>\n<\/li>\n<li class=\"\" data-start=\"1813\" data-end=\"1861\">\n<p class=\"\" data-start=\"1815\" data-end=\"1861\">Lateral movement within the internal network<\/p>\n<\/li>\n<li class=\"\" data-start=\"1862\" data-end=\"1900\">\n<p class=\"\" data-start=\"1864\" data-end=\"1900\"><a href=\"https:\/\/www.ameeba.com\/blog\/doge-s-access-to-federal-data-a-cybersecurity-concern\/\"  data-wpil-monitor-id=\"38426\">Access to sensitive corporate data<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"1901\" data-end=\"1951\">\n<p class=\"\" data-start=\"1903\" data-end=\"1951\">Service disruption and possible <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-50930-cross-site-request-forgery-csrf-in-savignano-s-notify-leading-to-configuration-tampering-and-potential-data-leakage\/\"  data-wpil-monitor-id=\"32030\">data tampering<\/a><\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"1953\" data-end=\"1983\"><strong data-start=\"1953\" data-end=\"1983\">Mitigation Recommendations<\/strong><\/p>\n<ul data-start=\"1985\" data-end=\"2479\">\n<li class=\"\" data-start=\"1985\" data-end=\"2137\">\n<p class=\"\" data-start=\"1987\" data-end=\"2019\"><strong data-start=\"1987\" data-end=\"2017\">Apply Updates Immediately:<\/strong><\/p>\n<ul data-start=\"2022\" data-end=\"2137\">\n<li class=\"\" data-start=\"2022\" data-end=\"2057\">\n<p class=\"\" data-start=\"2024\" data-end=\"2057\">SharePoint Server SE: KB5002540<\/p>\n<\/li>\n<li class=\"\" data-start=\"2060\" data-end=\"2097\">\n<p class=\"\" data-start=\"2062\" data-end=\"2097\">SharePoint Server 2019: KB5002539<\/p>\n<\/li>\n<li class=\"\" data-start=\"2100\" data-end=\"2137\">\n<p class=\"\" data-start=\"2102\" data-end=\"2137\">SharePoint Server 2016: KB5002541<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li class=\"\" data-start=\"2139\" data-end=\"2244\">\n<p class=\"\" data-start=\"2141\" data-end=\"2244\"><strong data-start=\"2141\" data-end=\"2177\">Restrict Site Owner Permissions:<\/strong> Only assign elevated SharePoint <a href=\"https:\/\/www.ameeba.com\/blog\/the-ai-battle-in-cybersecurity-the-paramount-role-of-trust-as-a-defense-system\/\"  data-wpil-monitor-id=\"25195\">roles to trusted<\/a> administrators.<\/p>\n<\/li>\n<li class=\"\" data-start=\"2245\" data-end=\"2372\">\n<p class=\"\" data-start=\"2247\" data-end=\"2372\"><strong data-start=\"2247\" data-end=\"2272\">Segment Your Network:<\/strong> Ensure <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-31214-a-critical-network-traffic-interception-vulnerability-in-ios-and-ipados\/\"  data-wpil-monitor-id=\"76266\">SharePoint<\/a> systems are isolated from external exposure and monitored for abnormal traffic.<\/p>\n<\/li>\n<li class=\"\" data-start=\"2373\" data-end=\"2479\">\n<p class=\"\" data-start=\"2375\" data-end=\"2479\"><strong data-start=\"2375\" data-end=\"2402\">Audit and Monitor Logs:<\/strong> Look for suspicious activity, especially new or unexpected batch requests.<\/p>\n<\/li>\n<\/ul>\n<p class=\"\" data-start=\"2481\" data-end=\"2495\"><strong data-start=\"2481\" data-end=\"2495\">Conclusion<\/strong><\/p>\n<p class=\"\" data-start=\"2497\" data-end=\"2888\">CVE-2024-21318 <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-23176-sql-injection-vulnerability-poses-serious-threat-to-data-security\/\"  data-wpil-monitor-id=\"39960\">poses a serious threat<\/a> to organizations relying on Microsoft SharePoint for collaboration and document management. While the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-40250-critical-authentication-bypass-vulnerability-in-web-applications\/\"  data-wpil-monitor-id=\"26473\">vulnerability requires authenticated<\/a> access with Site Owner permissions, exploitation can lead to full system compromise. Administrators should apply patches released in January 2024 and implement <a class=\"wpil_keyword_link\" href=\"https:\/\/chat.ameeba.com\"   title=\"security\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"24325\">security<\/a> best practices to defend against this vector.<\/p>\n<p class=\"\" data-start=\"2890\" data-end=\"2904\"><strong data-start=\"2890\" data-end=\"2904\">References<\/strong><\/p>\n<ul data-start=\"2906\" data-end=\"3265\">\n<li class=\"\" data-start=\"2906\" data-end=\"3015\">\n<p class=\"\" data-start=\"2908\" data-end=\"3015\"><a class=\"\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-21318\" target=\"_new\" rel=\"noopener\" data-start=\"2908\" data-end=\"3013\">Microsoft CVE-2024-21318 Advisory<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3016\" data-end=\"3099\">\n<p class=\"\" data-start=\"3018\" data-end=\"3099\"><a class=\"\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21318\" target=\"_new\" rel=\"noopener\" data-start=\"3018\" data-end=\"3097\">NVD Entry for CVE-2024-21318<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3100\" data-end=\"3198\">\n<p class=\"\" data-start=\"3102\" data-end=\"3198\"><a target=\"_new\" rel=\"noopener\" data-start=\"3102\" data-end=\"3196\">Rapid7 Report<\/a><\/p>\n<\/li>\n<li class=\"\" data-start=\"3199\" data-end=\"3265\">\n<p class=\"\" data-start=\"3201\" data-end=\"3265\"><a target=\"_new\" rel=\"noopener\" data-start=\"3201\" data-end=\"3263\">Tenable Analysis<\/a><\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Summary CVE ID: CVE-2024-21318 Severity: High (CVSS Score: 8.8) Attack Vector: Network Privileges Required: Low (Site Owner permissions) User Interaction: None Impact: Remote Code Execution (RCE) Affected Products Product Affected Versions SharePoint Server Subscription Edition Before Jan 2024 updates SharePoint Server 2019 Before Jan 2024 updates SharePoint Server 2016 Enterprise Edition Before Jan 2024 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[82],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-19696","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-microsoft","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=19696"}],"version-history":[{"count":22,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696\/revisions"}],"predecessor-version":[{"id":68728,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/19696\/revisions\/68728"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=19696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=19696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=19696"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=19696"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=19696"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=19696"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=19696"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=19696"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=19696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}