Impact
Deserialization of untrusted data in Microsoft Office SharePoint enables an authorized attacker to execute code over the network. The flaw maps to CWE-502, indicating unsafe deserialization of external data. The consequence is a full compromise of the SharePoint server, allowing the attacker to run arbitrary code with the privileges of the executing account.
Affected Systems
Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. Version details are not supplied, so it is unclear whether the vulnerability is limited to specific releases.
Risk and Exploitability
The vulnerability carries a high severity CVSS score of 8.8. The EPSS score of 3 % (≈0.03) indicates a low exploitation probability. The vulnerability was recently added to the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is an authenticated SharePoint user who uploads or manipulates data that will be deserialized by the server. An attacker could therefore immediately gain code execution on the SharePoint web server or services running under its context.
OpenCVE Enrichment