Critical SharePoint RCE Vulnerability Exploited via Malicious XML in Web Part
A severe remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint that allows attackers to execute arbitrary code through malicious XML content embedded within web parts.
According to the report that disclosed it, the vulnerability lies in the deserialization of web part properties and represents a significant security risk for organizations running unpatched SharePoint installations.
Technical Details of the Vulnerability
The vulnerability originates in SharePoint’s web part control parsing process, specifically within the Microsoft.SharePoint.WebPartPages.WebPart.AddParsedSubObject() method.
The attack vector begins when the system processes XML content within web part controls, triggering a dangerous deserialization chain that ultimately leads to remote code execution.
The exploitation path follows a predictable sequence through SharePoint’s internal architecture. When a web part contains XML content, the AddParsedSubObject() method processes LiteralControl text and parses it as XML.
This parsed content then undergoes deserialization through WebPart.ParseXml(), which utilizes XmlSerializer to reconstruct the web part object before executing post-deserialization tasks.
The critical weakness lies in the WebPart.GetAttachedProperties() method, where SharePoint deserializes the _serializedAttachedPropertiesShared field using the SPObjectStateFormatter class.
This formatter, which serves as SharePoint’s version of ObjectStateFormatter, eventually employs BinaryFormatter for deserialization operations.
The vulnerability becomes exploitable through SharePoint’s SPSerializationBinder, which permits binary deserialization of any class listed in SafeControls.
Attackers can leverage the Microsoft.SharePoint.ApplicationPages.SPThemes class: it derives from DataSet and so inherits DataSet's serialization constructor, a known BinaryFormatter gadget, while carrying a SharePoint type name that the binder's SafeControls check lets through. That combination makes it an ideal gadget for exploitation.
To weaponize this vulnerability, attackers create malicious web parts containing specially crafted XML with embedded serialized payloads in the AttachedPropertiesShared element.
The malicious web part structure includes a base64-encoded payload that, when processed by SharePoint’s deserialization mechanisms, triggers arbitrary code execution.
Attack Vector and Impact
The vulnerable code is reachable through multiple endpoints, including the /_vti_bin/webpartpages.asmx web service, whose ConvertWebPartFormat SOAP action accepts web part XML in the request body.
Attackers can submit the malicious XML in an HTTP POST request, so exploitation is remote and does not require authenticated access to the SharePoint administration interfaces.
The impact of successful exploitation is severe, as it grants attackers complete control over the affected SharePoint server.
This includes the ability to access sensitive corporate data, modify SharePoint configurations, and potentially pivot to other systems within the network infrastructure.
The vulnerability has been reportedly patched in recent SharePoint updates, though the specific CVE identifier and affected version ranges remain unclear.
Organizations should update their SharePoint installations to the latest available versions immediately and add network-level protections that restrict who can reach SharePoint web services such as the /_vti_bin/ endpoints.
Regular security assessments and monitoring for suspicious web part modifications are also recommended as part of a comprehensive security strategy.
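To make the web part structure from the Technical Details section concrete and to give the monitoring recommendation above something to run, here is an added detection example written for this page (it is not code from the report or from SharePoint). It pulls the web part XML out of a captured ConvertWebPartFormat request body, base64-decodes each AttachedPropertiesShared element and checks the bytes for the ObjectStateFormatter binary-serialized token, a BinaryFormatter stream header and the SPThemes/DataSet type names. Assumptions: SPObjectStateFormatter is taken to share ObjectStateFormatter's wire format (0xFF 0x01 header, token 50 for a BinaryFormatter value, 7-bit length prefix); the inputFormat element name, the web part and SOAP fixtures and the sample blob (header bytes plus a type name, not a working gadget) are constructed here.

```python
"""Scan SharePoint web part XML for serialized blobs in AttachedPropertiesShared.

Added detection example; not code from the cited report or from SharePoint.
Assumption: SPObjectStateFormatter output shares the ObjectStateFormatter
wire format (0xFF 0x01 header, token 50 = BinaryFormatter value, 7-bit length).
"""
import base64
import binascii
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input
from xml.sax.saxutils import escape

OSF_MARKER_FORMAT = 0xFF          # ObjectStateFormatter.Marker_Format
OSF_MARKER_VERSION = 0x01         # ObjectStateFormatter.Marker_Version_1
OSF_TOKEN_BINARY_SERIALIZED = 50  # ObjectStateFormatter.Token_BinarySerialized
# BinaryFormatter SerializationHeaderRecord: type 0, root id 1, header id -1, v1.0
BF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
GADGET_TYPE_NAMES = (b"Microsoft.SharePoint.ApplicationPages.SPThemes", b"System.Data.DataSet")


def read_7bit_int(buf, pos):
    """Decode a .NET BinaryWriter 7-bit encoded int at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while shift <= 28:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("7-bit int too long")


def inspect_blob(blob):
    """Findings for one decoded AttachedPropertiesShared value (empty list = nothing seen)."""
    findings = []
    if len(blob) < 3 or blob[0] != OSF_MARKER_FORMAT or blob[1] != OSF_MARKER_VERSION:
        return findings
    if blob[2] != OSF_TOKEN_BINARY_SERIALIZED:
        return findings  # other OSF tokens (ints, strings, pairs...) never reach BinaryFormatter
    findings.append("OSF token 50: value is a BinaryFormatter blob")
    try:
        length, pos = read_7bit_int(blob, 3)
    except (IndexError, ValueError):
        return findings + ["truncated length prefix"]
    inner = blob[pos:pos + length]
    if inner.startswith(BF_HEADER):
        findings.append("BinaryFormatter SerializationHeaderRecord present")
    for name in GADGET_TYPE_NAMES:
        if name in inner:
            findings.append("type name in stream: " + name.decode())
    return findings


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace


def scan_webpart_xml(xml_text):
    """One findings list per AttachedPropertiesShared element in a web part definition."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "AttachedPropertiesShared":
            continue
        try:
            results.append(inspect_blob(base64.b64decode((el.text or "").strip(), validate=True)))
        except binascii.Error:
            results.append(["AttachedPropertiesShared is not valid base64"])
    return results


def webparts_from_soap(body):
    """Web part XML strings carried in a ConvertWebPartFormat body (inputFormat name assumed)."""
    return [el.text for el in ET.fromstring(body).iter() if _local(el.tag) == "inputFormat" and el.text]


def scan_request(body):
    """Flatten findings across every web part carried in one captured request body."""
    return [f for wp in webparts_from_soap(body) for f in scan_webpart_xml(wp)]


# ---- constructed fixtures (not real traffic, not a working payload) ----
def _7bit(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

# BF header followed by one length-prefixed type name; a real stream carries full records.
_INNER = BF_HEADER + b"\x2e" + b"Microsoft.SharePoint.ApplicationPages.SPThemes"
SUSPICIOUS_BLOB = bytes([OSF_MARKER_FORMAT, OSF_MARKER_VERSION, OSF_TOKEN_BINARY_SERIALIZED]) + _7bit(len(_INNER)) + _INNER
BENIGN_BLOB = bytes([OSF_MARKER_FORMAT, OSF_MARKER_VERSION, 100])  # Token_Null (assumed value 100)

WEBPART_TEMPLATE = """<WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
  <TypeName>Microsoft.SharePoint.WebPartPages.ContentEditorWebPart</TypeName>
  <AttachedPropertiesShared>{}</AttachedPropertiesShared>
</WebPart>"""
SOAP_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages">
<inputFormat>{}</inputFormat><formatConversionOption>0</formatConversionOption>
</ConvertWebPartFormat></soap:Body></soap:Envelope>"""


def build_request(blob):
    """Wrap a blob in a web part definition and that in a SOAP body, as a captured POST would carry it."""
    return SOAP_TEMPLATE.format(escape(WEBPART_TEMPLATE.format(base64.b64encode(blob).decode())))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("suspicious", SUSPICIOUS_BLOB)):
        print(label, scan_request(build_request(blob)))
```

Feed it request bodies captured by a reverse proxy or WAF in front of /_vti_bin/, or exported .webpart/.dwp files from site content. Token 50 on its own is worth a look, since legitimate attached properties are normally simple ObjectStateFormatter values; token 50 together with a DataSet-derived type name is a strong signal. Because the input is attacker-controlled XML, a production version should parse with defusedxml rather than the stock ElementTree used here for portability.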