1. Executive Summary
CVE-2024-38094 is a Microsoft SharePoint Server remote code execution (RCE) vulnerability rooted in unsafe deserialisation (CWE-502) and scored 7.2 (High) under CVSS v3.1 by Microsoft. (NVD) It was addressed in Microsoft’s 9 July 2024 security updates for on-prem SharePoint releases, and later appeared in CISA’s Known Exploited Vulnerabilities (KEV) feed via NVD’s KEV enrichment, indicating observed exploitation. (Microsoft’s July 9, 2024 SharePoint 2016 update note, NVD)
Although exploitation requires authenticated “Site Owner” permissions, incident reporting demonstrates that real-world adversaries have used it as a foothold in broader intrusions, including web shell deployment and lateral movement. (Rapid7 IR field report) For defenders, this is less a “single-bug” risk and more a path to domain-wide compromise when SharePoint is exposed and monitoring is weak.
2. Contextual Background
2.1 Nature of the threat
- Vulnerability type: Deserialisation of untrusted data → potential RCE in SharePoint Server context (CWE-502). (NVD)
- Severity: CVSS v3.1 7.2 High (vector shows high impact but requires privileges). (NVD)
- Vendor advisory: Microsoft advisory for CVE-2024-38094 and NVD.
2.2 Threat-actor attribution
At the time of writing, credible public reporting does not attribute exploitation of CVE-2024-38094 to a named threat actor. Rapid7 characterises the intruder as an unidentified attacker and focuses on observed tradecraft rather than attribution. Confidence: Confirmed (no attribution available in cited reporting). (Rapid7 IR field report)
2.3 Sector and geographic targeting
Public reporting suggests the risk is broad wherever on-prem SharePoint is deployed (often internet-facing for collaboration), rather than confined to a single sector. Rapid7’s case study highlights how SharePoint can become an entry point to a wider Windows domain compromise. (Rapid7 IR field report)
3. Technical Analysis
3.1 Vulnerability / TTP detail with MITRE ATT&CK mapping
Observed exploitation pattern (field reporting):
- Rapid7 identified suspicious SharePoint activity consistent with exploitation and captured specific HTTP requests targeting SharePoint endpoints, followed by post-exploitation and defence evasion behaviours. (Rapid7 IR field report)
Likely attack chain (based on cited incident observations):
- Initial access: Exploit of public-facing SharePoint → foothold. (T1190)
- Web shell / server-side persistence: server-side script dropped/used (Rapid7 references a crafted path consistent with web shell-like behaviour). (T1505.003)
- Credential access: Evidence of Mimikatz activity in Rapid7’s investigation. (T1003)
- Defence evasion: Installing a third-party AV that disrupts existing security tooling (“Impair Defences”). (T1562)
- Lateral movement tooling: Use of Impacket (noted by Rapid7) and subsequent domain compromise in the case study. (T1047 is commonly associated with remote execution paths, and T1021 for remote services; exact mechanisms vary by environment.)
- Command and Control: Rapid7 notes use of a Fast Reverse Proxy (FRP)-style proxying approach. (T1090)
Note: Where specific sub-techniques (e.g., exact lateral movement protocol) are not explicitly detailed in public reporting, mappings above stay at the higher technique level.
3.2 Exploitation status
- Patched: Microsoft shipped fixes as part of July 2024 Patch Tuesday for on-prem SharePoint, including SharePoint Server Subscription Edition and SharePoint Server 2016. (SharePoint Subscription Edition July 9, 2024 update note, SharePoint 2016 July 9, 2024 update note)
- Evidence of active exploitation: NVD’s record shows the CVE is included in CISA KEV with Date Added: 22 Oct 2024 and Due Date: 12 Nov 2024. (NVD)
- Tradecraft in the wild: Rapid7 documents a confirmed intrusion where they determined initial access via CVE-2024-38094, followed by two-week dwell time and domain-level impact. (Rapid7 IR field report)
- PoC availability: Reporting notes public PoC code exists (defenders should assume low barrier for opportunistic use). (The Hacker News coverage referencing PoC)
4. Impact Assessment
4.1 Severity and scope
- CVSS: 7.2 High (Microsoft CNA score). (NVD)
- Operational impact: Rapid7’s case shows the vulnerability can be a stepping stone to domain compromise, especially when combined with credential theft and impaired security tooling. (Rapid7 IR field report)
4.2 Victim profile
- Platforms: On-prem Microsoft SharePoint Server (Subscription Edition, 2016, and other supported versions addressed via July 2024 updates). (SharePoint Subscription Edition July 9, 2024 update note, SharePoint 2016 July 9, 2024 update note)
- Observed outcomes: Web-facing SharePoint as the apparent source of malicious activity and subsequent lateral movement. (Rapid7 IR field report)
5. Indicators of Compromise (IOCs)
5.1 IOC table
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| IP address | 18.195.61[.]200 | Rapid7 observed exploit-indicative SharePoint requests originating from this external IP | Rapid7 IR field report |
| HTTP request path | POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(...) | SharePoint client API request Rapid7 flagged as indicative of CVE-2024-38094 exploitation | Rapid7 IR field report |
| HTTP request path | POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx | Suspicious request path captured by Rapid7 during the compromise investigation | Rapid7 IR field report |
| File/service names (post-exploitation) | hrword install.bat, service sysdiag, driver sysdiag_win10.sys, HRSword.exe | Reported tooling used to install Huorong AV and disrupt security services (defence evasion) | BleepingComputer coverage |
Important: These IOCs come from a single publicly described incident and should be treated as lead indicators rather than exhaustive signatures.
5.2 Detection guidance
Log sources to prioritise
- IIS / SharePoint ULS logs, inetpub web logs, Windows Security event logs, and SharePoint application logs. Rapid7 specifically references reviewing the SharePoint inetpub logs to identify exploit-like requests. (Rapid7 IR field report)
Practical hunt ideas (adapt to your SIEM/EDR)
- Search for inbound POSTs to /_vti_bin/client.svc/ and /_vti_bin/DelveApi.ashx.
- Especially requests creating/adding files beneath BusinessDataMetadataCatalog, or unusual .aspx references such as ghostfile93.aspx (treat the filename as a case-specific IOC). (Rapid7 IR field report)
- Alert on SharePoint servers spawning unusual processes (e.g., Python installation activity and subsequent tooling pulls), and credential dumping indicators consistent with Mimikatz. (Rapid7 IR field report)
- Look for service creation and driver installs associated with the Huorong AV installation sequence described in reporting. (BleepingComputer coverage)
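The hunt ideas above turned into a runnable log check, as an added example that is not code from the Rapid7 report or from any vendor: it parses IIS W3C extended log lines, normalises case and percent-encoding in the request path, and flags the two request paths and the source IP listed in the IOC table. The log lines are constructed for illustration, and the add(...) arguments in the client.svc request are invented because the report elides them.

```python
"""Hunt IIS W3C logs for the CVE-2024-38094 request patterns in this report.
Illustrative example added to the report (not Rapid7 or Microsoft code); the
log lines are constructed, the paths and IP come from the IOC table above."""
import re
from urllib.parse import unquote

# Constructed sample: a benign page load, two requests matching the IOC paths
# (add(...) arguments are made up; the report elides them), and a benign GET to client.svc.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-01 08:00:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200
2024-10-01 08:02:13 10.0.0.5 POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='sample.xml',overwrite=true) - 443 CORP\\owner 18.195.61.200 python-requests/2.31 200
2024-10-01 08:02:40 10.0.0.5 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 18.195.61.200 python-requests/2.31 200
2024-10-01 08:05:00 10.0.0.5 GET /_vti_bin/client.svc/web - 443 CORP\\bob 10.0.0.21 Mozilla/5.0 200
"""
KNOWN_BAD_IPS = {"18.195.61.200"}  # written de-fanged in the IOC table

# Rules see the upper-cased method and the URL-decoded, lower-cased stem, so
# percent-encoded or mixed-case variants of the same path still match.
RULES = [
    ("client.svc POST adding files under BusinessDataMetadataCatalog",
     lambda m, s: m == "POST" and "/_vti_bin/client.svc/" in s
     and "businessdatametadatacatalog" in s),
    ("DelveApi.ashx path referencing an .aspx file",
     lambda m, s: "/_vti_bin/delveapi.ashx" in s and re.search(r"\.aspx$", s)),
]

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in map(str.strip, lines):
        if line.startswith("#Fields:"):          # header repeats when IIS rolls a log
            fields = line.split()[1:]
        elif line and not line.startswith("#"):  # skip #Software/#Version/#Date lines
            if not fields:
                raise ValueError("request line before #Fields header")
            yield dict(zip(fields, line.split()))  # IIS encodes spaces in values as '+'

def hunt(log_text):
    """Return one hit per request matching a path rule or a known IOC source IP."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        method = rec.get("cs-method", "").upper()
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        matched = [name for name, test in RULES if test(method, stem)]
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            matched.append("request from IOC source IP")
        if matched:
            hits.append({"c-ip": rec.get("c-ip", "-"), "stem": rec.get("cs-uri-stem", ""), "rules": matched})
    return hits
```

Point `hunt` at the contents of a real `inetpub\logs\LogFiles` file and treat each hit as a lead to pivot on (same c-ip, same cs-username, surrounding requests), not as a confirmed compromise on its own.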
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Isolate the SharePoint server (network containment) if exploitation is suspected; preserve volatile data first where feasible.
- Patch immediately using Microsoft’s July 2024 SharePoint security updates (and verify build/application). (SharePoint Subscription Edition July 9, 2024 update note, SharePoint 2016 July 9, 2024 update note)
- Assume credential compromise if post-exploitation is evident (Rapid7 observed credential dumping and lateral movement). Reset credentials, rotate secrets, and invalidate tokens as appropriate. (Rapid7 IR field report)
- Hunt laterally: Rapid7’s case includes movement that culminated in compromising a Microsoft Exchange service account with elevated privileges. Validate service accounts, privilege assignments, and unusual auth patterns. (Rapid7 IR field report)
6.2 Forensic artefacts to collect
- IIS logs (inetpub), SharePoint ULS logs, Windows Event Logs (export EVTX), scheduled task listings, service creation events, and any web root changes.
- Evidence of tooling referenced in reporting: Python/Impacket use, Mimikatz artefacts, proxy tooling (FRP), and Huorong AV installation traces. (Rapid7 IR field report, BleepingComputer coverage)
6.3 Lessons learned
- Treat internet-facing SharePoint as a tier-0 adjacent asset: harden identity, monitor aggressively, and reduce direct exposure where possible.
7. Threat Intelligence Contextualisation
7.1 Similar incident patterns
The Rapid7 incident aligns with a familiar pattern: exploit access → web shell/persistence → credential theft → defence evasion → lateral movement and domain takeover. (Rapid7 IR field report)
7.2 Full MITRE ATT&CK mapping table
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Rapid7 assessed initial access via exploitation of on-prem SharePoint (CVE-2024-38094) |
| Persistence | T1505.003 | Server Software Component: Web Shell | Suspicious .aspx-style request path observed; broader reporting describes web shell placement |
| Defence Evasion | T1562 | Impair Defences | Huorong AV installation caused conflicts/crashes with existing security tooling |
| Credential Access | T1003 | OS Credential Dumping | Rapid7 noted Mimikatz execution and log tampering indicators |
| Command and Control | T1090 | Proxy | Rapid7 notes Fast Reverse Proxy usage for outbound connectivity |
Sources: Rapid7 IR field report, BleepingComputer coverage
8. Mitigation Recommendations
8.1 Hardening steps
- Minimise exposure: avoid direct internet exposure of on-prem SharePoint where possible; place behind VPN / ZTNA and restrict access to trusted identities and networks.
- Constrain privileged roles: exploitation requires authenticated Site Owner permissions, so review who holds these rights and enforce least privilege. (The Hacker News quoting Microsoft’s permission requirement)
- Instrument logging: ensure IIS, SharePoint, and Windows logs are retained centrally; Rapid7 observed signs of log tampering and missing event sources. (Rapid7 IR field report)
8.2 Patch management advice
- Immediate priority: Patch all on-prem SharePoint servers using Microsoft’s July 2024 security updates that explicitly reference CVE-2024-38094.
- Track the CVE centrally: Microsoft advisory for CVE-2024-38094 and NVD.
- Operational driver: NVD indicates inclusion in CISA KEV with an agency remediation due date of 12 Nov 2024 (useful as an internal urgency benchmark even outside US federal scope). (NVD)
9. Historical Context & Related Vulnerabilities
Microsoft’s July 9, 2024 SharePoint security updates bundle multiple SharePoint CVEs (including other RCE issues), highlighting that SharePoint patching is often cumulative and should be handled as a release hygiene practice rather than a one-off response. (SharePoint 2016 July 9, 2024 update note)
10. Future Outlook
Given the combination of (1) public PoC availability, (2) broad on-prem footprint, and (3) “post-exploitation friendly” positioning of SharePoint in many enterprise environments, defenders should expect CVE-2024-38094-style tradecraft to persist: rapid initial access attempts followed by living-off-the-land and credential theft. Reporting shows adversaries can remain undetected for weeks when logging and endpoint protections are impaired. (Rapid7 IR field report)
11. Further Reading
Vendor / vulnerability records
Patch notes
- SharePoint Server Subscription Edition — July 9, 2024 security update (KB5002606)
- SharePoint Enterprise Server 2016 — July 9, 2024 security update (KB5002618)
Threat reporting / incident analysis
- Rapid7: Investigating a SharePoint Compromise (IR Tales from the Field)
- BleepingComputer: SharePoint RCE bug exploited to breach corporate network
- The Hacker News: CISA warns of active exploitation of CVE-2024-38094
