Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-30378

CVE-2025-30378: Microsoft SharePoint Server RCE Vulnerability

CVE-2025-30378 is a remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-30378 Overview

CVE-2025-30378 is a deserialization of untrusted data vulnerability [CWE-502] in Microsoft Office SharePoint Server. The flaw enables an unauthorized attacker to execute code locally on affected SharePoint instances. Microsoft disclosed the issue on May 13, 2025, with a CVSS 3.1 score of 7.0. Exploitation requires local access combined with user interaction, and attack complexity is rated high. The vulnerability impacts SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Successful exploitation results in high impact to confidentiality, integrity, and availability. No public proof-of-concept code or active exploitation has been reported as of publication.

Critical Impact

Successful exploitation grants attackers the ability to execute arbitrary code in the context of the SharePoint process, leading to full compromise of confidentiality, integrity, and availability on the affected server.

Affected Products

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2016 Enterprise

Discovery Timeline

  • 2025-05-13 - CVE-2025-30378 published to NVD
  • 2025-05-13 - Microsoft releases security update guidance for CVE-2025-30378
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-30378

Vulnerability Analysis

The vulnerability stems from insecure deserialization of untrusted data within Microsoft SharePoint Server [CWE-502]. SharePoint deserializes objects without enforcing strict type validation or integrity checks on the input stream. An attacker who controls the serialized payload can introduce gadget chains that trigger arbitrary code execution during the deserialization process. The flaw executes code in the context of the SharePoint application, granting access to server resources, content databases, and authentication material. Because the attack vector is local and requires user interaction, an attacker must first land a crafted payload on the system and induce a user or process to consume it. The high attack complexity reflects timing or state preconditions needed for the deserialization gadget to fire reliably.

Root Cause

The root cause is the use of an unsafe deserialization routine on attacker-influenced input. SharePoint accepts serialized objects from a path that lacks adequate allow-listing of permitted types. Standard .NET serializers such as BinaryFormatter, SoapFormatter, or LosFormatter instantiate arbitrary types during graph reconstruction, enabling gadget chains to invoke dangerous methods like Process.Start or reflection-based loaders.

Attack Vector

Exploitation requires local access to the SharePoint host and user interaction to trigger processing of the malicious serialized payload. An attacker typically stages a crafted file or input that SharePoint consumes during normal operation. Once deserialization occurs, the embedded gadget chain executes code under the SharePoint service account, providing a foothold for lateral movement or persistence.

No verified public exploit code is available. Refer to the Microsoft Security Update Guide for CVE-2025-30378 for vendor technical details.

Detection Methods for CVE-2025-30378

Indicators of Compromise

  • Unexpected child processes spawned by w3wp.exe or OWSTIMER.EXE on SharePoint servers, particularly cmd.exe, powershell.exe, or rundll32.exe.
  • Anomalous serialized payloads written to SharePoint content paths, temp directories, or layouts folders.
  • Outbound network connections from SharePoint worker processes to non-Microsoft infrastructure.
  • Creation of new scheduled tasks, services, or local accounts on SharePoint hosts following suspicious file access.

Detection Strategies

  • Hunt for process lineage where SharePoint IIS or timer service processes launch script interpreters or living-off-the-land binaries.
  • Monitor .NET runtime telemetry for deserialization-related exceptions and type-load events involving gadget classes such as System.Windows.Data.ObjectDataProvider or System.Diagnostics.Process.
  • Apply behavioral identification rules that correlate user interaction with file ingestion and subsequent code execution.

Monitoring Recommendations

  • Forward SharePoint ULS logs, IIS access logs, and Windows Security event logs to a centralized SIEM for correlation.
  • Enable Sysmon with rules covering process creation, image loads, and file creation in SharePoint directories.
  • Alert on PowerShell module loads from SharePoint process trees and on creation of .aspx or .dll files in LAYOUTS or bin directories.

How to Mitigate CVE-2025-30378

Immediate Actions Required

  • Apply the Microsoft May 2025 security update for SharePoint Server as documented in the vendor advisory.
  • Inventory all SharePoint Server Subscription Edition, 2019, and 2016 Enterprise instances and prioritize patching internet-adjacent servers.
  • Restrict local logon rights on SharePoint hosts to administrators only and review delegated permissions.
  • Audit recent process execution and file write activity on SharePoint servers for signs of pre-patch exploitation.

Patch Information

Microsoft published the official fix in the Microsoft Security Update Guide for CVE-2025-30378. Administrators should install the cumulative update for their specific SharePoint Server build and run the SharePoint Products Configuration Wizard or PSConfig to complete the upgrade on each server in the farm.

Workarounds

  • No vendor-supplied workaround replaces the security update; install the patch as the primary remediation.
  • Limit interactive and remote access to SharePoint servers, enforcing multi-factor authentication and just-in-time administration.
  • Apply application allow-listing on SharePoint hosts to block unauthorized binaries and script interpreters from executing.
  • Segment SharePoint servers from general user workstations to reduce opportunities for local payload delivery.
bash
# Verify installed SharePoint build and confirm patch level on Windows Server
Get-SPFarm | Select-Object BuildVersion
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20

# After installation, complete configuration on each farm server
& "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\BIN\PSConfig.exe" -cmd upgrade -inplace b2b -wait -force

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.