CVE-2025-30382 Overview
CVE-2025-30382 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint Server. The flaw allows an unauthorized attacker to execute code locally on affected installations. The issue is tracked under CWE-502: Deserialization of Untrusted Data and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Exploitation requires user interaction, but no privileges are needed on the target system. Microsoft published the advisory on May 13, 2025.
Critical Impact
Successful exploitation grants attackers high-impact code execution on the SharePoint server, compromising confidentiality, integrity, and availability of hosted content and services.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 (Enterprise)
Discovery Timeline
- 2025-05-13 - CVE-2025-30382 published to NVD
- 2025-05-13 - Microsoft releases security advisory and patch
- 2025-05-19 - Last updated in NVD database
Technical Details for CVE-2025-30382
Vulnerability Analysis
The vulnerability resides in SharePoint Server's handling of serialized objects. SharePoint deserializes attacker-supplied data without verifying the type or integrity of the serialized stream. When the runtime reconstructs the object graph, it instantiates types and invokes methods chosen by the attacker. This behavior matches the [CWE-502] class of flaws, where unsafe deserialization leads to arbitrary code execution under the privileges of the deserializing process.
In the SharePoint context, the worker process executes with permissions over site content, configuration data, and connected service accounts. Code execution at this layer compromises hosted documents and may pivot into adjacent identities, including farm and search accounts.
The attack surface is local, which in CVSS terms covers payloads delivered through files, links, or user-driven workflows that the victim opens or processes on the SharePoint host. The flaw requires user interaction, indicating a victim must trigger the deserialization path.
Root Cause
The root cause is the deserialization of untrusted input without strict type allow-listing or cryptographic integrity validation. .NET-based deserializers used in SharePoint can resolve gadget chains during object reconstruction, allowing attacker-controlled types to execute code as a side effect of property setters, constructors, or serialization callbacks.
Attack Vector
An attacker crafts a malicious serialized payload and delivers it to a SharePoint workflow that performs deserialization. A user with access to the SharePoint host triggers the affected code path, causing the server-side process to reconstruct the malicious object graph and execute the embedded gadget chain. Refer to the Microsoft Vulnerability Advisory CVE-2025-30382 for product-specific exploitation context.
Detection Methods for CVE-2025-30382
Indicators of Compromise
- Unexpected child processes spawned by the SharePoint worker process w3wp.exe running under SharePoint application pool identities.
- New or modified .aspx, .ashx, or assembly files in SharePoint hive directories (%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\).
- Serialized payloads containing BinaryFormatter, LosFormatter, ObjectStateFormatter, or SoapFormatter type references in request bodies or uploaded artifacts.
- Outbound network connections from SharePoint servers to unfamiliar hosts following file uploads or workflow execution.
Detection Strategies
- Monitor IIS logs for POST requests to SharePoint endpoints containing base64-encoded payloads with serialized .NET type signatures.
- Hunt for process lineage where w3wp.exe launches cmd.exe, powershell.exe, or other interpreters.
- Inspect Windows Event Logs for unusual assembly loads and .NET CLR errors tied to the SharePoint application pool.
Monitoring Recommendations
- Forward SharePoint ULS logs, IIS logs, and Windows Security events to a centralized SIEM for correlation.
- Baseline normal workflow and form submission activity to surface anomalies in deserialization-heavy endpoints.
- Track file integrity on SharePoint binaries and configuration directories to identify post-exploitation persistence.
How to Mitigate CVE-2025-30382
Immediate Actions Required
- Apply the May 2025 SharePoint security updates referenced in the Microsoft Vulnerability Advisory CVE-2025-30382 to all affected farm servers.
- Inventory SharePoint Server 2016, 2019, and Subscription Edition deployments and confirm patch levels across web front-ends and application servers.
- Restrict access to SharePoint administrative endpoints and custom workflow upload features to trusted accounts only.
- Review service account privileges and rotate credentials if compromise is suspected.
Patch Information
Microsoft has released security updates addressing CVE-2025-30382 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Patch details and download links are available in the Microsoft Vulnerability Advisory CVE-2025-30382. Apply updates through Windows Update, WSUS, or the Microsoft Update Catalog and follow Microsoft's guidance to run the SharePoint Products Configuration Wizard after installation.
Workarounds
- Limit file upload and custom workflow permissions to reduce exposure to attacker-controlled serialized data.
- Enforce least privilege on SharePoint application pool identities to constrain the impact of code execution.
- Place SharePoint servers behind a web application firewall configured to inspect and block known deserialization gadget signatures.
# Verify installed SharePoint patches on a Windows server
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20
# List SharePoint farm build version
(Get-SPFarm).BuildVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
