CVE Analysis - 6 min read

CVE-2025-30384: Microsoft SharePoint Deserialization Flaw Opens Door to Local RCE

An in-depth analysis of CVE-2025-30384, a deserialization vulnerability in Microsoft SharePoint allowing local attackers to execute arbitrary code.

Introduction

Deserialization vulnerabilities continue to plague enterprise software, and Microsoft's SharePoint is no exception. CVE-2025-30384, recently disclosed, highlights the persistent risks associated with improper handling of serialized data. This flaw allows authenticated attackers to execute arbitrary code locally, posing significant threats to organizational security.

Affected Systems and Versions

  • SharePoint Server Subscription Edition (versions prior to 16.0.18526.20172)
  • SharePoint Server 2019 and 2016 Enterprise Edition

Technical Information

CVE-2025-30384 results from improper validation of serialized input (CWE-502). Attackers with authenticated access and Site Owner privileges can exploit this by injecting malicious serialized .NET objects into SharePoint APIs or workflows. The deserialization process, lacking proper validation, executes attacker-controlled code within the SharePoint application pool context.

Attack Vector

  • Authenticated attackers submit crafted serialized payloads via SharePoint APIs.
  • Exploitation requires Site Owner privileges, limiting the attack surface to insiders or compromised accounts.

Proof of Concept

Currently, no publicly available proof-of-concept exploit exists for CVE-2025-30384.

Patch Information

Organizations must apply the May 2025 security update (KB5002705) for SharePoint Server Subscription Edition, upgrading to version 16.0.18526.20172 or later. Detailed patching instructions and downloads are available from Microsoft's official security advisory.

Detection Methods

  • Monitor SharePoint logs for unusual HTTP POST requests to endpoints like /_api/web/lists.
  • Investigate unexpected process creations by w3wp.exe.
  • No known indicators of compromise or exploitation attempts have been reported yet.
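
The two monitoring bullets above can be turned into a simple triage script. The following is an added example, not code from this article or from Microsoft: it assumes IIS W3C logs with `cs-bytes` enabled and process-creation records shaped like Sysmon Event ID 1, and the size threshold, the `csc.exe` allowlist and all sample records are constructed assumptions to tune per environment.

```python
# Added example: thresholds, allowlist and sample records are constructed assumptions.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes
2025-05-20 09:01:12 GET /_api/web/lists alice 10.0.0.21 200 412
2025-05-20 09:03:40 POST /_api/web/lists bob 10.0.0.34 201 1890
2025-05-20 09:04:02 POST /_api/web/lists svc-site 10.0.0.77 500 48211
2025-05-20 09:04:05 POST /_api/Web/Lists svc-site 10.0.0.77 200 48377
"""

PROC_EVENTS = [  # constructed, shaped like Sysmon Event ID 1 (process creation)
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 1, "ParentImage": r"c:\windows\system32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

def unusual_posts(log_text, endpoint="/_api/web/lists", max_bytes=16384):
    """POSTs to the endpoint with an oversized body or a 5xx response."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the W3C header names the columns
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        size = int(rec["cs-bytes"]) if rec.get("cs-bytes", "").isdigit() else 0
        if (rec.get("cs-method") == "POST"
                and rec.get("cs-uri-stem", "").lower().startswith(endpoint)
                and (size > max_bytes or rec.get("sc-status", "").startswith("5"))):
            hits.append(rec)
    return hits

def unexpected_children(events, allowed=("csc.exe",)):
    """Process creations whose parent is w3wp.exe and whose image is not allowlisted."""
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").lower()
        child = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if ev.get("EventID") == 1 and parent.endswith("\\w3wp.exe") and child not in allowed:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    print(unusual_posts(IIS_LOG))
    print(unexpected_children(PROC_EVENTS))
```

Correlating the two outputs by timestamp and host narrows the results to requests that were followed by a worker-process child.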

Vendor Security History

Microsoft has previously addressed similar deserialization vulnerabilities in SharePoint, including CVE-2025-29793. Their consistent monthly patching cycle demonstrates proactive security management, though recurring issues indicate ongoing challenges in legacy code security.

References

Organizations are urged to prioritize patching and implement robust monitoring to mitigate potential threats associated with CVE-2025-30384.
