Critical SharePoint RCE Vulnerability Exploited via Malicious XML in Web Part

A severe remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint that allows attackers to execute arbitrary code through malicious XML content embedded within web parts.

According to the recent report, the vulnerability, which affects the deserialization process of webpart properties, represents a significant security risk for organizations running vulnerable SharePoint installations.

Technical Details of the Vulnerability

The vulnerability originates in SharePoint’s web part control parsing process, specifically within the Microsoft.SharePoint.WebPartPages.WebPart.AddParsedSubObject() method.

The attack vector begins when the system processes XML content within web part controls, triggering a dangerous deserialization chain that ultimately leads to remote code execution.

The exploitation path follows a predictable sequence through SharePoint’s internal architecture. When a web part contains XML content, the AddParsedSubObject() method processes LiteralControl text and parses it as XML.

This parsed content then undergoes deserialization through WebPart.ParseXml(), which utilizes XmlSerializer to reconstruct the ...