A critical remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint, stemming from insecure deserialization of XML content within WebPart properties. This flaw enables threat actors to inject malicious XML payloads into WebParts, allowing arbitrary code execution. The root cause lies in SharePoint's processing of WebPart controls, particularly the unsafe handling of XML data through deserialization mechanisms. The vulnerability has been patched, but organizations running unpatched or older SharePoint versions remain at risk of full environment compromise.

The attack leverages a complex deserialization chain initiated through the AddParsedSubObject() method in Microsoft.SharePoint.WebPartPages.WebPart. This method extracts embedded XML content and sends it to ParseXml() for processing via the XmlSerializer. The chain proceeds to the DoPostDeserializationTasks() method, which facilitates deeper parsing of the malicious input. Ultimately, this reaches the Utility.DeserializeStringToObject() function, a core deserialization function where exploitation becomes possible.

According to the Researcher, the vulnerability resides in the GetAttachedProperties() method, which deserializes the _serializedAttachedPropertiesShared field using SPSerializationBinder. This binder enables binary deserialization of any class listed in SharePoint’s SafeControls list. Attackers exploit this by targeting the Microsoft.SharePoint.ApplicationPages.SPThemes class, which inherits from DataSet and uses insecure serialization constructors. The payload is crafted using the AttachedPropertiesShared element and delivered via the /webpartpages.asmx endpoint, specifically through the ConvertWebPartFormat method.

To mitigate this threat, organizations must urgently apply Microsoft’s latest security patches addressing the issue. Administrators should also enforce strict input validation for WebPart content, closely monitor traffic to SharePoint web service endpoints, and segment network access to isolate critical services. This vulnerability underscores the ongoing risks associated with insecure deserialization and highlights the importance of robust application-level security reviews in enterprise environments like SharePoint.