July 18, 2025
Severity
High
Analysis Summary
A critical remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint, stemming from insecure deserialization of XML content within WebPart properties. This flaw enables threat actors to inject malicious XML payloads into WebParts, allowing arbitrary code execution. The root cause lies in SharePoint's processing of WebPart controls, particularly the unsafe handling of XML data through deserialization mechanisms. The vulnerability has been patched, but organizations running unpatched or older SharePoint versions remain at risk of full environment compromise.
The attack leverages a multi-stage deserialization chain that begins in the AddParsedSubObject() method of Microsoft.SharePoint.WebPartPages.WebPart. This method extracts the embedded XML content and passes it to ParseXml(), which processes it with XmlSerializer. The chain then proceeds to the DoPostDeserializationTasks() method, which parses the malicious input further. Ultimately the chain reaches Utility.DeserializeStringToObject(), the core deserialization routine where exploitation becomes possible.
According to the researcher who reported the flaw, the vulnerability resides in the GetAttachedProperties() method, which deserializes the _serializedAttachedPropertiesShared field using SPSerializationBinder. This binder permits binary deserialization of any class listed in SharePoint's SafeControls list. Attackers exploit this by targeting the Microsoft.SharePoint.ApplicationPages.SPThemes class, which inherits from DataSet and relies on insecure serialization constructors. The payload is crafted using the AttachedPropertiesShared element and delivered to the /webpartpages.asmx endpoint, specifically through its ConvertWebPartFormat method.
To mitigate this threat, organizations must urgently apply Microsoft’s latest security patches addressing the issue. Administrators should also enforce strict input validation for WebPart content, closely monitor traffic to SharePoint web service endpoints, and segment network access to isolate critical services. This vulnerability underscores the ongoing risks associated with insecure deserialization and highlights the importance of robust application-level security reviews in enterprise environments like SharePoint.
Impact
- Sensitive Data Theft
- Remote Code Execution
- Security Bypass
Remediation
- Apply the latest SharePoint security updates immediately to patch the vulnerability.
- Restrict access to the /webpartpages.asmx endpoint through firewall or proxy rules.
- Implement strict input validation for WebPart content to block malicious XML or script injection.
- Monitor and log activity on SharePoint web service endpoints for suspicious requests.
- Disable unnecessary or unused WebPart components to reduce the attack surface.
- Use application whitelisting to control which assemblies and controls can be loaded in SharePoint.
- Segment network access to isolate SharePoint servers from other critical systems.
- Conduct a thorough security review of all custom or third-party WebParts and solutions.
- Regularly audit the SafeControls list to ensure only trusted types are allowed for deserialization.
- Train SharePoint administrators to recognize and respond to deserialization-based attacks.
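As an added example supporting the "restrict access" and "monitor and log" items above (not part of the original advisory), the following Python script scans IIS W3C log lines for POST requests to the webpartpages.asmx service from callers that are not on an approved list. The log excerpt, client addresses, usernames and the allowed-caller set are all constructed for illustration; the field layout assumes the `#Fields:` directive shown in the sample and should be adjusted to match your servers.

```python
"""Flag POST requests to the SharePoint WebPartPages web service in IIS W3C logs.

Added example, not from the advisory. Assumes the IIS W3C field set named in
the constructed '#Fields:' header below; adjust it to match your own logging.
"""
from collections import Counter

# Constructed IIS log excerpt: one normal page view, two POSTs to the
# WebPartPages service from an unexpected address, and one from an approved
# deployment host.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 alice 10.0.4.21 Mozilla/5.0 200
2025-07-18 09:12:07 10.0.0.5 POST /_vti_bin/webpartpages.asmx - 443 bob 198.51.100.23 python-requests/2.32 200
2025-07-18 09:12:09 10.0.0.5 POST /_vti_bin/webpartpages.asmx - 443 bob 198.51.100.23 python-requests/2.32 500
2025-07-18 09:13:00 10.0.0.5 POST /_vti_bin/webpartpages.asmx - 443 svc_deploy 10.0.9.8 SharePointDesigner 200
"""

# Constructed allow list: hosts expected to call the service (e.g. a deployment box).
ALLOWED_CALLERS = {"10.0.9.8"}
# Match on the service name from the advisory; the /_vti_bin/ prefix is the
# usual location but the check only looks at the end of the URI stem.
TARGET_ENDPOINT = "webpartpages.asmx"


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_webpart_service_calls(text, allowed=ALLOWED_CALLERS):
    """Return POST records to the WebPartPages service from non-approved callers."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST":
            continue
        if not rec["cs-uri-stem"].lower().endswith(TARGET_ENDPOINT):
            continue
        if rec["c-ip"] in allowed:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged calls per client IP so repeated probing stands out."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    flagged = find_webpart_service_calls(SAMPLE_LOG)
    for ip, count in summarize(flagged).items():
        print(f"{ip}: {count} POST(s) to {TARGET_ENDPOINT}")
```

A burst of POSTs to this service from a host that does not normally manage WebParts, especially with server errors mixed in, is worth correlating with the patch level of the farm.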