CVE Radar

CVE Radar Logo
CVERadar

Edition used by more than 30,000 companies in more than 150 countries.
Sign Up For Free

CVE-2022-22005

High Severity|Microsoft
62
SVRS
8.8
CVSSv3
0.16825
EPSS
TAGS
In The Wild
VECTOR STRING
CVSS:3.1AV:NAC:LPR:LUI:NS:UC:HI:HA:HE:URL:ORC:C
PUBLICATION DATE2022-02-09
LAST MODIFIED2025-01-02

Deep CVE Analysis in Progress

The system is currently conducting an in-depth analysis of the selected CVE. This includes advanced correlation, vulnerability classification, and cross-referencing with real-time threat intelligence sources. Once the analysis is complete, the page will automatically update with enriched vulnerability data and actionable insights.

Security Intelligence Brief

What is this vulnerability and why does it matter?
This is a Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint Server, identified as CVE-2022-22005. This vulnerability is critical because it allows an attacker to execute arbitrary code on the affected SharePoint server, potentially leading to full compromise of the system and sensitive data. The existence of published active exploits significantly increases its importance and the urgency for remediation, as it indicates the vulnerability is being actively leveraged by malicious actors.
What are the CVSS score, severity level, and disclosure details?
The CVSS score for CVE-2022-22005 is 8.8. This score places the vulnerability in the High severity level. The vulnerability was publicly disclosed and published on February 9, 2022, at 16:36:59 UTC. The CVE record was last modified on January 2, 2025, at 18:28:24 UTC, indicating potential updates to its details or associated information.
Which products, vendors, systems, and versions are affected?
The vulnerability affects Microsoft SharePoint Server. Specific versions of SharePoint Server are not detailed in the provided CVE data, but generally, all supported versions at the time of disclosure would be considered potentially vulnerable until specific patches are applied.
What is the technical root cause and attack vector?
The technical root cause of this vulnerability is identified as CWE-502: Deserialization of Untrusted Data. This means that the SharePoint server incorrectly handles data that has been serialized (converted into a format for storage or transmission) and then deserialized (converted back into an object). When untrusted, specially crafted data is deserialized, it can lead to arbitrary code execution. The attack vector is remote, meaning an attacker can exploit this vulnerability over a network without requiring local access to the server.
How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker sending specially crafted serialized data to an affected SharePoint Server. Due to improper deserialization, the server processes this untrusted data in a way that allows the attacker's arbitrary code to be executed within the context of the SharePoint application. The existence of published active exploits suggests that the methods for triggering this deserialization vulnerability are known and publicly available.
What mitigation steps and patches are available?
For vulnerabilities affecting Microsoft products, the primary mitigation step is to apply the security updates or patches released by Microsoft. Organizations should refer to the official Microsoft Security Update Guide or the specific CVE advisory for CVE-2022-22005 to identify and deploy the necessary patches for all affected SharePoint Server installations. Other general mitigations include ensuring proper network segmentation, implementing the principle of least privilege for SharePoint service accounts, and employing robust web application firewalls (WAFs) to filter malicious input.
How can vulnerable systems be detected?
Vulnerable systems can be detected by identifying the version of Microsoft SharePoint Server deployed and cross-referencing it with official Microsoft advisories for CVE-2022-22005. Automated vulnerability scanners, patch management systems, and inventory tools can assist in this process by identifying unpatched instances of SharePoint Server. Manual inspection of system patch levels can also be performed.
What are the indicators of compromise (IOCs)?
While specific IOCs are not provided in the CVE data, common indicators for remote code execution vulnerabilities in SharePoint Server environments include:
  • Unusual process execution on the SharePoint server (e.g., unexpected cmd.exe, powershell.exe, or other executables).
  • Unexpected outgoing network connections from the SharePoint server to external or internal untrusted hosts.
  • Creation or modification of unusual files in SharePoint directories or system directories.
  • New or modified user accounts with elevated privileges on the server or in SharePoint.
  • Unusual entries in SharePoint or Windows event logs, especially related to application errors or security events.
  • Spikes in CPU or memory usage not attributable to legitimate SharePoint operations.
Which threat actors are known to exploit this vulnerability?
The provided CVE data indicates that active exploits have been published to leverage this vulnerability. However, it does not specify particular threat actors or groups known to be exploiting CVE-2022-22005. The public availability of exploits suggests that a wide range of threat actors, from opportunistic attackers to more sophisticated groups, could be utilizing it.
What public intelligence references and advisories exist?
The primary public intelligence reference is the CVE entry itself: CVE-2022-22005. Additional advisories and technical details would typically be published by Microsoft in their Security Update Guide, alongside security research firms and cybersecurity agencies that track actively exploited vulnerabilities. The mention of "active exploits have been published" further suggests that detailed analyses and proof-of-concept code may be available from security communities.
What is the risk assessment and urgency level?
The risk assessment for CVE-2022-22005 is high. With a CVSS score of 8.8 and the classification as a Remote Code Execution vulnerability, successful exploitation can lead to complete compromise of the affected SharePoint server, resulting in data breaches, system downtime, and potential lateral movement within the network. The urgency level is critical due to the confirmed presence of published active exploits, indicating that the vulnerability is actively being targeted in the wild. Immediate patching and mitigation are strongly recommended to protect against active threats.

No IOCs found for this CVE

TitleSoftware LinkDate
Creamy-Chicken-Soup/writeups-about-analysis-CVEs-and-Exploits-on-the-Windowshttps://github.com/Creamy-Chicken-Soup/writeups-about-analysis-CVEs-and-Exploits-on-the-Windows2022-04-16
ARPSyndicate/cvemonhttps://github.com/ARPSyndicate/cvemon2021-04-13
SOCRadar Logo

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

No news found for this CVE

No tweets found for this CVE

Configuration 1
TypeVendorProduct
AppMicrosoftsharepoint_server
AppMicrosoftsharepoint_enterprise_server
AppMicrosoftsharepoint_foundation
ReferenceLink
MISChttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22005
MISChttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22005
MISChttps://www.zerodayinitiative.com/advisories/ZDI-22-352/
MISChttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005
MICROSOFT SHAREPOINT SERVER REMOTE CODE EXECUTION VULNERABILITYhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005
MICROSOFT SHAREPOINT SERVER REMOTE CODE EXECUTION VULNERABILITYhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005
CWE IDCWE NameDescription
CWE-502Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.