Cyber Resilience

CVE-2022-21837

High

Published: 11 January 2022

Modified: 21 November 2024
KEV Added: not listed
Remediation: Patch available
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0769 (92.1st percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-21837 is a high-severity vulnerability in Microsoft SharePoint Server; the underlying weakness type (CWE) is unspecified. Its CVSS base score is 8.3 (High).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft SharePoint Server is affected by CVE-2022-21837, a remote code execution vulnerability disclosed on 11 January 2022. The flaw carries a CVSS 3.1 base score of 8.3 with network attack vector, low complexity, and low privileges required, enabling an authenticated attacker to execute arbitrary code that yields high impact on confidentiality and integrity along with low impact on availability.

An attacker who already possesses low-privileged access to a SharePoint deployment can send crafted requests over the network to trigger the vulnerability and obtain code execution on the server without user interaction. Successful exploitation allows the attacker to read or modify sensitive data and potentially disrupt service operations within the affected SharePoint environment.

Microsoft security advisories for CVE-2022-21837 direct administrators to apply the patches released in the corresponding security update packages. The EPSS score reached a peak of 0.0959 and currently sits at 0.0769, indicating modest post-disclosure interest that does not constitute a pronounced rise.

Vulnerability details

Microsoft SharePoint Server Remote Code Execution Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft SharePoint Foundation: 2013
Microsoft SharePoint Server: 2016, 2019, all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
