Cyber Resilience

CVE-2022-38053

High

Published: 11 October 2022

Modified: 02 January 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2852 (96.6th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-38053 is a high-severity vulnerability (weakness type unspecified; no CWE assigned) in Microsoft SharePoint Enterprise Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft SharePoint Server is affected by CVE-2022-38053, a remote code execution vulnerability disclosed on 2022-10-11. The flaw carries a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that an authenticated attacker can achieve full compromise of confidentiality, integrity, and availability over the network with low attack complexity.

An attacker who possesses low-privileged access to a SharePoint deployment can exploit the vulnerability to execute arbitrary code on the server without user interaction, resulting in complete takeover of the affected SharePoint instance and any data it processes.

Microsoft has published official guidance and patches for the issue through its Security Response Center at the referenced URLs, directing administrators to apply the relevant updates for supported SharePoint Server versions.

EPSS for the CVE rose from a low baseline to a peak of 0.5244 on 2025-12-11 before receding to the current value of 0.2852, indicating that exploitation interest increased well after initial disclosure.

EU & UK References

Vulnerability details

Microsoft SharePoint Server Remote Code Execution Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                        Versions
microsoft   sharepoint enterprise server   2013, 2016
microsoft   sharepoint foundation          2013
microsoft   sharepoint server              2019, all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References