CVE-2010-3964

Microsoft SharePoint Server 2007 SP2 - Remote Code Execution via Malformed SOAP Request

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3964. PoCs published by Metasploit, Oleksandr Mirosh, James Burton, Entomology: A Case Study of Rare and Interesting Bugs, juan vazquez, including Metasploit module exploits/windows/misc/ms10_104_sharepoint.

AI-analyzed exploit summary This Metasploit module exploits a directory traversal vulnerability in Microsoft Office SharePoint Server 2007 SP2 to achieve remote code execution via arbitrary file upload and WMI execution.

Description

Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/20122

This Metasploit module exploits a directory traversal vulnerability in Microsoft Office SharePoint Server 2007 SP2 to achieve remote code execution via arbitrary file upload and WMI execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office SharePoint Server 2007 SP2
No auth needed
Prerequisites: Network access to the SharePoint server on port 8082 · Office Document Conversions Launcher Service running
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Oleksandr Mirosh, James Burton, Entomology: A Case Study of Rare and Interesting Bugs, juan vazquez · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ms10_104_sharepoint.rb

This Metasploit module exploits a directory traversal vulnerability in Microsoft Office SharePoint Server 2007 SP2, allowing arbitrary file uploads via a crafted SOAP request to the Office Document Conversions Launcher Service, leading to remote code execution as SYSTEM.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office SharePoint Server 2007 SP2
No auth needed
Prerequisites: Network access to SharePoint Server on port 8082 · Office Document Conversions Launcher Service running
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/69817
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-348A.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3226
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024886
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-10-287/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45264
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42631
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11737

Scores

EPSS 0.9392
EPSS Percentile 99.8%

Details

Status published
Products (1)
microsoft/sharepoint_server 2007 sp2 (2 CPE variants)
Published Dec 16, 2010
Tracked Since Feb 18, 2026