CVE-2020-1452

8.6 HIGH

📋 TL;DR

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading a specially crafted application package. It affects SharePoint servers where users can upload packages, potentially compromising the entire SharePoint farm.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
  • Microsoft SharePoint Foundation
Versions: Specific versions not provided in description; check Microsoft advisory for exact affected versions.
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SharePoint installation with application package upload capability enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SharePoint server farm, with the attacker gaining control as the SharePoint application pool account, leading to data theft, lateral movement, and persistent access.

🟠 Likely Case

Attacker gains code execution on SharePoint server, potentially accessing sensitive data and using the server as a foothold for further attacks.

🟢 If Mitigated

Exploitation is limited to authenticated users with package upload permissions, and monitoring detects suspicious uploads.

🌐 Internet-Facing: HIGH if SharePoint is internet-facing and allows package uploads.
🏢 Internal Only: MEDIUM to HIGH depending on user permissions and network segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated user with permissions to upload SharePoint application packages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific patch version

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1452

Restart Required: Yes

Instructions:

1. Download the security update from Microsoft Update Catalog.
2. Apply the update to all affected SharePoint servers.
3. Restart SharePoint services or servers as required.

🔧 Temporary Workarounds

Restrict Application Package Uploads

Disable or restrict permissions for uploading SharePoint application packages to trusted users only.

Implement File Upload Validation

Add additional validation layers for uploaded SharePoint packages before processing.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can upload SharePoint application packages.
  • Monitor SharePoint logs for suspicious package uploads and implement network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version against Microsoft's affected versions list in the advisory.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that the security update is installed via Windows Update history or SharePoint version check.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SharePoint application package uploads
  • Errors in SharePoint ULS logs related to package processing

Network Indicators:

  • Unexpected outbound connections from SharePoint servers post-upload

SIEM Query:

source="SharePoint" AND (event_id=6398 OR event_id=6399) AND message="*package*"
