CVE-2020-1460
📋 TL;DR
CVE-2020-1460 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code by uploading specially crafted ASP.Net web controls. This affects organizations running vulnerable SharePoint Server versions, requiring attackers to have authenticated access to create malicious pages.
💻 Affected Systems
- Microsoft SharePoint Server
- Microsoft SharePoint Foundation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of SharePoint Server with attacker gaining SYSTEM-level privileges, data exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Attacker with authenticated access executes code in SharePoint application pool context, potentially accessing sensitive data, modifying content, or disrupting services.
If Mitigated
With proper authentication controls and network segmentation, impact limited to authenticated user's permissions and isolated to SharePoint environment.
🎯 Exploit Status
Requires authenticated user with ability to create pages. Exploit involves crafting malicious ASP.Net controls within SharePoint pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in July 2020 patch cycle
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1460
Restart Required: Yes
Instructions:
1. Download appropriate security update from Microsoft Update Catalog.
2. Apply update to all SharePoint servers.
3. Restart SharePoint services.
4. Test functionality.
🔧 Temporary Workarounds
Restrict Page Creation Permissions
Limit which users can create and edit pages in SharePoint to reduce attack surface. (Platform: Windows)
Implement Web Application Firewall Rules
Configure WAF to block suspicious ASP.Net control patterns in SharePoint requests. (Platform: all)
🧯 If You Can't Patch
- Implement strict access controls: Only grant page creation permissions to trusted users with business need
- Monitor for suspicious page creation/modification activity and implement file upload restrictions
🔍 How to Verify
Check if Vulnerable:
Check SharePoint version against Microsoft's affected versions list in security advisory
Check Version:
Get-SPFarm | Select BuildVersion (PowerShell) or check Central Administration > Upgrade and Migration > Check product and patch installation status
Verify Fix Applied:
Verify security update is installed via Windows Update history or SharePoint version check
📡 Detection & Monitoring
Log Indicators:
- Unusual page creation events
- ASP.Net control uploads
- Security event logs showing code execution attempts
Network Indicators:
- HTTP POST requests with crafted ASP.Net controls to SharePoint pages
- Unusual outbound connections from SharePoint servers
SIEM Query:
source="sharepoint" AND (event="page_creation" OR event="file_upload") AND user NOT IN [trusted_users]
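
The SIEM query above, written out as runnable detection logic. This is an added example, not vendor or project code; the key="value" log layout, the account names and the sample events are constructed assumptions, and only the `source`, `event` and `user` fields come from the query.

```python
import re
from collections import defaultdict

# Assumption: accounts with a business need to create pages (hypothetical names).
TRUSTED_USERS = {"publisher@example.test", "intranet-admin@example.test"}
WATCHED_EVENTS = {"page_creation", "file_upload"}

# Constructed sample events. The key="value" layout is an assumption for this
# example, not a native SharePoint log format.
SAMPLE_LOG = '''
ts=2020-07-20T09:14:02Z source="sharepoint" event="page_creation" user="publisher@example.test" url="/sites/hr/SitePages/news.aspx"
ts=2020-07-20T09:20:41Z source="sharepoint" event="page_view" user="temp01@example.test" url="/sites/hr/SitePages/news.aspx"
ts=2020-07-20T09:31:10Z source="sharepoint" event="file_upload" user="temp01@example.test" url="/sites/hr/Shared Documents/a.aspx"
ts=2020-07-20T09:31:55Z source="sharepoint" event="page_creation" user="Temp01@Example.test" url="/sites/hr/SitePages/b.aspx"
ts=2020-07-20T09:40:00Z source="iis" event="file_upload" user="guest@example.test" url="/upload"
this line is malformed and must be skipped
'''

# Matches key="quoted value" or key=bare_value pairs.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return a dict of fields, or None if the line lacks the fields we filter on."""
    fields = {k: (q if q else b) for k, q, b in FIELD.findall(line)}
    return fields if {"source", "event", "user"} <= fields.keys() else None

def find_untrusted_changes(log_text, trusted=TRUSTED_USERS):
    """Group watched SharePoint events by any user outside the allow-list."""
    trusted = {u.lower() for u in trusted}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["source"] != "sharepoint":
            continue
        user = event["user"].lower()  # compare account names case-insensitively
        if event["event"] in WATCHED_EVENTS and user not in trusted:
            hits[user].append((event.get("ts"), event["event"], event.get("url")))
    return dict(hits)

if __name__ == "__main__":
    for user, events in find_untrusted_changes(SAMPLE_LOG).items():
        print(user, len(events), events)
```

Grouping by user lets the two events from the same non-allow-listed account surface as one finding, which is easier to triage than per-event alerts.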