CVE-2020-16950

5.0 MEDIUM

📋 TL;DR

This CVE describes an information disclosure vulnerability in Microsoft SharePoint Server where improper memory handling could allow an authenticated attacker to access sensitive information. The vulnerability requires an attacker to have valid login credentials and the ability to run a crafted application on the affected system. Organizations running vulnerable SharePoint Server versions are affected.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Not specified in the CVE description; check the Microsoft advisory for the exact affected versions
Operating Systems: Windows Server (SharePoint Server dependencies)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects SharePoint Server's memory handling; exact version details require checking Microsoft's security advisory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could access sensitive information from SharePoint Server memory, potentially obtaining credentials, configuration data, or other sensitive information that could lead to further system compromise.

🟠 Likely Case

An authenticated malicious insider or compromised account could extract limited information from memory, potentially gaining insights into system configuration or user data.

🟢 If Mitigated

With proper access controls and monitoring, the impact is limited to authorized users who would already have some level of access to the system.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access, making internet-facing systems less vulnerable unless authentication is compromised.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials pose the primary risk, especially in environments with insufficient access controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and ability to run crafted applications on the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's October 2020 security updates for SharePoint Server

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16950

Restart Required: Yes

Instructions:

1. Apply Microsoft's October 2020 security updates for SharePoint Server.
2. Restart affected SharePoint services or servers as required.
3. Verify the update was successfully applied.

🔧 Temporary Workarounds

Restrict application execution (Windows)

Limit the ability to run arbitrary applications on SharePoint servers to authorized administrators only.

Use Group Policy or AppLocker to restrict application execution.

Enforce least privilege (all platforms)

Ensure users have only the permissions they need and cannot run arbitrary applications.

Review and tighten SharePoint permissions and local system access.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can authenticate to SharePoint servers
  • Monitor for unusual application execution or memory access patterns on SharePoint systems

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version against Microsoft's advisory; vulnerable if running unpatched versions from before October 2020

Check Version:

PowerShell: Get-SPFarm | Select BuildVersion

Alternatively, check Central Administration > Upgrade and Migration > Check product and patch installation status

Verify Fix Applied:

Verify SharePoint Server has October 2020 or later security updates installed

📡 Detection & Monitoring

Log Indicators:

  • Unusual application execution on SharePoint servers
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound data transfers from SharePoint servers

SIEM Query:

source="SharePoint" AND (event_id=4688 OR process_execution) AND user NOT IN (authorized_admin_users)
