CVE-2020-16951

8.6 HIGH

📋 TL;DR

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading specially crafted application packages. It affects SharePoint servers where users can upload packages, potentially compromising the entire SharePoint farm.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
  • Microsoft SharePoint Foundation
Versions: SharePoint Server 2019, SharePoint Server 2016, SharePoint Server 2013 SP1, SharePoint Server 2010 SP2
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SharePoint application package upload capability enabled. SharePoint Online is not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SharePoint farm, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to SharePoint data, privilege escalation within SharePoint environment, and potential server compromise.

🟢

If Mitigated

Limited to authenticated user access only, with proper upload restrictions and monitoring in place.

🌐 Internet-Facing: HIGH - SharePoint servers exposed to the internet are prime targets for exploitation.
🏢 Internal Only: MEDIUM - Requires authenticated user access but internal threats or compromised accounts can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user with package upload permissions. Exploit code has been publicly released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2020 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951

Restart Required: Yes

Instructions:

1. Apply the October 2020 security updates for SharePoint.
2. Restart SharePoint services.
3. Verify patch installation through Windows Update or the manual installation record.

🔧 Temporary Workarounds

Restrict application package uploads

Disable or restrict SharePoint application package upload functionality for non-administrative users.

Implement strict upload validation

Add additional validation layers for SharePoint application packages before processing.

🧯 If You Can't Patch

  • Implement strict access controls on SharePoint application package upload functionality
  • Monitor and audit all SharePoint application package uploads and processing

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version and verify if October 2020 security updates are installed.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify SharePoint version is updated with October 2020 patches and test application package upload functionality.
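The following PowerShell script is an added example, not part of this advisory page or Microsoft's own tooling. It wraps the version check above: it loads the SharePoint snap-in, reads the farm build with Get-SPFarm, and compares it against a minimum build number that you must fill in from the October 2020 update notes for your product version (the $MinimumPatchedBuild value below is a placeholder, not a real build number).

```powershell
# Added example: compare the SharePoint farm build against the
# October 2020 update build. Run in an elevated SharePoint Management
# Shell (Windows PowerShell) on a farm server.

# Load the SharePoint cmdlets if they are not already present.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# PLACEHOLDER: replace with the build number of the October 2020 update
# for your SharePoint version, taken from the vendor advisory / update KB.
$MinimumPatchedBuild = [Version]'0.0.0.0'

# Farm build version as recorded in the configuration database.
$farmBuild = (Get-SPFarm).BuildVersion
Write-Host "Farm build version: $farmBuild"

if ($MinimumPatchedBuild -eq [Version]'0.0.0.0') {
    Write-Warning 'Set $MinimumPatchedBuild before trusting this result.'
}
elseif ($farmBuild -ge $MinimumPatchedBuild) {
    Write-Host 'Farm build is at or above the October 2020 update build.'
}
else {
    Write-Warning "Farm build $farmBuild is below $MinimumPatchedBuild; the October 2020 update does not appear to be installed."
}
```

One caveat when reading the result: the farm build reported by Get-SPFarm only advances after the configuration wizard (psconfig) has been run following the update, so a farm can have the binaries installed on every server while still reporting the old build. Cross-check per server with Get-SPProduct -Local, which lists the installed products and patches on the local machine.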

📡 Detection & Monitoring

Log Indicators:

  • Unusual SharePoint application package uploads
  • Failed package validation attempts
  • Suspicious PowerShell execution in SharePoint context

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • Unexpected file transfers from SharePoint

SIEM Query:

source="SharePoint" AND (event_id="6398" OR event_id="6399") AND message="*package*"
