Login Sign Up

CVE-2021-26420

7.1 HIGH
Remote Code Execution

📋 TL;DR

CVE-2021-26420 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code on affected servers. This affects organizations running vulnerable SharePoint Server versions, potentially compromising sensitive data and server integrity.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
  • Microsoft SharePoint Foundation
Versions: 2010, 2013, 2016, 2019
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; SharePoint Online not affected.

📦 What is this software?

Sharepoint Enterprise Server by Microsoft

View all CVEs affecting Sharepoint Enterprise Server →

Sharepoint Foundation by Microsoft

View all CVEs affecting Sharepoint Foundation →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, lateral movement within the network, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to sensitive SharePoint data, privilege escalation, and limited code execution within SharePoint context.

🟢

If Mitigated

Attack blocked at perimeter or through authentication controls, with minimal impact due to proper segmentation.

🌐 Internet-Facing: HIGH - SharePoint servers often exposed externally for collaboration, making them prime targets.
🏢 Internal Only: MEDIUM - Internal attackers with SharePoint access could exploit, but requires authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access; exploit details not publicly available but likely weaponized by threat actors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26420

Restart Required: Yes

Instructions:

1. Apply March 2021 security updates for SharePoint Server. 2. Restart SharePoint services. 3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Restrict SharePoint access

all

Limit SharePoint access to trusted users only and implement strict authentication controls.

Network segmentation

all

Isolate SharePoint servers from critical network segments and implement firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious SharePoint activity.
  • Deploy web application firewall (WAF) rules to block suspicious SharePoint requests.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and verify if March 2021 security updates are installed.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify March 2021 security updates are installed via Windows Update history or PowerShell: Get-HotFix -Id KB5000871

📡 Detection & Monitoring

Log Indicators:

  • Unusual SharePoint activity patterns
  • Suspicious file uploads or server-side code execution attempts
  • Authentication anomalies

Network Indicators:

  • Abnormal SharePoint web service requests
  • Unexpected outbound connections from SharePoint servers

SIEM Query:

source="sharepoint" AND (event_id=6398 OR event_id=6399) AND (process_execution OR file_upload)

📊 Metadata

CVE ID: CVE-2021-26420
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Published: June 8, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON