Login Sign Up

CVE-2021-27076

8.8 HIGH
Remote Code Execution

📋 TL;DR

CVE-2021-27076 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code on affected systems. This affects organizations running vulnerable SharePoint Server versions, potentially enabling attackers to gain control of SharePoint servers and access sensitive data.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
  • Microsoft SharePoint Foundation
Versions: 2013, 2016, 2019
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to SharePoint; affects both Enterprise and Standard editions.

📦 What is this software?

Business Productivity Servers by Microsoft

View all CVEs affecting Business Productivity Servers →

Sharepoint Foundation by Microsoft

View all CVEs affecting Sharepoint Foundation →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SharePoint server leading to data exfiltration, lateral movement within network, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to sensitive SharePoint data, privilege escalation, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing SharePoint servers are directly exploitable by authenticated attackers.
🏢 Internal Only: MEDIUM - Internal SharePoint servers require authenticated access but pose significant risk if compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to SharePoint; proof-of-concept code has been publicly released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076

Restart Required: Yes

Instructions:

1. Apply March 2021 security updates for SharePoint Server 2013/2016/2019. 2. Restart SharePoint services. 3. Verify patch installation through Windows Update history.

🔧 Temporary Workarounds

Restrict SharePoint Access

all

Limit SharePoint access to trusted users only and implement strong authentication controls.

Network Segmentation

all

Isolate SharePoint servers from critical network segments and implement firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all SharePoint users.
  • Deploy network monitoring and intrusion detection systems focused on SharePoint traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version and verify if March 2021 security updates are installed.

Check Version:

Get-SPFarm | Select BuildVersion (PowerShell) or check Central Administration > Upgrade and Migration > Check product and patch installation status

Verify Fix Applied:

Verify installation of KB5000871 (SharePoint 2013), KB5000872 (SharePoint 2016), or KB5000873 (SharePoint 2019).

📡 Detection & Monitoring

Log Indicators:

  • Unusual PowerShell execution from SharePoint processes
  • Suspicious file uploads to SharePoint
  • Authentication anomalies

Network Indicators:

  • Abnormal outbound connections from SharePoint servers
  • Unexpected PowerShell remoting traffic

SIEM Query:

source="sharepoint" AND (process="powershell" OR cmdline="*Invoke-Expression*" OR cmdline="*IEX*")

📊 Metadata

CVE ID: CVE-2021-27076
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: March 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON