CVE-2021-31172 – CVE-2021-31172 is a spoofing vulnerability in M... (How to Fix)

Q: What is the severity of CVE-2021-31172?

CVE-2021-31172 has a CVSS score of 7.1 (HIGH). CVE-2021-31172 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to trick users into performing actions they didn't intend. This affects organizations running vulnerable SharePoint Server versions, potentially leading to unauthorized actions or data exposure.

📋 TL;DR

CVE-2021-31172 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to trick users into performing actions they didn't intend. This affects organizations running vulnerable SharePoint Server versions, potentially leading to unauthorized actions or data exposure.

💻 Affected Systems

Products:

Microsoft SharePoint Server

Versions: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2013 Service Pack 1

Operating Systems: Windows Server

Default Config Vulnerable: ⚠️ Yes

Notes: SharePoint Online is not affected. On-premises SharePoint deployments are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could impersonate legitimate users to perform administrative actions, modify content, or access sensitive data without authorization.

🟠

Likely Case

Attackers trick users into clicking malicious links that appear legitimate, leading to unintended actions within SharePoint.

🟢

If Mitigated

With proper authentication controls and user awareness, impact is limited to low-privilege actions by authenticated users.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction and some level of access to SharePoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2021 Security Updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31172

Restart Required: Yes

Instructions:

1. Download the May 2021 security update for your SharePoint version from Microsoft Update Catalog. 2. Apply the update to all SharePoint servers. 3. Restart SharePoint services. 4. Test functionality.

🔧 Temporary Workarounds

Disable custom code

windows

Restrict or disable custom code execution in SharePoint to reduce attack surface.

🧯 If You Can't Patch

Implement strict access controls and least privilege principles for SharePoint users.
Enable detailed logging and monitoring for suspicious SharePoint activities.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and compare with patched versions in Microsoft advisory.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that May 2021 security updates are installed via Windows Update or version check.

📡 Detection & Monitoring

Log Indicators:

Unusual authentication patterns
Suspicious URL requests in SharePoint logs
Unexpected user actions

Network Indicators:

Abnormal traffic patterns to SharePoint web services

SIEM Query:

source="sharepoint" AND (url="*spoof*" OR action="unexpected")

📊 Metadata

CVE ID: CVE-2021-31172

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE: CWE-290

Published: May 11, 2021

Last Updated: February 28, 2025

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31172 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31172 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-31172, you might also want to check these: