CVE-2021-31964 – CVE-2021-31964 is a spoofing vulnerability in M... (How to Fix)

Q: What is the severity of CVE-2021-31964?

CVE-2021-31964 has a CVSS score of 7.6 (HIGH). CVE-2021-31964 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to trick users into clicking malicious links that appear to originate from trusted SharePoint sites. This affects organizations running vulnerable SharePoint Server versions, potentially enabling phishing attacks against authenticated users.

📋 TL;DR

CVE-2021-31964 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to trick users into clicking malicious links that appear to originate from trusted SharePoint sites. This affects organizations running vulnerable SharePoint Server versions, potentially enabling phishing attacks against authenticated users.

💻 Affected Systems

Products:

Microsoft SharePoint Server

Versions: 2013, 2016, 2019

Operating Systems: Windows Server

Default Config Vulnerable: ⚠️ Yes

Notes: SharePoint Online is not affected. Only on-premises SharePoint Server installations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Successful exploitation could lead to credential theft, session hijacking, or malware deployment through convincing phishing campaigns that bypass typical user skepticism by appearing as legitimate SharePoint links.

🟠

Likely Case

Attackers craft convincing phishing emails with SharePoint links that redirect to malicious sites, leading to credential harvesting or malware installation when users click them.

🟢

If Mitigated

With proper user awareness training and email filtering, impact is limited to occasional successful phishing attempts that can be contained through incident response.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction (clicking a link) but is technically simple once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31964

Restart Required: Yes

Instructions:

1. Download the June 2021 security update for your SharePoint version from Microsoft Update Catalog. 2. Apply the update following Microsoft's SharePoint patching procedures. 3. Restart SharePoint services as required.

🔧 Temporary Workarounds

URL validation configuration

windows

Configure SharePoint to validate and sanitize URLs more strictly

🧯 If You Can't Patch

Implement strict email filtering to detect and block SharePoint link spoofing attempts
Enhance user awareness training specifically about SharePoint link verification and phishing risks

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and compare against patched versions (post-June 2021 updates)

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that June 2021 security updates are installed via Windows Update history or SharePoint Central Administration

📡 Detection & Monitoring

Log Indicators:

Unusual URL redirect patterns in SharePoint logs
Multiple failed authentication attempts following SharePoint link clicks

Network Indicators:

HTTP redirects from SharePoint to external domains
Unusual outbound traffic patterns after SharePoint access

SIEM Query:

source="sharepoint*" AND (url_redirect OR http_302) AND dest_domain NOT IN (allowed_domains)

📊 Metadata

CVE ID: CVE-2021-31964

CVSS v3 Score: 7.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Published: June 8, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31964 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31964 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON