Login Sign Up

CVE-2021-34520

8.1 HIGH
Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by deserializing untrusted data. It affects organizations running vulnerable SharePoint Server versions, potentially enabling attackers to take control of affected systems.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: 2019, 2016, 2013
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: SharePoint Server 2010 is not affected. SharePoint Online (Office 365) is not affected.

📦 What is this software?

Sharepoint Foundation by Microsoft

View all CVEs affecting Sharepoint Foundation →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SharePoint Server leading to data theft, lateral movement within the network, and deployment of ransomware or other malware.

🟠

Likely Case

Unauthorized access to sensitive SharePoint data, installation of backdoors, and potential privilege escalation within the SharePoint environment.

🟢

If Mitigated

Limited impact with proper network segmentation, application controls, and monitoring in place, though the vulnerability still presents a significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication to SharePoint, but standard user credentials may be sufficient. The vulnerability involves deserialization of untrusted data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34520

Restart Required: Yes

Instructions:

1. Apply the July 2021 security update for SharePoint Server from Microsoft Update. 2. Restart the SharePoint Server. 3. Verify the update was applied successfully.

🔧 Temporary Workarounds

Disable SharePoint Designer

windows

Restrict use of SharePoint Designer which may be involved in exploitation vectors

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SharePoint servers from critical assets
  • Enforce strong authentication requirements and monitor for unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and compare against patched versions. Unpatched versions from before July 2021 are vulnerable.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that the July 2021 security update is installed via Windows Update history or SharePoint version information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns to SharePoint
  • Unexpected process execution on SharePoint servers
  • Suspicious deserialization events in application logs

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • Suspicious PowerShell or command execution traffic

SIEM Query:

source="sharepoint" AND (event_id=6398 OR event_id=6399) AND process_execution="powershell.exe"

📊 Metadata

CVE ID: CVE-2021-34520
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-502
Published: July 14, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34520, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)