Login Sign Up

CVE-2021-38651

7.6 HIGH

📋 TL;DR

CVE-2021-38651 is a spoofing vulnerability in Microsoft SharePoint Server that allows an attacker to trick users into clicking malicious links that appear to originate from trusted SharePoint sites. This affects organizations running vulnerable SharePoint Server versions. Attackers can exploit this to conduct phishing attacks or redirect users to malicious sites.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Microsoft SharePoint Server 2019, SharePoint Server Subscription Edition
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: SharePoint Online (Office 365) is not affected. Only on-premises SharePoint Server installations are vulnerable.

📦 What is this software?

Sharepoint Enterprise Server by Microsoft

View all CVEs affecting Sharepoint Enterprise Server →

Sharepoint Foundation by Microsoft

View all CVEs affecting Sharepoint Foundation →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Successful exploitation could lead to credential theft, malware installation, or data exfiltration through convincing phishing campaigns that appear to originate from legitimate SharePoint sites.

🟠

Likely Case

Attackers create convincing phishing emails with SharePoint links that redirect to malicious sites, potentially compromising user credentials or delivering malware.

🟢

If Mitigated

With proper URL filtering, user awareness training, and network segmentation, the impact is limited to potential user confusion or minor inconvenience.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking a link). The vulnerability is in how SharePoint handles URL validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in September 2021 patch cycle

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38651

Restart Required: Yes

Instructions:

1. Download the September 2021 security update for SharePoint Server from Microsoft Update Catalog. 2. Apply the update to all SharePoint servers. 3. Restart SharePoint services. 4. Test functionality after patching.

🔧 Temporary Workarounds

URL Filtering and Monitoring

all

Implement web filtering to block suspicious SharePoint URLs and monitor for unusual redirect patterns.

User Awareness Training

all

Train users to verify URLs before clicking, especially for SharePoint links in emails.

🧯 If You Can't Patch

  • Implement strict URL filtering at network perimeter to detect and block spoofed SharePoint URLs
  • Enable enhanced logging on SharePoint servers and monitor for suspicious URL patterns or redirects

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version against affected versions (2019 and Subscription Edition pre-September 2021 patches).

Check Version:

Get-SPFarm | Select BuildVersion (PowerShell) or check Central Administration > Upgrade and Migration > Check product and patch installation status

Verify Fix Applied:

Verify that September 2021 security updates are installed via Windows Update history or SharePoint Central Administration.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in SharePoint logs
  • Multiple redirects from SharePoint URLs to external domains
  • Increased failed authentication attempts following SharePoint link clicks

Network Indicators:

  • HTTP 302 redirects from SharePoint to unexpected domains
  • Unusual outbound traffic patterns following SharePoint access

SIEM Query:

source="sharepoint_logs" AND (url="*redirect*" OR url="*spoof*" OR status=302)

📊 Metadata

CVE ID: CVE-2021-38651
CVSS v3 Score: 7.6 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Published: September 15, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON