CVE-2021-41344

8.1 HIGH

📋 TL;DR

CVE-2021-41344 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code on affected systems. This vulnerability affects SharePoint Server installations where attackers can upload specially crafted files. Organizations using vulnerable SharePoint Server versions are at risk.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Microsoft SharePoint Server 2019, SharePoint Server Subscription Edition
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to SharePoint. SharePoint Online is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SharePoint Server with potential lateral movement to other systems in the network, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to SharePoint data, privilege escalation within SharePoint, and potential execution of malicious code within the SharePoint application context.

🟢 If Mitigated

Limited impact with proper network segmentation, application whitelisting, and minimal privilege configurations preventing lateral movement.

🌐 Internet-Facing: HIGH - SharePoint servers often face the internet for collaboration, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with SharePoint access could exploit this, but the authentication requirement reduces the risk somewhat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to SharePoint. The vulnerability involves improper handling of file uploads leading to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 Security Update for SharePoint Server

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41344

Restart Required: Yes

Instructions:

1. Download the October 2021 security update for SharePoint Server from the Microsoft Update Catalog.
2. Apply the update to all SharePoint servers.
3. Restart SharePoint services or the server as required.
4. Test SharePoint functionality after patching.

🔧 Temporary Workarounds

Restrict file upload permissions

Platform: windows

Limit which users can upload files to SharePoint to reduce the attack surface.

Implement file type restrictions

Platform: windows

Configure SharePoint to block potentially dangerous file types from being uploaded.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SharePoint servers from critical systems
  • Deploy application control solutions to prevent execution of unauthorized code on SharePoint servers

🔍 How to Verify

Check if Vulnerable:

Check the SharePoint Server build version and compare it against the patched versions. Any build that predates the October 2021 security update is vulnerable.

Check Version:

In the SharePoint Management Shell, run: Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify that the October 2021 security update for SharePoint Server is installed, via the Windows Update history or SharePoint Central Administration.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns in SharePoint logs
  • Unexpected process execution on SharePoint servers
  • Authentication attempts followed by file upload activities

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • Suspicious file upload traffic patterns

SIEM Query:

source="sharepoint" AND (event_type="file_upload" OR event_type="process_execution") | stats count by user, file_type, process_name
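The log and SIEM indicators above can be turned into a concrete correlation rule. The following is an added example (not part of the original advisory) that runs over constructed sample events, counts uploads per user and file type as the SIEM query does, and flags a user whose authentication is followed within a short window by an upload of a server-executable file type or by process execution; the event fields, the RISKY_EXTENSIONS policy list and the sample events are assumptions, not real SharePoint log data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real SharePoint logs: (timestamp, user, event_type, detail).
# event_type values follow the page's SIEM query (file_upload / process_execution).
SAMPLE_EVENTS = [
    ("2021-10-12T09:00:05", "alice", "auth", "success"),
    ("2021-10-12T09:01:10", "alice", "file_upload", "report.docx"),
    ("2021-10-12T09:02:00", "bob", "auth", "success"),
    ("2021-10-12T09:02:30", "bob", "file_upload", "notes.aspx"),
    ("2021-10-12T09:02:45", "bob", "file_upload", "helper.ashx"),
    ("2021-10-12T09:03:10", "bob", "process_execution", "cmd.exe"),
    ("2021-10-12T14:00:00", "carol", "file_upload", "slides.pptx"),
]

# Assumed policy list: server-side executable types that end users should not be uploading.
RISKY_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".dll", ".exe"}

def _ext(name):
    """Lower-cased extension including the dot, or '' when the name has none."""
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def _parse(events):
    # Parse timestamps and sort chronologically so correlation sees logins first.
    return sorted((datetime.fromisoformat(ts), u, e, d) for ts, u, e, d in events)

def upload_stats(events):
    """Count uploads per (user, extension): the 'stats count by user, file_type' step."""
    counts = defaultdict(int)
    for _, user, etype, detail in _parse(events):
        if etype == "file_upload":
            counts[(user, _ext(detail))] += 1
    return dict(counts)

def find_suspicious_sessions(events, window_seconds=600):
    """Flag users whose login is followed within the window by a risky upload or process execution."""
    window, last_auth, findings = timedelta(seconds=window_seconds), {}, defaultdict(list)
    for ts, user, etype, detail in _parse(events):
        if etype == "auth":
            last_auth[user] = ts
            continue
        auth_ts = last_auth.get(user)
        if auth_ts is None or ts - auth_ts > window:
            continue  # no recent login for this user to correlate with
        delta = int((ts - auth_ts).total_seconds())
        if etype == "file_upload" and _ext(detail) in RISKY_EXTENSIONS:
            findings[user].append(f"risky upload {detail} {delta}s after login")
        elif etype == "process_execution":
            findings[user].append(f"process {detail} started {delta}s after login")
    return dict(findings)
```

With the sample data only "bob" is flagged: two uploads of server-executable types followed by a process start, all within 70 seconds of logging in.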
