Login Sign Up

CVE-2021-42294

7.2 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on Microsoft SharePoint Server by sending specially crafted requests. It affects organizations running vulnerable SharePoint Server versions, potentially enabling attackers to take control of affected systems.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: 2019, 2016, 2013
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; SharePoint Online not affected.

📦 What is this software?

Sharepoint Enterprise Server by Microsoft

View all CVEs affecting Sharepoint Enterprise Server →

Sharepoint Enterprise Server by Microsoft

View all CVEs affecting Sharepoint Enterprise Server →

Sharepoint Foundation by Microsoft

View all CVEs affecting Sharepoint Foundation →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

Sharepoint Server by Microsoft

View all CVEs affecting Sharepoint Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SharePoint Server leading to data theft, lateral movement within network, and persistent backdoor installation.

🟠

Likely Case

Unauthorized access to sensitive SharePoint data, privilege escalation, and potential ransomware deployment.

🟢

If Mitigated

Limited impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access; exploitation details not publicly disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: November 2021 Security Updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42294

Restart Required: Yes

Instructions:

1. Apply November 2021 security updates for SharePoint Server. 2. Restart SharePoint services. 3. Verify patch installation via Central Administration.

🔧 Temporary Workarounds

Restrict SharePoint Application Pool Permissions

windows

Reduce privileges of SharePoint application pool accounts to limit potential damage.

Configure IIS Application Pool Identity with minimal privileges

Network Segmentation

all

Isolate SharePoint servers from critical network segments.

Implement firewall rules to restrict SharePoint server communications

🧯 If You Can't Patch

  • Implement strict authentication and authorization controls for SharePoint access.
  • Deploy web application firewall (WAF) with SharePoint-specific rules.

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version and patch level in Central Administration > Upgrade and Migration > Check product and patch installation status.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Verify November 2021 security updates are installed via Windows Update history or SharePoint patch status.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PowerShell execution from SharePoint processes
  • Suspicious file uploads to SharePoint
  • Authentication anomalies

Network Indicators:

  • Abnormal outbound connections from SharePoint servers
  • Unexpected PowerShell remoting traffic

SIEM Query:

source="sharepoint" AND (process="powershell" OR command="*Invoke-Expression*" OR file_upload="*.aspx")

📊 Metadata

CVE ID: CVE-2021-42294
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: December 15, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON