A critical remote code execution vulnerability, tracked as CVE-2020-1147 and affecting Microsoft SharePoint servers, has been patched by Microsoft. The vulnerability resides in two .NET components, DataSet and DataTable, which are used for managing data sets, and stems from the software failing to check the source markup of XML file input. The vulnerability also exists in the .NET Framework and Visual Studio.

To exploit the vulnerability, an attacker, even one with low privileges, could upload a specially crafted document to a server that uses a vulnerable product to process content. Since the vulnerability also exists in several additional .NET-based applications and could therefore be exploited against products other than SharePoint, it is important to apply the patch as soon as possible.
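Because other .NET-based applications can be affected, an inventory of in-house code that loads XML into DataSet or DataTable helps decide what to patch and review first. The Python script below is an added example, not code from CERT-PH or Microsoft; it assumes ReadXml and ReadXmlSchema are the loading calls to review, and the C# sample it scans is constructed for illustration.

```python
import re

# "DataSet ds = ..." or "DataTable dt;" style declarations
DECL_TYPED = re.compile(r"\b(DataSet|DataTable)\s+(\w+)\s*(?:=|;)")
# "var ds = new DataSet(...)" style declarations
DECL_VAR = re.compile(r"\bvar\s+(\w+)\s*=\s*new\s+(DataSet|DataTable)\s*\(")
# Assumption: ReadXml / ReadXmlSchema are the XML-loading calls worth reviewing
CALL = re.compile(r"\b(\w+)\s*\.\s*(ReadXml|ReadXmlSchema)\s*\(")

# Constructed C# sample (not from any real project)
SAMPLE = '''\
using System.Data;
class Importer {
    void Load(string uploadedPath) {
        var ds = new DataSet();
        ds.ReadXml(uploadedPath);          // document supplied by a user
        DataTable dt = new DataTable("t");
        dt.ReadXmlSchema(uploadedPath);
        // dt.ReadXml(uploadedPath);
        var other = new LegacyReader();    // hypothetical unrelated type
        other.ReadXml(uploadedPath);
    }
}
'''


def find_xml_loads(source):
    """Return (line_no, variable, type, method) for each XML load
    performed on a variable declared as DataSet or DataTable."""
    declared = {}   # variable name -> declared type
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        # Drop trailing // comments; string literals are not parsed
        line = raw.split("//", 1)[0]
        for m in DECL_TYPED.finditer(line):
            declared[m.group(2)] = m.group(1)
        for m in DECL_VAR.finditer(line):
            declared[m.group(1)] = m.group(2)
        for m in CALL.finditer(line):
            var, method = m.group(1), m.group(2)
            if var in declared:
                findings.append((no, var, declared[var], method))
    return findings


if __name__ == "__main__":
    for no, var, typ, method in find_xml_loads(SAMPLE):
        print(f"line {no}: {typ} '{var}' calls {method}() - check input source")
```

Each hit is a place to confirm where the XML comes from and that the host running the code has the update applied.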

In many cases, SharePoint servers are integrated with the Active Directory service and are exposed to the Internet, making them relatively easy and popular targets among threat actors. Since 2019, several nation-state actors have been reported exploiting another vulnerability in SharePoint servers (CVE-2019-0604). It is estimated that the CVE-2020-1147 vulnerability may eventually gain similar popularity.


A. Nature of Attack

The following systems are affected by this vulnerability:

.NET Core
.NET Framework
SharePoint Enterprise Server:

  • SharePoint Enterprise Server 2013
  • SharePoint Enterprise Server 2016

SharePoint Server:

  • SharePoint Enterprise Server 2013
  • SharePoint Enterprise Server 2016

Visual Studio:

  • Visual Studio 2017
  • Visual Studio 2019


B. Actions to be Taken

CERT-PH recommends that the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected systems from the latest monthly update published by Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147).