As part of its October monthly software updates and security fixes, Microsoft has patched a critical-severity flaw found in Microsoft SharePoint Server that could enable remote attackers to arbitrary code execution in the context of the local administrator on affected installations of SharePoint server.

Tracked as CVE-2020-16952, a remote code execution vulnerability that exists in Microsoft SharePoint when the software fails to check the source markup of an application package. To exploit the vulnerability, attackers must upload a specially crafted SharePoint application package to an affected version of SharePoint. Successful exploitation would enable attackers to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

As of this writing, proof-of-concept (POC) code has been published and is publicly available, meaning that exploitation of the flaw can occur at vulnerable systems. Furthermore, a report made by British Cybersecurity Authority indicates that there are active cases of exploitation in various local organizations. In addition, two flaws found in SharePoint were listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Top 10 Routinely Exploited Vulnerabilities.


A. Nature of the Attack

What are the affected versions of this vulnerability:

Microsoft SharePoint:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected system from the latest monthly update published by Microsoft. (