CVE-2020-1147

HIGH KEV

.NET Framework, SharePoint Server, and Visual Studio - Remote Code Execution via XML Input Deserialization


Exploitation Summary

CVE-2020-1147 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including Podalirius, West Shepherd, Steven Seeley, Soroush Dalili, and Spencer McIntyre; one of them is a Metasploit module, exploits/windows/http/sharepoint_data_deserialization.

AI-analyzed exploit summary: This exploit leverages a .NET deserialization vulnerability in Microsoft SharePoint Server (CVE-2020-1147) to achieve remote code execution. It uses a crafted DataSet payload with a gadget chain to trigger arbitrary command execution via the LosFormatter class.

Description

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.

Exploits (3)

exploitdb WORKING POC
by Podalirius · python · webapps · aspx
https://www.exploit-db.com/exploits/50151

This exploit leverages a .NET deserialization vulnerability in Microsoft SharePoint Server (CVE-2020-1147) to achieve remote code execution. It uses a crafted DataSet payload with a gadget chain to trigger arbitrary command execution via the LosFormatter class.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server 2010/2013/2016/2019
Auth required
Prerequisites: Valid SharePoint credentials · Access to the target SharePoint instance
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by West Shepherd · python · webapps · aspx
https://www.exploit-db.com/exploits/48747

This exploit leverages a .NET deserialization vulnerability in Microsoft SharePoint Server (CVE-2020-1147) to achieve remote code execution. It uses a crafted DataSet payload with a gadget chain to trigger arbitrary command execution via the LosFormatter class.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server 2010/2013/2016/2019
Auth required
Prerequisites: Valid SharePoint credentials · Access to the target SharePoint instance
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Steven Seeley, Soroush Dalili, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_data_deserialization.rb

This Metasploit module exploits a deserialization vulnerability in SharePoint (CVE-2020-1147) by crafting a malicious DataSet payload to achieve remote code execution. It leverages the TextFormattingRunProperties gadget chain and LosFormatter for deserialization.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint
Auth required
Prerequisites: Authenticated access to SharePoint · Valid credentials
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.9343
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2022-3898
Status published
Products (32)
microsoft/.net_core 2.1
microsoft/.net_core 3.1
microsoft/.net_framework 2.0 sp2
microsoft/.net_framework 3.0 sp2
microsoft/.net_framework 3.5
microsoft/.net_framework 4.6.2
microsoft/.net_framework 4.7
microsoft/.net_framework 4.7.1
microsoft/.net_framework 4.7.2
microsoft/.net_framework 4.6
... and 22 more
Published Jul 14, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026