CVE-2020-16952

HIGH NUCLEI

Microsoft SharePoint Server-Side Include and ViewState RCE

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-16952. PoCs published by mr_me, wvu, including Metasploit module exploits/windows/http/sharepoint_ssi_viewstate. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint to leak the web.config file and forge a malicious ViewState for remote code execution. It requires authentication and targets specific SharePoint versions.

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint. The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

Exploits (1)

metasploit WORKING POC EXCELLENT

by mr_me, wvu · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint to leak the web.config file and forge a malicious ViewState for remote code execution. It requires authentication and targets specific SharePoint versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft SharePoint 2013, 2016, 2019

Auth required

Prerequisites: Authenticated SharePoint user with page creation privileges · Target SharePoint version within vulnerable build range

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Microsoft SharePoint - Remote Code Execution

HIGHby dwisiswant0

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/159612/Microsoft-SharePoint-SSI-ViewState-Remote-Code-Execution.html

Scores

CVSS v3 8.6

EPSS 0.7098

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Details

CWE

CWE-346

Status published

Products (3)

microsoft/sharepoint_enterprise_server 2016

microsoft/sharepoint_foundation 2013 sp1

microsoft/sharepoint_server 2019

Published Oct 16, 2020

Tracked Since Feb 18, 2026