Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Microsoft SharePoint Server Replay-Based Remote Code Execution

IdentifiersCVE-2021-27076CWE-294

CVE-2021-27076 is a Microsoft SharePoint Server remote code execution vulnerability described in the provided content as a replay-style integrity bypass affecting SharePoint. The writeup frames the bug as an instance where authenticated or trusted data can be captured in one context and reused in another, allowing SharePoint to accept reused state in a way that does not uniquely bind the original sender’s intent, timing, or transaction context. The content explicitly identifies the issue as ZDI-21-276 / CVE-2021-27076 and discusses it as foundational to later SharePoint research. However, the specific vulnerable SharePoint function, exact request path, and precise code-level sink for CVE-2021-27076 are not provided in the supplied material.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to remote code execution on a Microsoft SharePoint Server instance. The supplied content also shows this vulnerability being used in the wild to compromise a SharePoint service hosted under IIS, after which attackers executed post-exploitation activity via the IIS worker process and established persistence using DLL sideloading and a scheduled task. The direct impact of the vulnerability itself is server-side code execution in the SharePoint/IIS context, which can enable full compromise of the SharePoint application server and subsequent follow-on actions.

Mitigation

If you can’t patch tonight, do this now.

Specific mitigation guidance for CVE-2021-27076 is not provided in the supplied content. In the absence of patch-specific details, practical interim measures would include restricting external access to SharePoint, minimizing exposure of internet-facing SharePoint services, monitoring IIS/SharePoint activity for exploitation attempts and anomalous child-process or persistence behavior, and hunting for post-exploitation artifacts such as suspicious DLL sideloading and scheduled tasks. However, the authoritative mitigation details are not available in the provided material.

Remediation

Patch, then assume compromise.

The specific vendor remediation details for CVE-2021-27076 are not provided in the supplied content. The appropriate remediation is to apply Microsoft's security updates for CVE-2021-27076 to affected SharePoint Server deployments. Because the content does not include patch KBs, affected versions, or configuration-specific guidance, further remediation detail is currently not available from the provided material.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationBusiness Productivity Serversapplication
Microsoft CorporationSharepoint Foundationapplication
Microsoft CorporationSharepoint Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
malware newsNews
Jun 24, 2026
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader - Malware News - Malware Analysis, News and Indicators

A Microsoft SharePoint vulnerability exploited in the campaign and specifically referenced in a later intrusion example.

Read more
securelistNews
Oct 6, 2025
How a machine-learning model in Kaspersky SIEM detected DLL-hijacking incidents | Securelist

A SharePoint vulnerability leveraged to compromise a SharePoint service running on IIS, after which attackers deployed files and used DLL sideloading for execution/persistence (including a Cobalt Strike implant).

Read more
starlabs sgNews
May 12, 2022
New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108) | STAR Labs

A SharePoint replay-style deserialization vulnerability referenced as using the same session-data storage and reuse technique as the vulnerabilities discussed in the article.

Read more
securelistNews
May 13, 2021
StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon | Securelist

A Microsoft SharePoint remote code execution vulnerability targeted by the threat actor; the report also describes post-exploitation activity in a case involving this CVE.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2021-27076
NVD
nvd.nist.gov/vuln/detail/CVE-2021-27076
MITRE CWE · CWE-294
cwe.mitre.org
Patch
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076
Third Party Advisory
zerodayinitiative.com/advisories/ZDI-21-276