CVE-2020-1025

high-risk

Published 2020-07-14

An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access. To exploit this vulnerability, an attacker would need to modify the token. The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.

Do I need to act?

13.8% chance of exploitation in next 30 days

EPSS score — higher than 86% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Lync

Sharepoint Enterprise Server

Sharepoint Foundation

Sharepoint Server

Skype For Business

Affected Vendors

Microsoft

References (2)

Patch https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 12/34 · Low

Exposure 13/34 · Low