CVE-2020-1147 Overview
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. This insecure deserialization vulnerability allows an attacker to execute arbitrary code in the context of the process responsible for deserializing content. The vulnerability specifically affects the DataSet and DataTable types during XML deserialization operations, making it particularly dangerous for web applications that process untrusted XML data.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation allows attackers to achieve remote code execution on affected systems, potentially compromising enterprise SharePoint deployments, development environments, and any application utilizing vulnerable .NET Framework versions.
Affected Products
- Microsoft .NET Core 2.1 and 3.1
- Microsoft .NET Framework 2.0 SP2 through 4.8 across multiple Windows versions
- Microsoft SharePoint Server 2010 SP2, 2013 SP1, 2016, and 2019
- Microsoft SharePoint Enterprise Server 2013 SP1 and 2016
- Microsoft Visual Studio 2017 and 2019
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 (multiple versions)
- Microsoft Windows Server 2008 SP2/R2 SP1, 2012/R2, 2016, and 2019
Discovery Timeline
- July 14, 2020 - CVE-2020-1147 published to NVD
- October 29, 2025 - Last updated in NVD database
Technical Details for CVE-2020-1147
Vulnerability Analysis
This vulnerability stems from improper handling of XML input during deserialization operations in .NET's DataSet and DataTable classes. When these classes process XML data, they fail to adequately validate the source markup, enabling attackers to inject malicious serialized objects that execute arbitrary code upon deserialization.
The vulnerability is particularly impactful because DataSet and DataTable are commonly used throughout the .NET ecosystem for data manipulation and transfer. SharePoint Server is especially vulnerable due to its extensive use of these components for processing user-supplied data through web services and list operations.
Root Cause
The root cause is an insecure deserialization flaw in how .NET Framework processes XML data. The DataSet.ReadXml() and DataTable.ReadXml() methods do not properly validate the type information embedded within XML payloads. This allows an attacker to craft malicious XML that, when deserialized, instantiates arbitrary .NET types with attacker-controlled properties, leading to code execution.
The vulnerability exists because the XML parser trusts type information provided in the data itself, a classic insecure deserialization pattern where user-controlled input dictates which code gets executed.
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted XML payload to an application that deserializes it using the vulnerable DataSet or DataTable methods. In the context of SharePoint, this can be achieved through various entry points including web services, list operations, or any functionality that processes XML input.
The attack requires user interaction in some scenarios (such as opening a malicious document) but can be fully remote in server-side contexts like SharePoint. The exploitation technique leverages .NET's type loading mechanism to instantiate dangerous gadget chains that ultimately execute arbitrary commands.
For detailed exploitation techniques, refer to the SharePoint DataSet DataTable Deserialization analysis and the Microsoft SharePoint Server 2019 Remote Code Execution exploit.
Detection Methods for CVE-2020-1147
Indicators of Compromise
- Suspicious XML payloads containing serialized .NET type references, particularly those referencing System.Data.DataSet or System.Data.DataTable with embedded type information
- Anomalous web requests to SharePoint endpoints containing large or obfuscated XML data
- Unexpected process spawning from w3wp.exe (IIS worker process) or SharePoint-related processes
- Evidence of deserialization gadget chains in application logs or memory dumps
Detection Strategies
- Monitor for XML deserialization operations involving untrusted input sources in .NET applications
- Implement web application firewall (WAF) rules to detect malformed or suspicious XML payloads targeting SharePoint and .NET endpoints
- Enable detailed logging for SharePoint web services and review for anomalous XML processing activity
- Deploy endpoint detection to identify unexpected child process creation from web server processes
Monitoring Recommendations
- Configure SIEM alerts for exploit patterns associated with CVE-2020-1147, particularly focusing on SharePoint server activity
- Monitor network traffic for large XML payloads being sent to SharePoint web services
- Review Windows Event Logs for .NET runtime exceptions related to deserialization failures, which may indicate exploitation attempts
- Enable SentinelOne's behavioral AI to detect post-exploitation activity following successful RCE
How to Mitigate CVE-2020-1147
Immediate Actions Required
- Apply Microsoft security updates immediately as this vulnerability is actively exploited in the wild and listed in CISA's KEV catalog
- Prioritize patching SharePoint servers due to their exposure to remote exploitation
- Review and restrict access to SharePoint web services pending patch deployment
- Implement network segmentation to limit lateral movement if exploitation occurs
Patch Information
Microsoft has released security updates addressing this vulnerability. Organizations should apply the patches available through the Microsoft Security Advisory for CVE-2020-1147. The patches address the vulnerability by implementing proper validation of XML input before deserialization in the affected .NET components.
For .NET Core applications, update to patched versions of .NET Core 2.1 and 3.1. For .NET Framework, install the appropriate Windows security updates for your specific Windows version and .NET Framework combination.
Workarounds
- Avoid deserializing DataSet or DataTable objects from untrusted XML sources until patches are applied
- Implement input validation to reject XML containing unexpected type information or suspicious patterns
- Consider using XmlReader with restricted settings instead of direct DataSet.ReadXml() calls for processing XML
- For SharePoint environments, temporarily disable or restrict access to web services that process user-controlled XML input
# Verify .NET Framework patch status on Windows systems
# Check installed hotfixes for July 2020 security updates
wmic qfe list | findstr /i "KB4565489 KB4565479 KB4565627"
# For SharePoint servers, verify SharePoint cumulative update installation
Get-SPFarm | Select BuildVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
