CVE-2021-40487: 
vulnerability analysis and mitigation

Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-40487) was disclosed on October 12, 2021. This vulnerability affects multiple versions of Microsoft SharePoint, including SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, and SharePoint Server 2019 (NVD).

The vulnerability exists within the Microsoft.SharePoint.WorkflowActions.SetVariableActivity class. The specific flaw involves the deserialization of untrusted data where a crafted SetVariableActivity element can result in instantiation of an arbitrary .NET type. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (ZDI Advisory).

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint. An attacker can leverage this vulnerability to execute code in the context of the web service account. Authentication is required to exploit this vulnerability (ZDI Advisory).

Microsoft has released a security update to address this vulnerability. The fix is included in the October 12, 2021 security update for affected SharePoint versions. Users are advised to apply the security update KB5002029 for SharePoint Enterprise Server 2016 and corresponding updates for other affected versions (Microsoft Support).