Skip to content
Home » Blog » Critical SharePoint vulnerability allows remote attacks without login. Bugs and Fixes.

Critical SharePoint vulnerability allows remote attacks without login. Bugs and Fixes.

Why this matters to your organization ?

  • The attacker can compromise the server with no login, steal cryptographic secrets, deploy malware and persist indefinitely.
  • Since SharePoint connects with AD, SQL Server, file shares and other critical infrastructure, a breach here can lead to access to all organizational data !

What you should do as soon as possible

  1. Apply the emergency security update now for your SharePoint version:
    • Subscription Edition : KB5002768
    • SharePoint Server 2019 : KB5002754
    • SharePoint Server 2016 : KB5002760
  2. Check if the file spinstall0.aspx exists in your SharePoint LAYOUTS directory, this is a strong indicator that the server is already compromised.
  3. Older versions of SharePoint are no more supported so there is no patch available.
    If you are still running SharePoint 2010 or 2013 farms, you should isolate or decommission them until you migrate to a supported SharePoint version.
  4. Rotate ASP.NET machine keys, enable Antimalware Scan Interface (AMSI) and deploy Defender or equivalent endpoint protection across SharePoint servers.

Initially, I was hesitant to install this patch due to potential bugs. However, given the severity of the vulnerability and the risk of unauthenticated remote code execution, we had no choice but to proceed with the update on our several SP 2019 mission critical farms.

Nintex and SharePoint Designer workflows stop working

I was right to be cautious: indeed, we encountered multiple critical bugs after applying the patch.
After installing the security update for SharePoint Server, users have reported that Nintex workflows stopped running. This issue may be related to changes in the web.config file that restrict certain types used by Nintex workflows.

To resolve this, you can modify the web.config file to authorize the necessary types. Specifically, you might need to add entries under the <authorizedTypes> section to allow types such as System.Int64 and others used by Nintex workflows.

After making these changes, it is recommended to clean the OWSTimer cache.

Follow this post for more information

If you are struggling to fix this issue without success you can consider running the following PowerShell command, to quickly restore Nintex workflow functionality :

$farm= Get-SPFarm
$farm.EnablePreParseSecurityCheckForWorkflow = $false
$farm.Update()

Warning
Disabling this property bypasses a security feature. Use this workaround only if necessary. Always document and monitor such changes.

We encountered the same issue in another environment with critical systems: SharePoint Designer workflows were being cancelled immediately upon start. To resolve it, we ran the same PowerShell script and then re-triggered the cancelled workflow instances.

In this environment, no search results were being returned either. Upon investigation, we found that the Search Service Application was throwing an error.

The fix was straightforward, we ran the SharePoint Configuration Wizard, which resolved the issue.

So, before setting EnablePreParseSecurityCheckForWorkflow to false, make sure to run the SharePoint Configuration Wizard right after applying the security update.

We also faced another issue with Search administration: the Search Service was unable to retrieve the topology. To resolve this, we cleared the OWSTimer cache on all SharePoint Search servers, which restored functionality.

It was definitely a day filled with critical bugs, one after another…

Modern page editing issue and fix

We also encountered another issue: we could not edit modern pages. In the comments of Stefan Goßner’s blog about this security update, several users reported the same problem after installing this KB. He suggested downloading the corresponding language pack for the KB (KB5002753 for SP 2019) and then running the SharePoint Configuration Wizard to resolve the issue.

In Summary

  • This SharePoint vulnerability enables unauthenticated remote code execution (RCE) and can lead to full takeover of exposed systems.
  • Only supported SharePoint versions have available patches, unsupported versions remain permanently vulnerable.
  • Searching for the spinstall0.aspx file can help identify potential compromise.
  • After applying the patch, Nintex and SharePoint Designer workflows may fail to start. To resolve this, add the appropriate tags in the web.config file or temporarily run the provided PowerShell script to disable the security check.
  • Modern pages become non-editable after installing the KB. Downloading the corresponding language pack and running the SharePoint Configuration Wizard fixes the issue.
  • Make sure to run the SharePoint Configuration Wizard immediately after applying the patch, before modifying workflow settings such as EnablePreParseSecurityCheckForWorkflow.
  • We also experienced search-related issues: missing results and failure to retrieve topology. In one case, we had to clear the OWSTimer cache on all Search servers to restore functionality.
  • Finally, thoroughly test all custom solutions and workflows to ensure they continue to operate correctly post-patch.