
SharePoint Server CVE patch breaks BCS .NET connections

And people got unpleasantly surprised

Over the past weekend, SharePoint Server was back in the news! A 0-day vulnerability was exploited, some servers were compromised, and Microsoft was scrambling to get the patches out. It was CVE-2025-53770 and a few related vulnerabilities that stirred up the quiet world of SharePoint on-prem. While it was refreshing to see that SharePoint Server is very much alive despite the focus on cloud-based SharePoint Online, the entire affair has underscored that Microsoft doesn’t spend as many resources on SharePoint Server maintenance as before.

As expected, the SharePoint SE patch was released first, followed by patches for SharePoint 2019 and 2016. However, it soon became apparent that the patch caused issues with UI elements on modern pages in SharePoint 2019. It took Microsoft a few more hours to release an additional patch for SP2019, and then, finally, SP2016 patches were released too. I don’t want to get into more details (get them on Microsoft’s customer guidance page), because this post is about something that has not been clearly documented by Microsoft: the impact on Business Connectivity Services (BCS) with .NET connectors.

The Impact on BCS and .NET Connectors

Business Connectivity Services, previously known as BDC, is a tool that enables SharePoint sites to connect seamlessly with data from external Line-of-Business systems. When it was released in the 2000s, most mainstream enterprise software did not support REST APIs, making connectors a necessary component for accessing this data. Building a custom .NET library that implemented such a connector was quite common, and a convenient way for software vendors to support SharePoint connectivity. Fast forward to the present: some SharePoint Server farms still rely on BCS because legacy enterprise systems tend to live for a long time. And some old .NET connectors are still churning out data from these systems.

Now, getting back to CVE-2025-53770 and all the patches hastily released by Microsoft to close it. As some frustrated SharePoint admins found out, these patches effectively break .NET connectors in BCS. There is an error in the logs:

Exception thrown while performing the BDC query in Entity Picker System.InvalidOperationException: 
The Model contains LobSystem (External System) of Type ‘DotNetAssembly’ which is not supported.
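
The error refers to the Type attribute of a LobSystem element in the BDC model. As an added example (not from the original post or from Microsoft), the PowerShell function below lists every LobSystem of Type DotNetAssembly in BDC model XML, so affected connectors can be inventoried before patching. It assumes the models have been exported to XML files; the sample model, its names and the folder path are constructed.

```powershell
# Constructed sample model: one .NET assembly connector, one database connector.
$sampleModel = @'
<?xml version="1.0" encoding="utf-8"?>
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="LegacyErpModel">
  <LobSystems>
    <LobSystem Name="LegacyErp" Type="DotNetAssembly">
      <LobSystemInstances>
        <LobSystemInstance Name="LegacyErpInstance" />
      </LobSystemInstances>
    </LobSystem>
    <LobSystem Name="HrDatabase" Type="Database" />
  </LobSystems>
</Model>
'@

function Find-DotNetAssemblyLobSystem {
    param(
        [Parameter(Mandatory)] [string] $ModelXml,
        [string] $Source = '(inline)'
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never resolve DTDs or external entities from model files
    $doc.LoadXml($ModelXml)

    # BDC models use a default namespace, so XPath needs an explicit prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('bdc', 'http://schemas.microsoft.com/windows/2007/BusinessDataCatalog')

    foreach ($lob in $doc.SelectNodes('//bdc:LobSystem', $ns)) {
        # Case-insensitive match in case a hand-edited model differs in casing.
        if ($lob.GetAttribute('Type') -ieq 'DotNetAssembly') {
            [pscustomobject]@{
                Source    = $Source
                Model     = $doc.DocumentElement.GetAttribute('Name')
                LobSystem = $lob.GetAttribute('Name')
                Type      = $lob.GetAttribute('Type')
            }
        }
    }
}

# Run against the constructed sample above.
Find-DotNetAssemblyLobSystem -ModelXml $sampleModel

# For a folder of exported models (placeholder path):
# Get-ChildItem 'C:\BdcExport' -Filter *.bdcm | ForEach-Object {
#     Find-DotNetAssemblyLobSystem -ModelXml (Get-Content $_.FullName -Raw) -Source $_.Name
# }
```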

Community Feedback and The Issue of Poor Communication

People left some comments about it in Stefan Goßner’s blog, well known in the community.

On that, Stefan responded with: [screenshot: sg-blog-screen1.png]

I was not able to find any information about DotNetAssembly being disabled or even deprecated. Contrary to Stefan’s statement, .NET connectors were working fine until the patch. Someone on that forum said:

It appears that the DotNetAssembly type has been deprecated for some time, but the enforcement only started with the June 2025 CU.

I haven’t had a chance to test whether it got broken in the June 2025 CU, the July 2025 CU or only with the out-of-band security patch, but it doesn’t change the fact that Microsoft failed to inform their customers about the retirement of a component in the product they have been paying for.

While I understand that Microsoft has mostly written off SharePoint Server, I’m sure that Stefan must realize how many legacy apps out there are supported by one or two engineers who still know how to deal with these systems. Even 9 months might not be enough to rebuild some of these apps. And with SharePoint Server 2016 and 2019 going EOL in July 2026, not many companies will spend resources on upgrading BCS connections instead of working on migration to a supported platform. Stefan maintains his position (though the blog’s disclaimer says that it does not necessarily state or reflect the views of Microsoft) in response to another user’s comment that converting .NET connectors to WCF takes time.

[screenshot: sg-blog-screen2.png]

The September 2024 CU had some big security hardening changes, but KB articles for SharePoint Server 2016, 2019, and Subscription Edition do not list the retirement or deprecation of DotNetAssembly connectors in BCS. There is a fix for BCS mentioned, but it doesn’t say anything about DotNetAssembly and is not referred to in the “Known issues in this update” section.

Fixes an issue in which the business data connectivity (BDC) features don’t work correctly after you install the latest .NET cumulative updates.

Conclusion

So here we are. No clear communication from Microsoft about the removal of functionality, combined with the urgency to patch a 0-day vulnerability: that’s a recipe for an unpleasant surprise in the form of broken legacy LOB connections in SharePoint.

P.S. I would like to emphasize that my intention is not to criticize Stefan Goßner or his work, but rather to highlight the complexities of this situation and the need for improved communication from Microsoft.