diff --git a/documentation/modules/exploit/windows/http/sharepoint_unsafe_control.md b/documentation/modules/exploit/windows/http/sharepoint_unsafe_control.md
index 0a50ba7080..d1cac16471 100644
--- a/documentation/modules/exploit/windows/http/sharepoint_unsafe_control.md
+++ b/documentation/modules/exploit/windows/http/sharepoint_unsafe_control.md
@@ -55,6 +55,11 @@ Set this to the ViewState validation key if you have it.
 Set this to a SharePoint cookie if you have one. This is primarily useful for form auth.

+### SP_LIST
+
+Set this to the title of any valid SPlist on the targeted SharePoint site. The `Documents` SPlist is typically a safe
+option.
+
 ## Scenarios

 ### SharePoint 2019 on Windows Server 2016
diff --git a/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb b/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb
index 704f0c6c14..9d5e44b6a0 100644
--- a/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb
+++ b/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb
@@ -143,8 +143,12 @@ class MetasploitModule < Msf::Exploit::Remote
 end

 def exploit
- unless username && password
- fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword are required for exploitation')
+ if (username.blank? && password.blank?)
+ if cookie.blank?
+ fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword or COOKIE are required for exploitation')
+ end
+
+ print_warning('Using the specified COOKIE for authentication')
 end

 if (@validation_key = datastore['VALIDATION_KEY'])
diff --git a/modules/exploits/windows/http/sharepoint_unsafe_control.rb b/modules/exploits/windows/http/sharepoint_unsafe_control.rb
index f0c295d519..d993a85c93 100644
--- a/modules/exploits/windows/http/sharepoint_unsafe_control.rb
+++ b/modules/exploits/windows/http/sharepoint_unsafe_control.rb
@@ -145,8 +145,12 @@ class MetasploitModule < Msf::Exploit::Remote
 end

 def exploit
- unless username && password
- fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword are required for exploitation')
+ if (username.blank? && password.blank?)
+ if cookie.blank?
+ fail_with(Failure::BadConfig, 'HttpUsername and HttpPassword or COOKIE are required for exploitation')
+ end
+
+ print_warning('Using the specified COOKIE for authentication')
 end

 if (@validation_key = datastore['VALIDATION_KEY'])
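Review bot: In `exploit`, the new outer condition `username.blank? && password.blank?` is true only when both credentials are missing, so a configuration with just one of HttpUsername/HttpPassword set and no COOKIE now passes validation, whereas the removed `unless username && password` stopped when either value was absent. Consider `if username.blank? || password.blank?` so that any incomplete credential pair falls through to the COOKIE requirement and the BadConfig message. The identical hunk in sharepoint_ssi_viewstate.rb carries the same condition. The rest of `exploit` lies outside the hunk, so how a half-set credential pair is handled later is not visible here.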