ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-33110 — Microsoft SharePoint Server Remote Code Execution via Unsafe Deserialization

A short review of CVE-2026-33110, a CVSS 8.8 deserialization vulnerability in Microsoft SharePoint Server that allows authenticated users with Site Member permissions to achieve remote code execution. Includes patch details for all affected SharePoint editions.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-33110 — Microsoft SharePoint Server Remote Code Execution via Unsafe Deserialization
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with basic Site Member permissions to execute arbitrary code remotely on the server. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, CVE-2026-33110 is one of six Remote Code Execution vulnerabilities addressed in SharePoint this month, arriving just weeks after a separate SharePoint zero day (CVE-2026-32201) was confirmed exploited in the wild during April 2026.

Technical Information

The root cause of CVE-2026-33110 is deserialization of untrusted data, classified under CWE-502. In .NET applications like SharePoint, deserialization vulnerabilities arise when the application accepts serialized objects from user controlled input and reconstructs them without adequate validation. If an attacker can supply a crafted serialized payload, the deserialization process can instantiate arbitrary objects and trigger code execution on the server.

The vulnerability is network accessible (Attack Vector: Network) and has low attack complexity, meaning an attacker does not need specialized knowledge of the target environment to achieve repeatable exploitation. The CVSS 3.1 vector string provided by Microsoft is: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting high impact across confidentiality, integrity, and availability.

A key characteristic of this flaw is the privilege requirement. The attacker must be authenticated, but only needs Site Member permissions, which is the default permission level granted to standard users in most SharePoint deployments. No user interaction is required; the vulnerable server can be compromised solely at the attacker's initiative without any action from a victim or administrator.

Attack Flow

From an attack flow perspective, exploitation would proceed as follows:

  1. The attacker authenticates to the target SharePoint server using valid credentials with at least Site Member level access.
  2. The attacker crafts a malicious serialized payload targeting the vulnerable deserialization endpoint within SharePoint.
  3. The attacker sends the payload over the network to the SharePoint server.
  4. The server deserializes the untrusted data without proper validation, causing the attacker's code to execute in the context of the SharePoint application.
  5. Depending on the server configuration and service account privileges, the attacker may achieve full control over the SharePoint server, access sensitive documents, pivot laterally within the network, or establish persistence.

The specific vulnerable component within SharePoint has not been publicly disclosed by Microsoft, and no public proof of concept exploit payloads are available at this time. The impact ratings (High for confidentiality, integrity, and availability) indicate that successful exploitation grants the attacker substantial control over the affected system.

Patch Information

Microsoft has released official patches for all supported on premises editions of SharePoint Server. There are no workarounds; applying the patch is the only vendor recommended mitigation. The MSRC advisory marks the Remediation Level as Official Fix with a Customer Action status of Required, meaning Microsoft considers this a mandatory security update.

The following Knowledge Base updates address CVE-2026-33110:

ProductKB ArticlePatched BuildReplaces
SharePoint Server Subscription EditionKB500286316.0.19725.20280KB5002853
SharePoint Server 2019KB500287016.0.10417.20128KB5002854
SharePoint Enterprise Server 2016KB500286816.0.5552.1002KB5002861

These cumulative updates are distributed through three channels: Microsoft Update (automatic delivery when automatic updates are enabled), the Microsoft Update Catalog (for manual standalone package download), and the Microsoft Download Center (direct download links). To verify successful patching, administrators should check their SharePoint build number against the patched builds listed above.

Workflow Manager Prerequisite

All three KB articles warn that if your farm currently runs SharePoint Workflow Manager, you must first install the Workflow Manager update (KB5002799) before applying the May 2026 cumulative update. For farms running the Classic version of Workflow Manager, a debug flag must also be enabled post installation using the following PowerShell commands:

$farm = Get-SPFarm $farm.ServerDebugFlags.Add(53601) $farm.update() iisreset

Additional Notes

These cumulative updates are superseding patches: KB5002863 replaces KB5002853, KB5002870 replaces KB5002854, and KB5002868 replaces KB5002861. If you skipped the previous month's update, the May 2026 patch includes those prior fixes as well. The same KB number (KB5002868) applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016, covering both editions with a single update.

Affected Systems and Versions

The following Microsoft SharePoint Server products are affected:

ProductSeverityPatched Build
Microsoft SharePoint Enterprise Server 2016Important16.0.5552.1002
Microsoft SharePoint Server 2019Important16.0.10417.20128
Microsoft SharePoint Server Subscription EditionImportant16.0.19725.20280

All on premises installations of these SharePoint Server editions running builds prior to the patched versions listed above are vulnerable. The vulnerability requires network access and authentication with at least Site Member permissions.

Vendor Security History

SharePoint has been a frequent subject of security advisories from Microsoft. In the May 2026 Patch Tuesday release alone, Microsoft addressed six distinct Remote Code Execution vulnerabilities in SharePoint, all rated with a CVSS score of 8.8. This concentration of high severity flaws in a single product within one patch cycle is notable.

More concerning is the recent history of active exploitation. During the April 2026 Patch Tuesday cycle, CVE-2026-32201, a different SharePoint vulnerability, was confirmed as being exploited in the wild as a zero day. This pattern of recurring critical SharePoint vulnerabilities, combined with demonstrated attacker interest, reinforces the need for organizations to treat SharePoint patching as a high priority activity.

The broader May 2026 Patch Tuesday addressed 120 vulnerabilities across the Microsoft ecosystem, though none were zero days exploited in the wild at the time of release.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization