Introduction
A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with basic site privileges to execute arbitrary code remotely on the server. With a CVSS 3.1 base score of 8.8, low attack complexity, and no available workarounds, CVE-2026-33112 represents a serious risk for the hundreds of thousands of organizations running on premises SharePoint deployments.
Technical Information
CVE-2026-33112 is caused by the deserialization of untrusted data within Microsoft SharePoint Server, categorized under CWE-502 (Deserialization of Untrusted Data). The full CVSS 3.1 vector string is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down: the attack vector is network based, attack complexity is low, privileges required are low (no administrative access needed), no user interaction is required, and the impact is high across all three pillars of confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerability's impact is confined to the vulnerable component's security authority, though in practice that component is the SharePoint server itself.
Root Cause
The core issue is that SharePoint accepts serialized data from authenticated users and deserializes it without adequate validation. When an application deserializes untrusted input, an attacker can craft a malicious serialized object that, upon deserialization, triggers unintended operations including arbitrary code execution. This is a well understood vulnerability class in .NET environments, and SharePoint's server side processing of user supplied serialized data creates a direct path to code execution.
Attack Flow
Based on the available advisory details and analysis from the Zero Day Initiative, the exploitation path works as follows:
-
Authentication: The attacker authenticates to the target SharePoint server. Only low level privileges are required. As the Zero Day Initiative notes, anyone with site privileges possesses the necessary authentication to exploit this flaw. A Site Owner role is sufficient.
-
Payload Construction: The attacker crafts a malicious serialized object designed to execute arbitrary commands when deserialized by the SharePoint server.
-
Delivery: The attacker submits the crafted payload to the vulnerable SharePoint endpoint over the network. No user interaction is required on the server side.
-
Deserialization and Execution: The SharePoint server processes the incoming data and deserializes the untrusted payload without proper validation. The malicious object's deserialization logic executes, running the attacker's code in the context of the SharePoint application process.
-
Impact: Successful exploitation results in full compromise of the SharePoint server, with high impact to confidentiality, integrity, and availability. The attacker gains the ability to read sensitive data, modify content, and potentially disrupt service availability.
The low privilege requirement is particularly concerning in enterprise environments where many users hold site level permissions. This significantly broadens the pool of potential attackers, including compromised accounts, malicious insiders, or external attackers who have obtained any valid SharePoint credential.
Patch Information
Microsoft released official fixes on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory marks the remediation level as "Official Fix," confirming a complete vendor solution is available. Because SharePoint is a closed source product, no source code diff is publicly available; the fix is delivered through cumulative binary security updates.
Microsoft has explicitly stated that no mitigations or workarounds exist for this vulnerability. Applying the patches is the only supported remediation.
Applicable Updates
| SharePoint Edition | KB Article | Updated Build | Replaces | Package |
|---|---|---|---|---|
| Subscription Edition | KB5002863 | 16.0.19725.20280 | KB5002853 | uber-subscription-kb5002863-fullfile-x64-glb.exe |
| Server 2019 | KB5002870 | 16.0.10417.20128 | KB5002854 | sts2019-kb5002870-fullfile-x64-glb.exe |
| Enterprise Server 2016 | KB5002868 | 16.0.5552.1002 | KB5002861 | sts2016-kb5002868-fullfile-x64-glb.exe |
The same KB5002868 applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016, so organizations running either variant only need to install that single update.
SHA-256 Hashes
KB5002863: E2B144E8C5F7F85F147EA3B553E5D5487685741D96E7E5E1951F0EC9AAF4BF20
KB5002870: E845346170CC689E8602FA81822713AE6257DE1472B4EB62062C6CA238628B03
KB5002868: 56A8E176D8A30F4E307EE4AB405A9FA55BB306932C2A4CA09A57A74223910679
Distribution Channels
All three updates are available through Microsoft Update (automatic delivery), the Microsoft Update Catalog (standalone download), or the Microsoft Download Center (direct download links). A restart may be required after installation.
Prerequisites
If your SharePoint farm runs SharePoint Workflow Manager, you must first install KB5002799 (a November 2025 Workflow Manager update) before applying any of these May 2026 cumulative updates. Skipping this step could cause Workflow Manager compatibility issues after patching.
For the Subscription Edition, administrators must ensure the current release version is installed prior to applying the patch.
Affected Systems and Versions
The following SharePoint editions are confirmed vulnerable:
- Microsoft SharePoint Server Subscription Edition (versions prior to build 16.0.19725.20280)
- Microsoft SharePoint Server 2019 (versions prior to build 16.0.10417.20128)
- Microsoft SharePoint Enterprise Server 2016 (versions prior to build 16.0.5552.1002)
All three are rated "Important" severity by Microsoft with a "Remote Code Execution" impact classification.
Vendor Security History
SharePoint has a notable history as a target for sophisticated threat actors. Microsoft has documented that Chinese nation state groups, specifically Linen Typhoon and Violet Typhoon, have exploited SharePoint vulnerabilities to compromise internet facing servers. A threat actor tracked as Storm 2603 has also leveraged SharePoint flaws to deploy ransomware. Earlier in 2026, a critical SharePoint vulnerability patched in January was subsequently exploited in active attacks, prompting CISA to issue warnings.
As of the May 2026 disclosure, CVE-2026-33112 has not been observed in active exploitation and no public exploit code exists. However, the pattern of rapid weaponization of SharePoint vulnerabilities by advanced threat actors means organizations should not delay patching based on the current "Unproven" exploitability assessment.
References
- CVE-2026-33112: MSRC Security Update Guide
- CVE-2026-33112: NVD Entry
- KB5002863: Security Update for SharePoint Server Subscription Edition
- KB5002870: Security Update for SharePoint Server 2019
- KB5002868: Security Update for SharePoint Enterprise Server 2016
- Zero Day Initiative: The May 2026 Security Update Review
- BleepingComputer: Microsoft Patch Tuesday May 2026
- Microsoft Security Blog: Disrupting Active Exploitation of On Premises SharePoint Vulnerabilities
- BleepingComputer: Critical Microsoft SharePoint Flaw Now Exploited in Attacks
- Microsoft Download Center: KB5002868 for SharePoint Server 2016



