ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-33112 — Deserialization RCE in Microsoft SharePoint Server

A short review of CVE-2026-33112, a deserialization vulnerability in Microsoft SharePoint Server that allows authenticated users with low privileges to achieve remote code execution. Includes patch details for all affected SharePoint editions.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-33112 — Deserialization RCE in Microsoft SharePoint Server
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A deserialization flaw in Microsoft SharePoint Server, patched in the May 2026 Patch Tuesday cycle, allows any authenticated user with basic site privileges to execute arbitrary code remotely on the server. With a CVSS 3.1 base score of 8.8, low attack complexity, and no available workarounds, CVE-2026-33112 represents a serious risk for the hundreds of thousands of organizations running on premises SharePoint deployments.

Technical Information

CVE-2026-33112 is caused by the deserialization of untrusted data within Microsoft SharePoint Server, categorized under CWE-502 (Deserialization of Untrusted Data). The full CVSS 3.1 vector string is:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down: the attack vector is network based, attack complexity is low, privileges required are low (no administrative access needed), no user interaction is required, and the impact is high across all three pillars of confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerability's impact is confined to the vulnerable component's security authority, though in practice that component is the SharePoint server itself.

Root Cause

The core issue is that SharePoint accepts serialized data from authenticated users and deserializes it without adequate validation. When an application deserializes untrusted input, an attacker can craft a malicious serialized object that, upon deserialization, triggers unintended operations including arbitrary code execution. This is a well understood vulnerability class in .NET environments, and SharePoint's server side processing of user supplied serialized data creates a direct path to code execution.

Attack Flow

Based on the available advisory details and analysis from the Zero Day Initiative, the exploitation path works as follows:

  1. Authentication: The attacker authenticates to the target SharePoint server. Only low level privileges are required. As the Zero Day Initiative notes, anyone with site privileges possesses the necessary authentication to exploit this flaw. A Site Owner role is sufficient.

  2. Payload Construction: The attacker crafts a malicious serialized object designed to execute arbitrary commands when deserialized by the SharePoint server.

  3. Delivery: The attacker submits the crafted payload to the vulnerable SharePoint endpoint over the network. No user interaction is required on the server side.

  4. Deserialization and Execution: The SharePoint server processes the incoming data and deserializes the untrusted payload without proper validation. The malicious object's deserialization logic executes, running the attacker's code in the context of the SharePoint application process.

  5. Impact: Successful exploitation results in full compromise of the SharePoint server, with high impact to confidentiality, integrity, and availability. The attacker gains the ability to read sensitive data, modify content, and potentially disrupt service availability.

The low privilege requirement is particularly concerning in enterprise environments where many users hold site level permissions. This significantly broadens the pool of potential attackers, including compromised accounts, malicious insiders, or external attackers who have obtained any valid SharePoint credential.

Patch Information

Microsoft released official fixes on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory marks the remediation level as "Official Fix," confirming a complete vendor solution is available. Because SharePoint is a closed source product, no source code diff is publicly available; the fix is delivered through cumulative binary security updates.

Microsoft has explicitly stated that no mitigations or workarounds exist for this vulnerability. Applying the patches is the only supported remediation.

Applicable Updates

SharePoint EditionKB ArticleUpdated BuildReplacesPackage
Subscription EditionKB500286316.0.19725.20280KB5002853uber-subscription-kb5002863-fullfile-x64-glb.exe
Server 2019KB500287016.0.10417.20128KB5002854sts2019-kb5002870-fullfile-x64-glb.exe
Enterprise Server 2016KB500286816.0.5552.1002KB5002861sts2016-kb5002868-fullfile-x64-glb.exe

The same KB5002868 applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016, so organizations running either variant only need to install that single update.

SHA-256 Hashes

KB5002863: E2B144E8C5F7F85F147EA3B553E5D5487685741D96E7E5E1951F0EC9AAF4BF20
KB5002870: E845346170CC689E8602FA81822713AE6257DE1472B4EB62062C6CA238628B03
KB5002868: 56A8E176D8A30F4E307EE4AB405A9FA55BB306932C2A4CA09A57A74223910679

Distribution Channels

All three updates are available through Microsoft Update (automatic delivery), the Microsoft Update Catalog (standalone download), or the Microsoft Download Center (direct download links). A restart may be required after installation.

Prerequisites

If your SharePoint farm runs SharePoint Workflow Manager, you must first install KB5002799 (a November 2025 Workflow Manager update) before applying any of these May 2026 cumulative updates. Skipping this step could cause Workflow Manager compatibility issues after patching.

For the Subscription Edition, administrators must ensure the current release version is installed prior to applying the patch.

Affected Systems and Versions

The following SharePoint editions are confirmed vulnerable:

  • Microsoft SharePoint Server Subscription Edition (versions prior to build 16.0.19725.20280)
  • Microsoft SharePoint Server 2019 (versions prior to build 16.0.10417.20128)
  • Microsoft SharePoint Enterprise Server 2016 (versions prior to build 16.0.5552.1002)

All three are rated "Important" severity by Microsoft with a "Remote Code Execution" impact classification.

Vendor Security History

SharePoint has a notable history as a target for sophisticated threat actors. Microsoft has documented that Chinese nation state groups, specifically Linen Typhoon and Violet Typhoon, have exploited SharePoint vulnerabilities to compromise internet facing servers. A threat actor tracked as Storm 2603 has also leveraged SharePoint flaws to deploy ransomware. Earlier in 2026, a critical SharePoint vulnerability patched in January was subsequently exploited in active attacks, prompting CISA to issue warnings.

As of the May 2026 disclosure, CVE-2026-33112 has not been observed in active exploitation and no public exploit code exists. However, the pattern of rapid weaponization of SharePoint vulnerabilities by advanced threat actors means organizations should not delay patching based on the current "Unproven" exploitability assessment.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization