ZeroPath at Black Hat USA 2026

Brief Summary: Microsoft SharePoint Server RCE via Deserialization (CVE-2026-40357)

A short review of CVE-2026-40357, a high severity deserialization vulnerability in Microsoft SharePoint Server that enables authenticated remote code execution. Includes patch details for all affected SharePoint editions.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: Microsoft SharePoint Server RCE via Deserialization (CVE-2026-40357)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Microsoft's May 2026 Patch Tuesday addressed 120 flaws, and buried within that batch are six separate remote code execution vulnerabilities targeting SharePoint Server, all scored at CVSS 8.8. CVE-2026-40357 is one of two in that group that exploits insecure deserialization, allowing any authenticated user with basic Site Member permissions to execute arbitrary code on the server over the network.

For organizations running on premises SharePoint, this is a meaningful risk: the attack complexity is low, no user interaction is required, and the privilege bar is minimal. The combination of these factors with high impact across confidentiality, integrity, and availability makes this vulnerability worth understanding and patching promptly.

Technical Information

Root Cause: CWE-502 Deserialization of Untrusted Data

CVE-2026-40357 is classified under CWE-502, Deserialization of Untrusted Data. The core issue lies in how Microsoft Office SharePoint processes serialized data received from network requests. When SharePoint deserializes data without adequate validation or sanitization, an attacker can craft a malicious serialized payload that, upon deserialization, triggers arbitrary code execution on the server.

The vulnerable component is bound to the network stack, meaning exploitation does not require local access or adjacency to the target. It is remotely exploitable across one or more network hops.

CVSS Breakdown

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Breaking this down:

MetricValueMeaning
Attack VectorNetworkExploitable remotely
Attack ComplexityLowRepeatable success without specialized conditions
Privileges RequiredLowSite Member permissions are sufficient
User InteractionNoneNo victim action needed
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityHighFull read access to server data
IntegrityHighAbility to modify server data
AvailabilityHighAbility to disrupt server operations

Attack Flow

Based on the advisory details, the exploitation path follows this general sequence:

  1. Authentication: The attacker obtains or already possesses valid credentials for the SharePoint environment. The minimum required privilege level is Site Member, which is a common, low tier role in most SharePoint deployments.

  2. Payload Construction: The attacker crafts a malicious serialized object designed to execute arbitrary commands upon deserialization. The specific serialization format and endpoint are not publicly documented, but the CWE-502 classification confirms the deserialization pathway.

  3. Network Delivery: The attacker sends the crafted payload to the vulnerable SharePoint Server endpoint over the network. No special network positioning or timing conditions are required (Attack Complexity: Low).

  4. Deserialization and Execution: The SharePoint Server processes the incoming request and deserializes the attacker controlled data without sufficient validation. This triggers the execution of the embedded malicious code on the server, with the impact spanning full compromise of confidentiality, integrity, and availability.

Broader Context: A Cluster of SharePoint Deserialization Flaws

CVE-2026-40357 does not exist in isolation. The May 2026 patch cycle addressed six SharePoint RCE vulnerabilities, all with a CVSS score of 8.8:

CVECVSS ScoreVulnerability Type
CVE-2026-331108.8Remote Code Execution
CVE-2026-331128.8Remote Code Execution
CVE-2026-354398.8Remote Code Execution (Deserialization)
CVE-2026-403578.8Remote Code Execution (Deserialization)
CVE-2026-403658.8Remote Code Execution
CVE-2026-404038.8Remote Code Execution

The presence of two deserialization flaws (CVE-2026-35439 and CVE-2026-40357) in the same patch cycle suggests a systemic pattern in how SharePoint handles serialized data, rather than an isolated coding error.

Patch Information

Microsoft released official patches for CVE-2026-40357 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The fix addresses how SharePoint handles deserialized data from untrusted sources, hardening the server side processing pipeline against malicious payloads.

Three separate security updates were published, each targeting a different supported SharePoint Server edition:

ProductKB ArticleBuild NumberReplaces
SharePoint Server Subscription EditionKB500286316.0.19725.20280KB5002853
SharePoint Server 2019KB500287016.0.10417.20128KB5002854
SharePoint Enterprise Server 2016KB5002868

Each KB package is cumulative. The Subscription Edition update (KB5002863) also addresses CVE-2026-33112, CVE-2026-33110, CVE-2026-40368, and CVE-2026-35439. The SharePoint Server 2019 update (KB5002870) covers additional CVEs including CVE-2026-40367 and CVE-2026-40365. Administrators should treat these as comprehensive rollups rather than single vulnerability patches.

Installation Methods

Microsoft provides three installation methods for each update:

  1. Microsoft Update: Automatic delivery when auto update is enabled.
  2. Microsoft Update Catalog: Standalone packages available for manual download (e.g., catalog entry for KB5002863).
  3. Microsoft Download Center: Direct download links such as KB5002863 for Subscription Edition and KB5002870 for SharePoint 2019.

Prerequisites and Caveats

One important prerequisite applies: if the environment runs SharePoint Workflow Manager, administrators must first install KB5002799 (the November 2025 Workflow Manager update) before applying any of these May 2026 cumulative updates. Failing to do so could break workflow functionality.

Environments still running the Classic version of Workflow Manager must enable a debug flag via PowerShell and run iisreset to maintain compatibility:

$farm.ServerDebugFlags.Add(53601) iisreset

Integrity Verification

The SHA-256 hash for the Subscription Edition package is:

E2B144E8C5F7F85F147EA3B553E5D5487685741D96E7E5E1951F0EC9AAF4BF20

This can be used to verify download integrity before deployment.

There are no alternative workarounds listed for this vulnerability. Applying the official patches is the only endorsed remediation path.

Affected Systems and Versions

The following on premises SharePoint Server editions are confirmed vulnerable:

ProductTarget Build After Patching
Microsoft SharePoint Server Subscription Edition16.0.19725.20280
Microsoft SharePoint Server 201916.0.10417.20128
Microsoft SharePoint Enterprise Server 201616.0.5552.1002

Any installation running a build number below the listed target is vulnerable and requires the corresponding KB update. The advisories focus exclusively on on premises server editions; specific details on whether SharePoint Online environments required backend patching by Microsoft are not documented in the available materials.

Vendor Security History

SharePoint Server accumulated six different Remote Code Execution vulnerabilities in the May 2026 patch cycle alone, all carrying an identical CVSS score of 8.8. Two of these six specifically involve deserialization of untrusted data (CVE-2026-40357 and CVE-2026-35439), indicating a concentrated area of weakness in SharePoint's serialization handling. This pattern suggests that security researchers and Microsoft's internal teams are actively auditing this attack surface, and organizations should expect continued attention to deserialization related flaws in future patch cycles.

The May 2026 Patch Tuesday addressed 120 flaws total across Microsoft's product portfolio, with no zero days reported. While the current exploitability assessment for CVE-2026-40357 is "Exploitation Less Likely," the concentration of similar vulnerabilities in a single release increases the likelihood that threat actors will reverse engineer the patches to identify exploitable code paths.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization