ZeroPath at Black Hat USA 2026

Microsoft SharePoint CVE-2026-47294: Brief Summary of a Deserialization to OS Command Injection RCE

A brief summary of CVE-2026-47294, a high severity deserialization vulnerability in Microsoft SharePoint Server that enables OS command injection and remote code execution, affecting SharePoint 2016, 2019, and Subscription Edition.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Microsoft SharePoint CVE-2026-47294: Brief Summary of a Deserialization to OS Command Injection RCE
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Microsoft SharePoint's on-premises server product line continues to be one of the most actively targeted enterprise attack surfaces in 2026, and CVE-2026-47294 adds another chapter to a pattern that has persisted for over a year. This deserialization vulnerability enables remote code execution through OS command injection, carrying a CVSS 3.1 base score of 8.0 (HIGH), and it affects all three supported on-premises SharePoint Server editions: Enterprise Server 2016, Server 2019, and Subscription Edition.

What makes this CVE particularly noteworthy is not just the vulnerability itself, but its context. It arrives after at least nine other SharePoint deserialization RCE vulnerabilities disclosed between July 2025 and May 2026, several of which were confirmed exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog. The CWE classification for this one also diverges from the pattern, suggesting a distinct exploitation path worth examining.

Technical Information

Root Cause: Deserialization Leading to OS Command Injection

CVE-2026-47294 is described as a "deserialization of untrusted data" vulnerability in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network. The flaw arises when SharePoint deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

The interesting technical detail here is the CWE classification. While the description references deserialization (which would typically map to CWE-502, Deserialization of Untrusted Data), the assigned CWE is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). This is a departure from the six SharePoint RCE CVEs disclosed in May 2026 (CVE-2026-33110, CVE-2026-33112, CVE-2026-35439, CVE-2026-40357, CVE-2026-40365, CVE-2026-40403), all of which were classified under CWE-502. The January 2026 CVE-2026-20963 was also CWE-502.

According to MITRE's definition, CWE-78 occurs when software constructs all or part of an OS command using externally influenced input but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command. This enables attackers to execute unauthorized operating system commands, which could be used to disable the product, or read and modify data for which the attacker does not have authorization.

The dual classification implies a two-stage exploitation chain: untrusted data is deserialized by SharePoint, and during or after deserialization, special elements in the data are not properly neutralized, ultimately enabling OS command injection through the deserialized payload. This means the deserialization boundary is crossed first, and the resulting objects or data flow into a code path that constructs OS commands without adequate sanitization.

CVSS v3.1 Vector Analysis

The full CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, yielding a base score of 8.0.

MetricValueMeaning
Attack VectorNetworkExploitable remotely
Attack ComplexityLowNo specialized conditions required
Privileges RequiredLowAttacker needs basic authorized access
User InteractionRequiredVictim must take some action
ScopeUnchangedImpact limited to the vulnerable component
ConfidentialityHighTotal information disclosure possible
IntegrityHighTotal system integrity compromise possible
AvailabilityHighTotal system availability loss possible

The temporal metrics are also informative: Exploit Code Maturity is Unproven (E:U), Remediation Level is Official Fix (RL:O), and Report Confidence is Confirmed (RC:C). The vendor has confirmed the vulnerability and released a fix, but no public exploit code exists yet.

The user interaction requirement (UI:R) is the primary factor that separates this CVE's 8.0 score from the 8.8 scores of the May 2026 SharePoint CVEs, which did not require user interaction (UI:N). In practice, user interaction in SharePoint contexts (opening a document, navigating to a page, clicking a link) is often trivially achievable through social engineering or normal business workflows, so the practical severity gap may be narrower than the score difference suggests.

Attack Flow

Based on the CVSS vector, CWE classification, and vulnerability description, the likely exploitation chain follows this sequence:

  1. Authentication: The attacker obtains or already possesses low-level authorized access to the SharePoint environment (PR:L). This could be any authenticated user account.

  2. Payload Crafting: The attacker constructs malicious serialized data containing special elements designed to trigger OS command injection when deserialized.

  3. Delivery: The payload is delivered through a SharePoint feature that processes serialized data. The user interaction requirement (UI:R) suggests the payload is delivered via a mechanism such as a document upload, web part interaction, or similar SharePoint feature where another user (or the system acting on behalf of a user) must interact with the malicious content.

  4. Deserialization: SharePoint processes the untrusted serialized data without adequate validation. The deserialized content flows into a code path that constructs OS commands.

  5. Command Injection: Special elements within the deserialized data are not neutralized, allowing the attacker to inject arbitrary OS commands.

  6. Execution: The injected commands execute with the privileges of the SharePoint application pool identity, typically yielding high impact across confidentiality, integrity, and availability of the server.

Microsoft has consistently stated that on-premises SharePoint deserialization vulnerabilities do not affect SharePoint Online in Microsoft 365. Only on-premises deployments of SharePoint Server are at risk.

Why CWE-78 Matters for Defenders

The CWE-78 classification has practical implications for detection and defense. Organizations that have built detection rules focused on CWE-502 style deserialization attacks (monitoring for suspicious .NET deserialization patterns, gadget chain indicators, or known deserialization sinks) may not catch an attack that ultimately manifests as OS command injection. Defenders should also monitor for:

  • Unexpected process creation from SharePoint application pool worker processes (w3wp.exe)
  • OS command execution artifacts such as cmd.exe or powershell.exe spawned by IIS worker processes
  • Anomalous command line arguments in processes spawned within the SharePoint application context

These are general indicators consistent with CWE-78 exploitation in a web application context, not specific detection signatures for this CVE.

Affected Systems and Versions

Three Microsoft SharePoint Server product lines are affected:

ProductVulnerable Version RangeFixed Version
Microsoft SharePoint Enterprise Server 2016 (x64)16.0.0 through 16.0.5552.100116.0.5552.1002
Microsoft SharePoint Server 2019 (x64)16.0.0 through 16.0.10417.2012716.0.10417.20128
Microsoft SharePoint Server Subscription Edition (x64)16.0.0 through 16.0.19725.2027916.0.19725.20280

SharePoint Online (Microsoft 365) is not affected. However, hybrid deployments that include on-premises SharePoint Server components remain exposed on those on-premises servers.

The publication date of June 1, 2026 falls after the May 13, 2026 Patch Tuesday cycle, which may indicate this was an out-of-band or late-cycle addition. Specific KB article numbers for the CVE-2026-47294 security update have not been independently confirmed beyond the MSRC advisory reference.

Vendor Security History

Microsoft SharePoint Server's security track record over the past year paints a clear picture of a product under sustained pressure from deserialization and RCE vulnerabilities:

TimeframeCVE(s)CVSSCWEExploited in Wild
July 2025CVE-2025-53770, CVE-2025-53771CriticalDeserializationYes, confirmed by Microsoft
January 2026CVE-2026-209639.8CWE-502Yes, added to CISA KEV
April 2026CVE-2026-32201Not specifiedAuth BypassUnder investigation
May 2026CVE-2026-33110, 33112, 35439, 40357, 40365, 404038.8 (all six)CWE-502Not confirmed
June 2026CVE-2026-472948.0CWE-78Not confirmed (E:U)

The July 2025 exploitation was significant enough that Microsoft published a dedicated blog post detailing its efforts to disrupt active exploitation of on-premises SharePoint vulnerabilities. Akamai's research found that over 20% of observed environments were exposed to SharePoint vulnerabilities during that period.

CVE-2026-20963 was particularly impactful: a CVSS 9.8 unauthenticated RCE that was confirmed exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog on March 18, 2026. CERT-EU and the Canadian Centre for Cyber Security both issued advisories for that vulnerability.

The accumulation of six RCE vulnerabilities in SharePoint Server in May 2026 alone, all rated 8.8, was described by security analysts as particularly challenging for on-premises SharePoint administrators. CVE-2026-47294 extends this pattern into June.

The recurring nature of deserialization flaws in SharePoint Server suggests a structural weakness in the on-premises product's handling of serialized data that has not been fully remediated at the architectural level. Organizations should plan for continued SharePoint RCE disclosures and consider architectural mitigations such as network segmentation, WAF deployment, and migration to SharePoint Online where feasible as longer term strategies rather than relying solely on per-CVE patching.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization