{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/office-sharepoint/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-40368"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office SharePoint"],"_cs_severities":["high"],"_cs_tags":["deserialization","code-execution","sharepoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40368 describes a deserialization vulnerability affecting Microsoft Office SharePoint. This vulnerability allows an authorized attacker to execute arbitrary code over a network by deserializing untrusted data. The vulnerability stems from how SharePoint handles incoming data streams, potentially allowing malicious code to be injected during the deserialization process. Successful exploitation could lead to complete system compromise. 
Defenders should prioritize patching vulnerable SharePoint instances to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a SharePoint instance with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing serialized data designed to exploit the deserialization vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a SharePoint component that processes serialized data, such as a web part or workflow.\u003c/li\u003e\n\u003cli\u003eSharePoint attempts to deserialize the untrusted data without proper validation.\u003c/li\u003e\n\u003cli\u003eThe deserialization process executes the attacker\u0026rsquo;s injected code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the SharePoint application pool account.\u003c/li\u003e\n\u003cli\u003eThe attacker can then escalate privileges, move laterally within the network, and compromise other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40368 allows an attacker to execute arbitrary code on the affected Microsoft Office SharePoint server. The vulnerability has a CVSS v3.1 score of 8.0, indicating a high severity. 
This could lead to unauthorized access to sensitive data, modification of SharePoint content, or complete compromise of the server and potentially the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40368 on all affected SharePoint servers (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40368\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40368\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor SharePoint logs for suspicious activity related to deserialization processes, looking for unusual patterns or error messages.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent the injection of malicious serialized data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:43:35Z","date_published":"2026-05-12T18:43:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sharepoint-deserialization/","summary":"CVE-2026-40368 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint, allowing an authorized attacker to execute code over a network.","title":"CVE-2026-40368 - Microsoft Office SharePoint Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-sharepoint-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40365"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office SharePoint"],"_cs_severities":["high"],"_cs_tags":["cve","sharepoint","rce"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40365 describes a vulnerability in Microsoft Office SharePoint that stems from insufficient granularity of access control. This flaw allows an authorized attacker to execute arbitrary code remotely over a network. 
Given the widespread use of SharePoint in enterprise environments, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive data, modification of critical systems, or disruption of business operations. Defenders should prioritize patching and consider implementing additional security measures to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a SharePoint instance with compromised or legitimate credentials.\u003c/li\u003e\n\u003cli\u003eAttacker leverages their authorized access to target specific SharePoint components with insufficient access controls.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request to exploit the insufficient access control vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious request bypasses intended security checks due to the granularity issue.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SharePoint component processes the malicious request, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAttacker executes arbitrary code within the context of the SharePoint server.\u003c/li\u003e\n\u003cli\u003eAttacker establishes persistence through techniques like creating scheduled tasks or modifying system files.\u003c/li\u003e\n\u003cli\u003eAttacker pivots to other systems on the network to achieve broader objectives, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40365 allows a remote attacker to execute arbitrary code on a vulnerable Microsoft Office SharePoint server. The impact includes potential compromise of sensitive data, disruption of services, and further exploitation of the internal network. 
Due to the insufficient granularity of access controls, an attacker with relatively low privileges could gain elevated privileges, leading to a full system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40365 as soon as possible (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor SharePoint servers for suspicious activity, such as unauthorized code execution or unexpected network connections.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:35:52Z","date_published":"2026-05-12T18:35:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sharepoint-rce/","summary":"CVE-2026-40365 is a vulnerability in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network due to insufficient granularity of access control.","title":"CVE-2026-40365: Microsoft Office SharePoint Insufficient Access Control RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-sharepoint-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33110"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office SharePoint"],"_cs_severities":["high"],"_cs_tags":["cve","deserialization","rce","sharepoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-33110 is a critical vulnerability affecting Microsoft Office SharePoint. The vulnerability stems from the deserialization of untrusted data, which can be exploited by an authorized attacker to achieve remote code execution (RCE) on the affected system. 
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the context of the SharePoint application, potentially leading to complete system compromise. The vulnerability was published on 2026-05-12 and requires an attacker to be authenticated, but requires no user interaction. This RCE vulnerability can allow attackers to pivot to other systems and gain access to sensitive data within the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authorized attacker gains initial access to the SharePoint environment via valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing serialized data designed to exploit the deserialization vulnerability (CVE-2026-33110).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into a SharePoint component that processes serialized data.\u003c/li\u003e\n\u003cli\u003eWhen SharePoint processes the crafted input, it attempts to deserialize the data.\u003c/li\u003e\n\u003cli\u003eThe deserialization process triggers the execution of arbitrary code embedded within the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the SharePoint application pool.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to install a webshell for persistent access or perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised SharePoint server as a pivot point to access other systems on the network and exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33110 can lead to complete compromise of the SharePoint server, potentially impacting all sites and data hosted on the platform. 
An attacker could gain access to sensitive documents, modify content, or disrupt services for all users. Due to the central role SharePoint often plays in document management and collaboration, this vulnerability represents a significant risk to data confidentiality, integrity, and availability within an organization. The vulnerability could also be used as a stepping stone to compromise other systems within the network, leading to a widespread security breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to address CVE-2026-33110 on all affected SharePoint servers immediately. Refer to the Microsoft Security Response Center (MSRC) advisory for specific patching instructions: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SharePoint Suspicious Deserialization Attempt\u0026rdquo; to identify potential exploitation attempts based on unusual process execution.\u003c/li\u003e\n\u003cli\u003eMonitor SharePoint logs for suspicious activity related to deserialization processes as an additional layer of defense.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:18:43Z","date_published":"2026-05-12T18:18:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33110-sharepoint-deserialization/","summary":"CVE-2026-33110 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint, allowing an authorized attacker to achieve remote code execution over a network.","title":"CVE-2026-33110 - Microsoft SharePoint Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33110-sharepoint-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Office 
SharePoint","version":"https://jsonfeed.org/version/1.1"}