https://feed.craftedsignal.io/products/office-sharepoint/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 18:43:35 +0000https://feed.craftedsignal.io/briefs/2026-05-sharepoint-deserialization/Tue, 12 May 2026 18:43:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-sharepoint-deserialization/CVE-2026-40368 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint, allowing an authorized attacker to execute code over a network.CVE-2026-40368 describes a deserialization vulnerability affecting Microsoft Office SharePoint. This vulnerability allows an authorized attacker to execute arbitrary code over a network by deserializing untrusted data. The vulnerability stems from how SharePoint handles incoming data streams, potentially allowing malicious code to be injected during the deserialization process. Successful exploitation could lead to complete system compromise. Defenders should prioritize patching vulnerable SharePoint instances to mitigate this risk.

Attack Chain

1. Attacker authenticates to a SharePoint instance with valid credentials.
2. The attacker crafts a malicious payload containing serialized data designed to exploit the deserialization vulnerability.
3. The attacker injects the malicious payload into a SharePoint component that processes serialized data, such as a web part or workflow.
4. SharePoint attempts to deserialize the untrusted data without proper validation.
5. The deserialization process executes the attacker’s injected code.
6. The attacker gains arbitrary code execution within the context of the SharePoint application pool account.
7. The attacker can then escalate privileges, move laterally within the network, and compromise other systems.

Impact

Successful exploitation of CVE-2026-40368 allows an attacker to execute arbitrary code on the affected Microsoft Office SharePoint server. The vulnerability has a CVSS v3.1 score of 8.0, indicating a high severity. This could lead to unauthorized access to sensitive data, modification of SharePoint content, or complete compromise of the server and potentially the entire network.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-40368 on all affected SharePoint servers (reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40368).
• Monitor SharePoint logs for suspicious activity related to deserialization processes, looking for unusual patterns or error messages.
• Implement strict input validation and sanitization measures to prevent the injection of malicious serialized data.

]]>highadvisorydeserializationcode-executionsharepointhttps://feed.craftedsignal.io/briefs/2026-05-sharepoint-rce/Tue, 12 May 2026 18:35:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-sharepoint-rce/CVE-2026-40365 is a vulnerability in Microsoft Office SharePoint that allows an authorized attacker to execute code over a network due to insufficient granularity of access control.CVE-2026-40365 describes a vulnerability in Microsoft Office SharePoint that stems from insufficient granularity of access control. This flaw allows an authorized attacker to execute arbitrary code remotely over a network. Given the widespread use of SharePoint in enterprise environments, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive data, modification of critical systems, or disruption of business operations. Defenders should prioritize patching and consider implementing additional security measures to mitigate this threat.

Attack Chain

1. Attacker authenticates to a SharePoint instance with compromised or legitimate credentials.
2. Attacker leverages their authorized access to target specific SharePoint components with insufficient access controls.
3. Attacker crafts a malicious request to exploit the insufficient access control vulnerability.
4. The malicious request bypasses intended security checks due to the granularity issue.
5. The vulnerable SharePoint component processes the malicious request, leading to code execution.
6. Attacker executes arbitrary code within the context of the SharePoint server.
7. Attacker establishes persistence through techniques like creating scheduled tasks or modifying system files.
8. Attacker pivots to other systems on the network to achieve broader objectives, such as data exfiltration or lateral movement.

Impact

Successful exploitation of CVE-2026-40365 allows a remote attacker to execute arbitrary code on a vulnerable Microsoft Office SharePoint server. The impact includes potential compromise of sensitive data, disruption of services, and further exploitation of the internal network. Due to the insufficient granularity of access controls, an attacker with relatively low privileges could gain elevated privileges, leading to a full system compromise.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-40365 as soon as possible (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365).
• Monitor SharePoint servers for suspicious activity, such as unauthorized code execution or unexpected network connections.
• Implement the Sigma rule provided to detect potential exploitation attempts.

]]>highadvisorycvesharepointrcehttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-33110-sharepoint-deserialization/Tue, 12 May 2026 18:18:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-33110-sharepoint-deserialization/CVE-2026-33110 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint, allowing an authorized attacker to achieve remote code execution over a network.CVE-2026-33110 is a critical vulnerability affecting Microsoft Office SharePoint. The vulnerability stems from the deserialization of untrusted data, which can be exploited by an authorized attacker to achieve remote code execution (RCE) on the affected system. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the context of the SharePoint application, potentially leading to complete system compromise. The vulnerability was published on 2026-05-12 and requires an attacker to be authenticated, but requires no user interaction. This RCE vulnerability can allow attackers to pivot to other systems and gain access to sensitive data within the organization.

Attack Chain

1. An authorized attacker gains initial access to the SharePoint environment via valid credentials.
2. The attacker crafts a malicious payload containing serialized data designed to exploit the deserialization vulnerability (CVE-2026-33110).
3. The attacker injects the malicious payload into a SharePoint component that processes serialized data.
4. When SharePoint processes the crafted input, it attempts to deserialize the data.
5. The deserialization process triggers the execution of arbitrary code embedded within the malicious payload.
6. The attacker’s code executes with the privileges of the SharePoint application pool.
7. The attacker leverages the code execution to install a webshell for persistent access or perform lateral movement.
8. The attacker uses the compromised SharePoint server as a pivot point to access other systems on the network and exfiltrate sensitive information.

Impact

Successful exploitation of CVE-2026-33110 can lead to complete compromise of the SharePoint server, potentially impacting all sites and data hosted on the platform. An attacker could gain access to sensitive documents, modify content, or disrupt services for all users. Due to the central role SharePoint often plays in document management and collaboration, this vulnerability represents a significant risk to data confidentiality, integrity, and availability within an organization. The vulnerability could also be used as a stepping stone to compromise other systems within the network, leading to a widespread security breach.

Recommendation

• Apply the security update released by Microsoft to address CVE-2026-33110 on all affected SharePoint servers immediately. Refer to the Microsoft Security Response Center (MSRC) advisory for specific patching instructions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110.
• Deploy the Sigma rule “Detect SharePoint Suspicious Deserialization Attempt” to identify potential exploitation attempts based on unusual process execution.
• Monitor SharePoint logs for suspicious activity related to deserialization processes as an additional layer of defense.

]]>highadvisorycvedeserializationrcesharepoint