CVE-2026-33112 Overview
CVE-2026-33112 is a deserialization of untrusted data vulnerability [CWE-502] in Microsoft Office SharePoint Server. An authenticated attacker can send a crafted serialized payload over the network to trigger code execution in the SharePoint application context. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Microsoft published the advisory on May 12, 2026, and assigned a CVSS 3.1 base score of 8.8.
Critical Impact
An authorized attacker with low privileges can execute arbitrary code on the SharePoint server, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2026-05-12 - Microsoft publishes security update advisory for CVE-2026-33112
- 2026-05-12 - CVE-2026-33112 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33112
Vulnerability Analysis
The vulnerability resides in SharePoint Server's processing of serialized .NET objects submitted through authenticated user requests. SharePoint deserializes attacker-supplied data without sufficient type validation, allowing crafted gadget chains to invoke arbitrary methods during object reconstruction. Successful exploitation results in remote code execution under the w3wp.exe worker process running the SharePoint web application pool identity.
Microsoft classifies the attack vector as Network with low attack complexity. The attacker must hold a low-privilege authenticated SharePoint account, such as a standard site member, to reach the vulnerable code path. No user interaction is required. EPSS data from May 17, 2026, reflects moderate exploitation likelihood relative to other recently disclosed CVEs.
Root Cause
The root cause is insecure deserialization [CWE-502] of untrusted input within a SharePoint server-side component. The deserializer reconstructs object graphs from attacker-controlled streams without enforcing an allow-list of safe types. This pattern enables gadget chains present in the .NET framework or SharePoint assemblies to trigger code execution during deserialization callbacks such as OnDeserialization or property setters.
Attack Vector
An attacker authenticates to the target SharePoint site with any valid low-privilege account. The attacker sends an HTTP request containing a serialized payload to a vulnerable SharePoint endpoint. SharePoint deserializes the payload server-side and invokes the embedded gadget chain. The chain executes operating system commands or loads additional payloads with the privileges of the SharePoint application pool account.
No verified public proof-of-concept exploit is available at the time of publication. Refer to the Microsoft Security Update CVE-2026-33112 advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-33112
Indicators of Compromise
- Unexpected child processes spawned by w3wp.exe hosting SharePoint application pools, such as cmd.exe, powershell.exe, or rundll32.exe
- New or modified files in SharePoint web directories under C:\inetpub\wwwroot\wss\VirtualDirectories\
- Authenticated HTTP POST requests to SharePoint endpoints containing base64-encoded serialized .NET payloads
- Outbound network connections from SharePoint servers to unfamiliar external hosts shortly after authenticated requests
Detection Strategies
- Monitor IIS logs for authenticated requests with abnormally large request bodies or __VIEWSTATE parameters to SharePoint handlers
- Inspect Windows Event Logs for .NET Runtime errors referencing BinaryFormatter, LosFormatter, or ObjectStateFormatter exceptions
- Alert on SharePoint application pool identities executing scripting interpreters or performing file writes outside expected directories
- Hunt for known ysoserial.net gadget signatures, including TypeConfuseDelegate and ActivitySurrogateSelector references, in request payloads
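The first strategy above, as an added example that is not part of the original advisory: it parses IIS W3C logs and flags authenticated POST requests whose body size is far above the median for authenticated POSTs. The log lines, accounts, paths, and thresholds are constructed; the advisory does not name the vulnerable endpoint, and the script assumes the cs-bytes field is enabled in IIS logging.

```python
import statistics

# Constructed sample in IIS W3C extended format; hosts, accounts and paths are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes
2026-05-14 09:01:12 GET /sites/team/SitePages/Home.aspx CONTOSO\alice 10.0.0.21 200 512
2026-05-14 09:01:40 POST /sites/team/_vti_bin/client.svc/ProcessQuery CONTOSO\alice 10.0.0.21 200 1840
2026-05-14 09:02:05 POST /sites/team/_vti_bin/client.svc/ProcessQuery CONTOSO\bob 10.0.0.34 200 2210
2026-05-14 09:02:31 POST /sites/team/_layouts/15/example.aspx - 10.0.0.77 401 90000
2026-05-14 09:03:02 POST /sites/team/_layouts/15/example.aspx CONTOSO\carol 10.0.0.77 200 96412
2026-05-14 09:03:45 POST /sites/team/_vti_bin/client.svc/ProcessQuery CONTOSO\bob 10.0.0.34 200 1530
"""

def parse_w3c(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A new #Fields directive can appear mid-file after a config change.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed lines
            rows.append(dict(zip(fields, values)))
    return rows

def flag_large_authenticated_posts(rows, factor=10, floor=16384):
    """Return authenticated POSTs whose body exceeds max(floor, factor * median)."""
    posts = [r for r in rows
             if r["cs-method"] == "POST"
             and r["cs-username"] != "-"      # "-" means no authenticated user
             and r["cs-bytes"].isdigit()]
    if not posts:
        return []
    baseline = statistics.median(int(r["cs-bytes"]) for r in posts)
    threshold = max(floor, factor * baseline)  # factor and floor are assumed values
    return [r for r in posts if int(r["cs-bytes"]) > threshold]

if __name__ == "__main__":
    for hit in flag_large_authenticated_posts(parse_w3c(SAMPLE_LOG)):
        print(hit["date"], hit["time"], hit["cs-username"], hit["cs-uri-stem"], hit["cs-bytes"])
```

Tune the factor and floor per farm, since document uploads legitimately produce large authenticated POSTs.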
Monitoring Recommendations
- Enable detailed IIS request logging and forward to a centralized SIEM for correlation across SharePoint farm members
- Track process lineage from w3wp.exe and baseline expected child processes to surface anomalies
- Review SharePoint ULS logs for unhandled exceptions originating from deserialization code paths
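The process-lineage recommendation above, as an added example that is not part of the original advisory: it learns which child processes w3wp.exe normally spawns and then triages new process-creation events against that baseline. All events, paths, and the service account are constructed; the field names follow Sysmon Event ID 1.

```python
import ntpath

# Interpreters the advisory lists as unexpected w3wp.exe children.
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

def ev(parent, image, cmdline, user="CONTOSO\\svc-sppool"):
    """Build one constructed process-creation event."""
    return {"ParentImage": parent, "Image": image,
            "CommandLine": cmdline, "User": user}

# Constructed baseline window: ASP.NET compilation under w3wp.exe, plus noise.
BASELINE_EVENTS = [
    ev(W3WP, CSC, "csc.exe /noconfig @args.cmdline"),
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]
# Constructed detection window.
OBSERVED_EVENTS = [
    ev(W3WP, CSC, "csc.exe /noconfig @args.cmdline"),
    ev(W3WP, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ev(W3WP, r"C:\Windows\Temp\helper.exe", "helper.exe"),
    ev(r"C:\Windows\System32\services.exe",
       r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
]

def exe_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def build_baseline(events):
    """Set of child image names seen under w3wp.exe in the baseline window."""
    return {exe_name(e["Image"]) for e in events
            if exe_name(e["ParentImage"]) == "w3wp.exe"}

def triage(events, baseline):
    """Return (severity, child, command line) for anomalous w3wp.exe children."""
    findings = []
    for e in events:
        if exe_name(e["ParentImage"]) != "w3wp.exe":
            continue
        child = exe_name(e["Image"])
        if child in INTERPRETERS:      # always alert, even if seen in the baseline
            findings.append(("high", child, e["CommandLine"]))
        elif child not in baseline:    # unknown child: queue for analyst review
            findings.append(("review", child, e["CommandLine"]))
    return findings

if __name__ == "__main__":
    for finding in triage(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```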
How to Mitigate CVE-2026-33112
Immediate Actions Required
- Apply the May 2026 Microsoft security updates for SharePoint Server Subscription Edition, 2019, and 2016 as documented in the Microsoft Security Update CVE-2026-33112 advisory
- Inventory all SharePoint farms and confirm patch deployment across web front-end, application, and search servers
- Audit SharePoint user accounts and remove unused or stale low-privilege accounts that could be leveraged for authenticated exploitation
- Rotate SharePoint farm and service account credentials if compromise is suspected
Patch Information
Microsoft released security updates addressing CVE-2026-33112 on May 12, 2026. Administrators should install the cumulative updates for the affected SharePoint Server editions through Microsoft Update, WSUS, or the Microsoft Update Catalog. Verify patch installation by checking build numbers against the values listed in the vendor advisory.
Workarounds
- Enforce multi-factor authentication on all SharePoint accounts to reduce the risk of credential-based access to authenticated endpoints
- Restrict SharePoint access to trusted network segments using web application firewall rules or reverse proxy filters that inspect for serialized payload signatures
- Run SharePoint application pools under least-privilege service accounts to limit the impact of successful code execution
- Disable or restrict SharePoint features and web parts not in active use to reduce exposed deserialization surface


