Latest SharePoint Server vulnerability: CVE-2026-55040 #
Rapid7 disclosed that certain versions of SharePoint Server are affected by an authentication bypass vulnerability stemming from weaknesses in how it validates JSON Web Tokens (JWTs). A remote, unauthenticated attacker who knows or enumerates a target user's Active Directory Security ID (SID) or User Principal Name (UPN) can leverage this flaw to bypass authentication checks. Successful exploitation grants the attacker unauthorized access, allowing them to perform actions, disclose files, and modify data under the identity of the impersonated user, including administrators. The vulnerability has been designated CVE-2026-55040 and has been rated critical with a CVSS score of 9.1.
Vulnerability researchers disclosed that this is the first link in a high-impact, two-vulnerability exploit chain originally developed for the Pwn2Own Berlin hacking competition. The second vulnerability, yet to be publicly disclosed, is a remote code execution (RCE) flaw. Microsoft plans to patch the RCE vulnerability during its August 2026 security update cycle. Applying the July 2026 patch for CVE-2026-55040 is critical, as it successfully disrupts this exploit chain and prevents unauthenticated RCE.
The following versions are affected
- SharePoint Enterprise Server 2016: Versions prior to 16.0.5561.1001
- SharePoint Server 2019: Versions prior to 16.0.10417.20175
- SharePoint Server Subscription Edition: Versions prior to 16.0.19725.20434
What is Microsoft SharePoint? #
Microsoft SharePoint is a web-based collaboration and document management platform, available both within Microsoft 365 and as on-premises software, that serves as a secure, centralized hub for storing, organizing, and sharing information across devices.
What is the impact? #
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass security checks, impersonate valid users, and gain unauthorized access to disclose or modify sensitive data on the SharePoint server.
Are any updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- SharePoint Enterprise Server 2016: Upgrade to version 16.0.5561.1001 or later.
- SharePoint Server 2019: Upgrade to version 16.0.10417.20175 or later.
- SharePoint Server Subscription Edition: Upgrade to version 16.0.19725.20434 or later.
How do I find Microsoft SharePoint Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Microsoft AND version:>0 AND (
(product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5561.1001)) OR
(product:="SharePoint Server 2019" AND (version:>=16.0.10337.12109 AND version:<16.0.10417.20175)) OR
(product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19725.20434))
)
March 2026: CVE-2026-20963 #
On January 13, 2026, Microsoft disclosed a remote code execution vulnerability, designated CVE-2026-20963, in Microsoft SharePoint. The vulnerability is due to deserialization of untrusted data in Microsoft SharePoint which allows a remote, unauthenticated attacker attacker to execute code over a network.
While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.
This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 18, 2026.
The following versions are affected:
- SharePoint Enterprise Server 2016 before version 16.0.5535.1001
- SharePoint Server 2019 before version 16.0.10417.20083
- SharePoint Server Subscription Edition before version 16.0.19127.20442
What is the impact? #
Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are any updates or workarounds available? #
Upgrade affected versions of SharePoint Server to the latest patched version.
SharePoint Enterprise Server 2016 version 16.0.5535.1001 or later
SharePoint Server 2019 version 16.0.10417.20083 or later
SharePoint Server Subscription Edition version 16.0.19127.20442 or later
How do I find Microsoft SharePoint Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Microsoft AND (
(product:="SharePoint Server 2016" AND (version:>=16.0 AND version:<16.0.5535.1001)) OR
(product:="SharePoint Server 2019" AND (version:>=16.0 AND version:<16.0.10417.20083)) OR
(product:="SharePoint Server Subscription Edition" AND (version:>=16.0 AND version:<16.0.19127.20442))
) AND NOT version:=""
July 2025 (Multiple CVEs) #
Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:
- SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
- SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.
The following versions are affected
- Microsoft SharePoint Enterprise Server 2016 versions currently unknown
- Microsoft SharePoint Server 2019 versions currently unknown
- Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are any updates or workarounds available? #
As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.
- Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
- Rotate SharePoint Server ASP.NET machine keys.
Upgrade affected systems to the new versions when a patch is available.
How do I find Microsoft SharePoint Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:="Microsoft" AND product:="SharePoint Server%"