Latest SharePoint Server vulnerability: CVE-2026-55040 #

Rapid7 disclosed that certain versions of SharePoint Server are affected by an authentication bypass vulnerability stemming from weaknesses in how it validates JSON Web Tokens (JWTs). A remote, unauthenticated attacker who knows or enumerates a target user's Active Directory Security ID (SID) or User Principal Name (UPN) can leverage this flaw to bypass authentication checks. Successful exploitation grants the attacker unauthorized access, allowing them to perform actions, disclose files, and modify data under the identity of the impersonated user, including administrators. The vulnerability has been designated CVE-2026-55040 and has been rated critical with a CVSS score of 9.1.

Vulnerability researchers disclosed that this is the first link in a high-impact, two-vulnerability exploit chain originally developed for the Pwn2Own Berlin hacking competition. The second vulnerability, yet to be publicly disclosed, is a remote code execution (RCE) flaw. Microsoft plans to patch the RCE vulnerability during its August 2026 security update cycle. Applying the July 2026 patch for CVE-2026-55040 is critical, as it successfully disrupts this exploit chain and prevents unauthenticated RCE.

The following versions are affected

  • SharePoint Enterprise Server 2016: Versions prior to 16.0.5561.1001
  • SharePoint Server 2019: Versions prior to 16.0.10417.20175
  • SharePoint Server Subscription Edition: Versions prior to 16.0.19725.20434

    What is Microsoft SharePoint? #

    Microsoft SharePoint is a web-based collaboration and document management platform, available both within Microsoft 365 and as on-premises software, that serves as a secure, centralized hub for storing, organizing, and sharing information across devices.

    What is the impact? #

    Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass security checks, impersonate valid users, and gain unauthorized access to disclose or modify sensitive data on the SharePoint server.

    Are any updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • SharePoint Enterprise Server 2016: Upgrade to version 16.0.5561.1001 or later.
    • SharePoint Server 2019: Upgrade to version 16.0.10417.20175 or later.
    • SharePoint Server Subscription Edition: Upgrade to version 16.0.19725.20434 or later.

      How do I find Microsoft SharePoint Server installations with runZero? #

      From the Software Inventory, use the following query to locate potentially impacted assets:

      vendor:=Microsoft AND version:>0 AND (
        (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5561.1001)) OR
        (product:="SharePoint Server 2019" AND (version:>=16.0.10337.12109 AND version:<16.0.10417.20175)) OR
        (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19725.20434))
        )

      March 2026: CVE-2026-20963 #

      On January 13, 2026, Microsoft disclosed a remote code execution vulnerability, designated CVE-2026-20963, in Microsoft SharePoint. The vulnerability is due to deserialization of untrusted data in Microsoft SharePoint which allows a remote, unauthenticated attacker attacker to execute code over a network.

      While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.

      This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 18, 2026.

        The following versions are affected:

        • SharePoint Enterprise Server 2016 before version 16.0.5535.1001
        • SharePoint Server 2019 before version 16.0.10417.20083
        • SharePoint Server Subscription Edition before version 16.0.19127.20442

            What is the impact? #

            Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

            Are any updates or workarounds available? #

            Upgrade affected versions of SharePoint Server to the latest patched version.

            • SharePoint Enterprise Server 2016 version 16.0.5535.1001 or later

            • SharePoint Server 2019 version 16.0.10417.20083 or later

            • SharePoint Server Subscription Edition version 16.0.19127.20442 or later

              How do I find Microsoft SharePoint Server installations with runZero? #

              From the Software Inventory, use the following query to locate potentially impacted assets:

              vendor:=Microsoft AND (
                (product:="SharePoint Server 2016" AND (version:>=16.0 AND version:<16.0.5535.1001)) OR
                (product:="SharePoint Server 2019" AND (version:>=16.0 AND version:<16.0.10417.20083)) OR
                (product:="SharePoint Server Subscription Edition" AND (version:>=16.0 AND version:<16.0.19127.20442))
                ) AND NOT version:=""

              July 2025 (Multiple CVEs) #

              Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:

              • SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
              • SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.

              The following versions are affected

              • Microsoft SharePoint Enterprise Server 2016 versions currently unknown
              • Microsoft SharePoint Server 2019 versions currently unknown
              • Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508

                  What is the impact? #

                  Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

                  Are any updates or workarounds available? #

                  As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.

                  • Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
                  • Rotate SharePoint Server ASP.NET machine keys.
                  • Upgrade affected systems to the new versions when a patch is available.

                    How do I find Microsoft SharePoint Server installations with runZero? #

                    From the Software Inventory, use the following query to locate potentially impacted assets:

                    vendor:="Microsoft" AND product:="SharePoint Server%"

                    Written by Matthew Kienow

                    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

                    More about Matthew Kienow

                    Written by Tom Sellers

                    Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

                    More about Tom Sellers
                    Subscribe Now

                    Get the latest news and expert insights delivered in your inbox.

                    Welcome to the club! Your subscription to our newsletter is successful.

                    Explore more runZero

                    Product
                    Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
                    When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
                    Product Videos
                    runZero 5.0: Platform Demo
                    With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
                    runZero Perspective
                    BOD 26-04: A new era of prioritized remediation
                    A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
                    runZero Perspective
                    Dawn of the apex agentic adversary
                    When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
                    Podcasts
                    The shadow era AI, exploits, and cybersecurity's 90s comeback
                    HD Moore explains how AI is turning hacking back to the 90s, generating permanent exploit skeleton keys and breaking traditional defense.
                    Talks
                    Identifying exposures at scale with BloodHound OpenGraph
                    Traditional exposure management misses hidden attack paths. Learn how BloodHound and Cypher queries can uncover vulnerabilities beyond individual...
                    Podcasts
                    When is a vulnerability not a vulnerability?
                    Attackers care about outcomes, not CVEs. Tod Beardsley joins Distilled Security to discuss reframing risk from checklist compliance to adversary...
                    Podcasts
                    Know Your Adversary with HD Moore
                    runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.

                    See Results in Minutes

                    See & secure your total attack surface. Even the unknowns & unmanageable.