Microsoft Discloses Denial-of-Service Flaws in SharePoint Server and .NET Framework
Microsoft published security advisories for two denial-of-service vulnerabilities affecting widely deployed enterprise software: CVE-2024-43466 in Microsoft SharePoint Server and CVE-2026-23666 in the .NET Framework. Both entries were released through the Microsoft Security Response Center's Security Update Guide, identifying the products and impact category as denial of service.
The disclosures indicate that organizations running on-premises SharePoint environments or applications dependent on the .NET Framework should review Microsoft's update guidance and assess exposure across affected systems. While the advisories provided limited public technical detail, the combination of flaws highlights continued risk to core Microsoft infrastructure components that support collaboration platforms and business applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2026-23666 in .NET Framework
Microsoft added CVE-2026-23666 to its Security Update Guide as a .NET Framework denial-of-service vulnerability.
Microsoft publishes advisory for CVE-2024-43466 in SharePoint Server
Microsoft added CVE-2024-43466 to its Security Update Guide as a Microsoft SharePoint Server denial-of-service vulnerability.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-23666 - Security Update Guide - Microsoft - .NET Framework Denial of Service Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-43466 - Security Update Guide - Microsoft - Microsoft SharePoint Server Denial of Service Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Discloses Two SharePoint Remote Code Execution Vulnerabilities
Microsoft published security advisories for **CVE-2025-49704** and **CVE-2025-49701**, identifying both flaws as **Microsoft SharePoint Remote Code Execution** vulnerabilities. The entries were added to the Microsoft Security Update Guide, indicating that SharePoint deployments are affected by vulnerabilities that could allow code execution on targeted systems. The advisories provide formal tracking for two separate SharePoint RCE issues and signal that organizations running Microsoft SharePoint should review the associated update guidance and remediation information for both CVEs. The dual disclosure highlights concurrent risk in a widely used enterprise collaboration platform and raises the urgency for defenders to assess exposure across SharePoint environments.
Jun 12, 2026
Microsoft SharePoint Flaws Expose Internet-Facing Servers to Spoofing and RCE Risk
More than **1,370 internet-facing Microsoft SharePoint servers** were reported exposed to active exploitation of **`CVE-2026-32201`**, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Microsoft disclosed the flaw in April and CISA added it to the **Known Exploited Vulnerabilities** catalog the same day, underscoring the urgency for defenders. Although Microsoft scored the bug at **CVSS 6.5**, the risk is elevated because it can be exploited **remotely without authentication** against exposed on-premises deployments, potentially allowing attackers to impersonate users, access or alter sensitive content, steal credentials, and move laterally inside victim environments. The exposure comes amid broader concern over SharePoint security, including Microsoft's disclosure of **`CVE-2026-26106`**, a **remote code execution** vulnerability in SharePoint Server, and earlier reporting that a **China-linked threat actor** was involved in SharePoint attacks, according to Mandiant. The concentration of exposed systems was highest in the **United States**, and the combined reporting points to sustained attacker interest in SharePoint as a route into enterprise networks. Organizations were urged to apply Microsoft's available updates, reduce direct internet exposure of SharePoint servers, and closely monitor authentication and document-access activity for signs of compromise.
May 25, 2026
Zero-Day SharePoint Server Flaws Trigger Emergency Patching and KEV Action
Microsoft issued emergency guidance after attackers exploited zero-day flaws in on-premises **Microsoft SharePoint Server** in campaigns that hit businesses and at least some U.S. government agencies. In one wave, researchers tracked a variant of `CVE-2025-49706` dubbed **"ToolShell,"** warning it could grant full access to SharePoint file systems and connected Microsoft services such as Teams and OneDrive. Microsoft said **SharePoint Online** was not affected, while fixes were released for SharePoint Server 2019 and Subscription Edition and a SharePoint Server 2016 patch was still pending at the time of reporting. U.S. CISA later added another actively exploited SharePoint zero-day, `CVE-2026-32201`, to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to remediate it under **BOD 22-01**. Security firms including Eye Security, CrowdStrike, Google Threat Intelligence Group, and Palo Alto Networks warned that internet-facing SharePoint deployments in government, education, healthcare, and large enterprises face elevated risk, with defenders urged to patch quickly, isolate exposed servers if needed, rotate cryptographic material, and engage incident response support where compromise is suspected.
May 25, 2026