Microsoft patched multiple Exchange and SharePoint remote code execution flaws
Microsoft disclosed and patched several remote code execution vulnerabilities affecting Exchange Server and SharePoint Server, including Exchange flaws tracked as CVE-2023-21706, CVE-2023-28310, and CVE-2023-36439, alongside SharePoint issues CVE-2026-33110, CVE-2026-33112, and CVE-2026-40368. The SharePoint vulnerabilities were tied to deserialization of untrusted data and were rated Important, with CVSS scores of 8.8 for CVE-2026-33110 and CVE-2026-33112, and 8.0 for CVE-2026-40368.
Microsoft said CVE-2026-33110 could let an authenticated attacker with at least Site Member permissions execute code remotely on a vulnerable SharePoint Server, while CVE-2026-33112 required at least Site Owner privileges to inject and run arbitrary code. For CVE-2026-40368, exploitation involved a client connecting to a malicious server, potentially leading to code execution on the client. Microsoft reported that the SharePoint flaws were not publicly disclosed and not exploited in the wild at publication, assessed exploitation as less likely, and released fixes, including a shared KB update for SharePoint Server 2016 and SharePoint Enterprise Server 2016.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases fixes for three SharePoint RCE flaws
Microsoft disclosed CVE-2026-33110, CVE-2026-33112, and CVE-2026-40368 affecting SharePoint Server and Office SharePoint, all involving deserialization of untrusted data. Microsoft said none were publicly disclosed or exploited in the wild at publication and that official fixes were available.
Microsoft discloses CVE-2023-36439 for Exchange Server
Microsoft published security guidance for CVE-2023-36439, a Microsoft Exchange Server remote code execution vulnerability. The advisory represents a new Exchange Server RCE disclosure by Microsoft.
Microsoft discloses CVE-2023-28310 for Exchange Server
Microsoft published security guidance for CVE-2023-28310, another Microsoft Exchange Server remote code execution vulnerability. This marks a separate Exchange Server RCE disclosure in the Security Update Guide.
Microsoft discloses CVE-2023-21706 for Exchange Server
Microsoft published security guidance for CVE-2023-21706, a Microsoft Exchange Server remote code execution vulnerability. The reference indicates the vulnerability was formally disclosed in Microsoft's Security Update Guide.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CVE-2026-33110 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-33112 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-40368 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36439 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
portal.msrc.microsoft.com
Open sourceCVE-2023-28310 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-21706 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Fixes Multiple Remote Code Execution Flaws Across SharePoint, Edge, Azure, and Power Pages
Microsoft published security advisories for several remote code execution vulnerabilities affecting **SharePoint**, **Microsoft Edge (Chromium-based)**, **Azure Orbital Spatio**, **Azure Virtual Network Gateway**, and **Microsoft Power Pages**, including `CVE-2026-45659`, `CVE-2026-45495`, `CVE-2026-40412`, `CVE-2026-40411`, and `CVE-2026-23652`. The most detailed disclosures focused on SharePoint Server, where Microsoft described `CVE-2026-35439` and `CVE-2026-40357` as **deserialization of untrusted data** flaws that could let authenticated attackers execute arbitrary code over the network on vulnerable servers. Microsoft rated both SharePoint issues **Important** with **CVSS 8.8** and said exploitation requires valid access, with `CVE-2026-35439` requiring at least **Site Owner** privileges and `CVE-2026-40357` requiring **Site Member** permissions. The company said neither flaw had been publicly disclosed or exploited in the wild at publication and assessed exploitation as less likely, while providing fixes that also apply to both **SharePoint Server 2016** and **SharePoint Enterprise Server 2016**. Microsoft also disclosed `CVE-2026-40362`, an **Excel** heap-based buffer overflow that can lead to remote code execution if a user opens a malicious Office file; Microsoft said the Preview Pane is not an attack vector and that a patch is available.
May 27, 2026
Microsoft Discloses Two SharePoint Remote Code Execution Vulnerabilities
Microsoft published security advisories for **CVE-2025-49704** and **CVE-2025-49701**, identifying both flaws as **Microsoft SharePoint Remote Code Execution** vulnerabilities. The entries were added to the Microsoft Security Update Guide, indicating that SharePoint deployments are affected by vulnerabilities that could allow code execution on targeted systems. The advisories provide formal tracking for two separate SharePoint RCE issues and signal that organizations running Microsoft SharePoint should review the associated update guidance and remediation information for both CVEs. The dual disclosure highlights concurrent risk in a widely used enterprise collaboration platform and raises the urgency for defenders to assess exposure across SharePoint environments.
Jun 12, 2026
Microsoft SharePoint Flaws Expose Internet-Facing Servers to Spoofing and RCE Risk
More than **1,370 internet-facing Microsoft SharePoint servers** were reported exposed to active exploitation of **`CVE-2026-32201`**, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Microsoft disclosed the flaw in April and CISA added it to the **Known Exploited Vulnerabilities** catalog the same day, underscoring the urgency for defenders. Although Microsoft scored the bug at **CVSS 6.5**, the risk is elevated because it can be exploited **remotely without authentication** against exposed on-premises deployments, potentially allowing attackers to impersonate users, access or alter sensitive content, steal credentials, and move laterally inside victim environments. The exposure comes amid broader concern over SharePoint security, including Microsoft's disclosure of **`CVE-2026-26106`**, a **remote code execution** vulnerability in SharePoint Server, and earlier reporting that a **China-linked threat actor** was involved in SharePoint attacks, according to Mandiant. The concentration of exposed systems was highest in the **United States**, and the combined reporting points to sustained attacker interest in SharePoint as a route into enterprise networks. Organizations were urged to apply Microsoft's available updates, reduce direct internet exposure of SharePoint servers, and closely monitor authentication and document-access activity for signs of compromise.
May 25, 2026