Microsoft has released a critical security update to address CVE-2026-33110, a remote code execution vulnerability in SharePoint Server 2016. The patch is bundled under a knowledge base article that the Microsoft Update Catalog labels for "SharePoint Enterprise Server 2016," but the company explicitly states that the same KB applies to all supported editions of the product. This means administrators running SharePoint Server 2016 Standard or Foundation must download and install the update immediately, even if the catalog entry suggests it targets the Enterprise SKU.

The advisory arrives amid a shrinking support window: SharePoint Server 2016 extended support ends on July 14, 2026. For organizations still running this version—which remains widespread in on-premises environments—the vulnerability represents a serious threat. Microsoft has assigned the flaw a high severity rating and confirms that exploitation is more likely than not, underscoring the urgency.

The nature of CVE-2026-33110

CVE-2026-33110 is a remote code execution (RCE) vulnerability. While full technical details have not been disclosed at the time of writing, typical SharePoint RCE flaws allow an attacker to craft a malicious input—often a web request, document, or package—that triggers the execution of arbitrary code on the target server. Successful exploitation can lead to full system compromise, data exfiltration, lateral movement within a network, or the establishment of persistent backdoors.

Microsoft’s own CVSS v3.1 score for this vulnerability is 8.8, placing it firmly in the high category. The attack vector is network-based, the attack complexity is low, and exploitation requires no user interaction if specific conditions are met, though the exact prerequisites depend on the vulnerable component. In previous SharePoint RCE disclosures, flaws have often resided in the workflow engine, the document parsing pipeline, or the way the platform handles custom web parts and application pages. Without official details, security teams should assume the worst: an unauthenticated attacker might leverage this vulnerability if the SharePoint server is internet-facing.

Why the edition label confuses patching

SharePoint Server 2016 ships in three editions: Foundation, Standard, and Enterprise. All share an identical code base and the same set of system files. The edition is determined solely by the product key entered during installation, which unlocks features like Excel Services, Access Services, or the Business Data Connectivity service in the Enterprise edition. Because the binaries are the same, security updates that patch those binaries apply uniformly to every edition, regardless of what the download page says.

The Microsoft Update Catalog frequently lists the patch under a single product name for brevity. "SharePoint Enterprise Server 2016" is the most commonly observed label in the catalog, but this is an artifact of the packaging process, not an indicator of compatibility. Recently, Microsoft has taken to adding clarifying notes directly in the Security Update Guide, and for CVE-2026-33110, that message is explicit: “The security update for SharePoint Enterprise Server 2016 also applies to SharePoint Server 2016.”

Administrators who skip the KB because they run Standard or Foundation leave their farms exposed. Worse, if an administrator filters updates by product name in WSUS or Configuration Manager, the patch might not appear at all unless the Enterprise variant is selected. This has been a recurring pain point for SharePoint patching since the 2013 release, and CVE-2026-33110 revives the confusion at a moment when every unpatched day carries significant risk.

Affected configurations

CVE-2026-33110 affects the following on-premises versions:

  • SharePoint Server 2016 (all editions)
  • SharePoint Foundation 2016

Note that SharePoint Foundation 2016 reaches its end of extended support on July 14, 2026. If this vulnerability is disclosed before that date, Microsoft is contractually obliged to provide a security update. However, after that date, the product would be out of support, and no further patches would be offered. Organizations still using Foundation must treat this update as a final lifeline and plan an immediate migration to a supported platform.

The vulnerability does not affect SharePoint Online or SharePoint Server 2019 and later, which are built on a different code base and have their own separate servicing pipelines.

How to obtain and install the update

The security update for CVE-2026-33110 is distributed through all standard Microsoft release channels:

  • Microsoft Update and Windows Update: If the SharePoint server has automatic updates enabled and is configured to receive updates for other Microsoft products, the patch will be offered automatically.
  • Microsoft Update Catalog: Administrators can search for the specific KB number (which will be listed in the CVE article) and download the standalone .exe or .msi packages. This is the recommended method for offline or controlled deployments.
  • Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager: The update is synchronized under the “SharePoint Server 2016” product category. Ensure that the “Enterprise” entry is selected if filtering by product.

Before installation, it is critical to stop the SharePoint Timer Service and the World Wide Web Publishing Service on all servers in the farm. Then install the update on each server and run the SharePoint Products Configuration Wizard to upgrade the databases and web applications. Microsoft’s official documentation provides a detailed step-by-step rollup installation guide that applies to this security update as well.

Verification and detection

After installation, administrators can verify a successful patch by checking the file versions of key assemblies or by examining the control panel’s installed updates list. The specific KB article will detail the updated binaries and their expected version numbers.

Organizations that use vulnerability scanners such as Qualys, Tenable Nessus, or Rapid7 InsightVM should see detection plugins published within 24 hours of the release. Microsoft Defender for Endpoint and other EDR solutions that include vulnerability management modules will also flag unpatched servers.

It is worth manually checking that the SharePoint Products Configuration Wizard completed successfully on each server. An incomplete wizard run leaves the farm in an unsupported state where the binaries are patched but the database schema is not, which can lead to functional errors.
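A read-only check for the half-patched state described above, written here as an added example and not taken from Microsoft or the advisory. It assumes an elevated SharePoint 2016 Management Shell with farm administrator rights; `$ExpectedVersion` must come from the KB article, and the default `$AssemblyPath` is an assumption to replace with a binary that article lists.

```powershell
# Added example (not from the advisory). Read-only: it changes nothing in the farm.
param(
    # Version the KB article lists for the patched binary (not given on this page).
    [Parameter(Mandatory = $true)][version]$ExpectedVersion,
    # Assumption: a core assembly; substitute a file the KB article actually lists.
    [string]$AssemblyPath = (Join-Path $env:CommonProgramFiles `
        'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll')
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$findings = @()

# 1. Binaries on this server: compare the on-disk file version with the KB value.
$vi = (Get-Item -LiteralPath $AssemblyPath).VersionInfo
$fileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
    $vi.FileBuildPart, $vi.FilePrivatePart)
if ($fileVersion -lt $ExpectedVersion) {
    $findings += '{0}: {1} is at {2}, below {3}' -f $env:COMPUTERNAME,
        (Split-Path $AssemblyPath -Leaf), $fileVersion, $ExpectedVersion
}

# 2. Farm-wide: servers whose binaries are patched but where the wizard has not
#    completed. Role "Invalid" marks non-SharePoint hosts such as the SQL server.
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' -and $_.NeedsUpgrade })) {
    $findings += '{0}: configuration wizard has not completed' -f $server.Address
}

# 3. Farm-wide: databases whose schema lags behind the patched binaries.
foreach ($db in (Get-SPDatabase | Where-Object { $_.NeedsUpgrade })) {
    $findings += '{0}: database schema upgrade pending' -f $db.Name
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
'OK: {0} at {1}, farm build {2}, no pending upgrades' -f `
    (Split-Path $AssemblyPath -Leaf), $fileVersion, (Get-SPFarm).BuildVersion
```

The file-version check covers only the server the script runs on, so run it on every server; the server and database checks report on the whole farm from any one of them.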

Mitigations and workarounds

As of the advisory publication, Microsoft has not listed any workarounds or mitigating factors. This is common for RCE vulnerabilities of high severity. Disabling unnecessary services or blocking specific ports might reduce the attack surface locally, but it cannot prevent exploitation of the underlying flaw if the vulnerable component is accessible.

For internet-facing SharePoint sites, the most effective interim measure is to restrict access to trusted IP addresses via a web application firewall, VPN, or IIS IP restrictions until the patch can be applied. However, this is a temporary stopgap. The update itself remains the only complete protection.
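One way to apply the IIS IP restriction stopgap, shown as an added example that is not part of the advisory. The site name and every address are constructed placeholders (documentation ranges), and the script assumes the "IP and Domain Restrictions" role service (Web-IP-Security) is installed on each web front end.

```powershell
# Added example (not from the advisory). Run elevated on each web front end.
param([switch]$Rollback)    # use -Rollback once the security update is installed

Import-Module WebAdministration
$site   = 'SharePoint - 443'    # hypothetical IIS site name; use your own
$filter = 'system.webServer/security/ipSecurity'

if ($Rollback) {
    # Return to allow-by-default; the allow entries become harmless leftovers.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
        -Name allowUnlisted -Value $true
    return
}

# Constructed allowlist. Include loopback and the farm's own subnet, otherwise
# server-to-server calls between farm members (search crawl, timer jobs) are
# rejected along with everything else.
$allow = @(
    @{ ipAddress = '127.0.0.1';    subnetMask = '255.255.255.255' },  # loopback
    @{ ipAddress = '198.51.100.0'; subnetMask = '255.255.255.0'   },  # farm subnet
    @{ ipAddress = '203.0.113.10'; subnetMask = '255.255.255.255' }   # VPN egress
)

# Add the allow entries first, then flip the default to deny, so trusted hosts
# are never locked out between the two steps.
foreach ($entry in $allow) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name '.' `
        -Value @{ ipAddress = $entry.ipAddress; subnetMask = $entry.subnetMask; allowed = $true }
}
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false

# Show the resulting policy for the change record.
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Behind a load balancer or reverse proxy IIS sees the proxy's address rather than the client's, so the restriction belongs on that device; the `enableProxyMode` attribute of `ipSecurity` makes IIS evaluate `X-Forwarded-For`, which is only trustworthy when the proxy overwrites that header.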

The broader context of SharePoint security

SharePoint Server 2016 has been a frequent target in large-scale attacks. CVE-2019-0604, CVE-2020-0646, and CVE-2020-16952 are among the remote code execution vulnerabilities that nation-state actors and ransomware gangs have chained together to compromise SharePoint farms. The platform’s deep integration with Active Directory and its common role as a document repository make it a high-value target.

This CVE arrives in 2026, a year in which Microsoft’s security response has been tested by a steady stream of endpoint and server vulnerabilities. The SharePoint product group continues to release on-premises updates, even as the broader industry pushes toward cloud-only solutions. For many regulated industries—finance, healthcare, government—on-premises SharePoint remains indispensable, and the security burden falls squarely on IT teams.

Patching before end of extended support

With extended support for SharePoint Server 2016 ending on July 14, 2026, CVE-2026-33110 may represent one of the last critical updates for this product line. After that date, no further security fixes will be provided unless an organization has purchased a custom support agreement (which is rarely economical). The hard deadline adds weight to each remaining release, encouraging administrators to not only apply this update but to also accelerate migration projects to SharePoint Server Subscription Edition or SharePoint Online.

Practical steps for SharePoint administrators

  1. Identify the KB: Visit the Microsoft Security Response Center (MSRC) page for CVE-2026-33110 to find the exact KB number.
  2. Download the package: From the Microsoft Update Catalog, search by KB number and select the file that matches your server architecture (x64).
  3. Plan a maintenance window: Coordinate with business owners, as the configuration wizard requires a brief outage.
  4. Back up your farm: Take a full SQL backup of all content and service application databases before starting.
  5. Install on all servers: Apply the update to each web front end, application server, and the central administration server.
  6. Run the configuration wizard: Execute PSConfig.exe or use the GUI wizard on every server sequentially.
  7. Validate functionality: Test key workloads—search, user profiles, workflows—to confirm the farm is fully operational.
  8. Monitor for anomalies: Watch event logs and feedback from users in the days following the patch for any regressions.
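Steps 5 and 6 as a per-server script, an added example that is not Microsoft's or this page's own tooling. It assumes the package from step 2 is already on the server and that step 4's backup is done; the `/passive` and `/norestart` switches are assumptions to confirm against the KB article.

```powershell
# Added example (not from the advisory). Run elevated on each farm server:
# first -Phase Install on every server, then -Phase Configure one server at a time.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Install', 'Configure')][string]$Phase,
    [string]$PackagePath    # file downloaded from the Update Catalog for the KB
)
$ErrorActionPreference = 'Stop'

if ($Phase -eq 'Install') {
    # Refuse to run a package that is not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw "Signature check failed for ${PackagePath}: $($sig.Status)"
    }

    # SharePoint Timer Service and World Wide Web Publishing Service.
    $running = @(Get-Service -Name SPTimerV4, W3SVC | Where-Object { $_.Status -eq 'Running' })
    try {
        $running | Stop-Service -Force
        # Assumed switches for an unattended run; confirm them in the KB article.
        $proc = Start-Process -FilePath $PackagePath -ArgumentList '/passive', '/norestart' `
            -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            throw "Installer returned $($proc.ExitCode); review the setup log before continuing"
        }
    }
    finally {
        $running | Start-Service    # restore only what was running before
    }
}
else {
    # Build-to-build upgrade of databases and web applications (command-line wizard).
    $psconfig = Join-Path $env:CommonProgramFiles `
        'microsoft shared\Web Server Extensions\16\BIN\PSConfig.exe'
    & $psconfig -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install `
        -cmd installfeatures -cmd secureresources -cmd services -install
    if ($LASTEXITCODE -ne 0) {
        throw "PSConfig failed with exit code $LASTEXITCODE; check the upgrade log"
    }
}
```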

Conclusion

CVE-2026-33110 is a critical remote code execution vulnerability in SharePoint Server 2016 that demands immediate attention. The security update resolves the issue, but administrators must not be misled by edition labels in the Microsoft Update Catalog. The patch listed for SharePoint Enterprise Server 2016 is the identical binary needed to protect Standard and Foundation deployments. With extended support ending in mid-2026, this vulnerability serves as both a pressing security crisis and a stark reminder that the clock has nearly run out for SharePoint Server 2016. Apply the update without delay, and if your organization has not yet begun planning a migration, now is the time.