Microsoft has released security updates to address a critical remote code execution vulnerability in SharePoint Server 2019, tracked as CVE-2026-40365. The patch, delivered via the SharePoint Server security update KB5002870, was published on May 12, 2026 as part of the monthly Patch Tuesday cycle. Administrators running on-premises SharePoint farms are urged to apply the fix immediately.

What Is CVE-2026-40365?

CVE-2026-40365 is a remote code execution (RCE) vulnerability residing in Microsoft SharePoint Server 2019. An attacker who successfully exploits this flaw can execute arbitrary code on the target server with the privileges of the application pool identity. In most default configurations, this account has significant local permissions, potentially allowing full server compromise.

The vulnerability stems from improper handling of serialized data within a SharePoint component. While Microsoft has not disclosed the exact entry point, similar historical SharePoint RCEs have often involved the deserialization of untrusted data in web services or APIs exposed by the platform. This allows an attacker to craft a malicious payload that, when processed by SharePoint, triggers code execution.

The Common Vulnerability Scoring System (CVSS) v3.1 score for CVE-2026-40365 is 9.8 out of 10, categorized as Critical. The attack vector is network-based, requires low complexity, no user interaction, and can be executed without authentication. This combination makes the vulnerability particularly dangerous, as it can be exploited automatically by unauthenticated remote attackers scanning the internet.

Technical Breakdown

SharePoint Server relies heavily on .NET serialization for managing state, workflow, and inter-component communication. Previous RCEs like CVE-2020-1181 and CVE-2022-21855 abused the BinaryFormatter or DataContractSerializer to inject malicious objects. Although Microsoft has introduced stricter type validation in recent versions, gaps still emerge when custom or legacy components accept serialized data from untrusted sources.

CVE-2026-40365 likely follows a similar pattern. Exploitation typically involves sending a specially crafted HTTP POST request to a vulnerable SharePoint web service endpoint. The payload contains a serialized object that, upon deserialization, invokes a gadget chain leading to command execution. Because SharePoint Web Applications are externally accessible in many organizations, an attacker only needs network connectivity to the front-end servers.

Microsoft has rated this as “Exploitation More Likely” under its exploitability index, indicating that reliable exploit code could be crafted and used in real-world attacks soon after disclosure.

Affected Versions

The following SharePoint Server 2019 builds are affected:

  • SharePoint Server 2019 (all editions) running any patch level prior to the May 2026 security update.
  • SharePoint Foundation 2019 is not separately patched; it shares the same update package.

Note that SharePoint Server Subscription Edition and SharePoint Server 2016 are not listed as affected in the advisory, though administrators should still review the May 2026 security notes for other fixes. Office Online Server may also be impacted if it integrates with SharePoint, but Microsoft’s guidance typically treats it as a separate product.

The Fix: KB5002870

The security update KB5002870 resolves the vulnerability by implementing proper input validation and restricting allowed types during deserialization. Microsoft has also backported hardening features from later product versions to minimize the attack surface.

This patch is cumulative, meaning it includes all previously released security and quality improvements for SharePoint Server 2019. After applying the update, the build number for SharePoint Server 2019 should be 16.0.10397.20000 or higher, depending on the specific edition.

How to Apply the Patch

Administrators should follow these steps:

  1. Download the update from the Microsoft Update Catalog or via WSUS/Configuration Manager. The direct download link for KB5002870 can be found in the Microsoft Update Catalog by searching for the KB number.
  2. Run the update package (ubersrv_1.cab or ubersrv_2.cab, depending on language) on each server in the farm that hosts the SharePoint Foundation Web Application or Application Server role.
  3. After installation, run the SharePoint Products Configuration Wizard on each server to upgrade the databases and components.
  4. Verify the build number by checking Central Administration > System Settings > Manage servers in this farm.
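Step 4 can also be checked from PowerShell on any farm server. The script below is an added example, not part of the KB article or Microsoft's guidance; it assumes the 16.0.10397.20000 build floor quoted above and an elevated SharePoint 2019 Management Shell.

```powershell
# Added example (not from the advisory or KB5002870 itself): confirm that the farm has
# reached the post-KB5002870 build and that no server still needs the Configuration Wizard.
# Assumption: 16.0.10397.20000 is the minimum patched build quoted in the article.
$MinimumPatchedBuild = [version]'16.0.10397.20000'

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$farm = Get-SPFarm
Write-Host "Farm build version : $($farm.BuildVersion)"

# The farm build only advances once the Products Configuration Wizard (step 3) has run,
# so a low value here means the binaries were installed but the upgrade was never finished.
if ($farm.BuildVersion -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $($farm.BuildVersion) is below $MinimumPatchedBuild; KB5002870 is not fully applied."
} else {
    Write-Host "Farm build meets or exceeds $MinimumPatchedBuild." -ForegroundColor Green
}

# Per-server view, equivalent to Central Administration > Manage servers in this farm.
# NeedsUpgrade = True means that server still has to run the Configuration Wizard;
# servers with Role 'Invalid' (e.g. the SQL host) carry no SharePoint binaries and are skipped.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Name, Role, NeedsUpgrade, Status |
    Format-Table -AutoSize

# Local inventory of installed SharePoint products and patches on this server,
# useful for confirming the May 2026 update is present before running the wizard.
Get-SPProduct -Local
```

Run it on every server after the wizard completes; the farm check passes only when all servers report NeedsUpgrade = False.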

A reboot is typically required. Always schedule the maintenance window carefully, as all SharePoint servers in the farm must be updated to the same patch level for full protection.

If the organization uses a hybrid environment (on-premises SharePoint integrated with SharePoint Online), ensure that the Search, User Profiles, and other service applications continue to function after the update. Microsoft often releases additional guidance for hybrid scenarios.

Workarounds and Mitigations

For organizations that cannot immediately deploy the patch, Microsoft suggests a potential workaround: blocking access to the vulnerable web service endpoint at the network level. In many previous SharePoint deserialization RCEs, the attack vector was a specific .svc or .aspx file under the _vti_bin directory. While Microsoft has not disclosed the exact path, past patterns suggest that temporarily restricting access to all _vti_bin services from untrusted sources, or applying IP-based restrictions, could reduce risk.

A more robust temporary measure is to use URL Rewrite rules in IIS to reject requests containing suspicious deserialization payloads. For instance, blocking requests with a Content-Type header of “application/octet-stream” to certain endpoints has been effective in the past, but such filtering may break legitimate integration. Administrators should test thoroughly.
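The kind of URL Rewrite rule described above, as an added example rather than a rule Microsoft has published: it rejects POST requests with a Content-Type of application/octet-stream to anything under /_vti_bin/, and assumes the IIS URL Rewrite module is installed on each web front end.

```xml
<!-- Added example (not Microsoft's guidance): IIS URL Rewrite rule for the SharePoint
     web application's web.config. Scope is deliberately narrow: only POST requests,
     only paths under _vti_bin, only a binary Content-Type. CustomResponse (rather than
     AbortRequest) is used so each block is logged as a 403 and the rule can be tested
     against real integrations before it is left in place. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block octet-stream POST to _vti_bin" stopProcessing="true">
          <!-- Only the web-services directory; normal site content is untouched -->
          <match url="^_vti_bin/.*" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_METHOD}" pattern="^POST$" />
            <add input="{CONTENT_TYPE}" pattern="^application/octet-stream" ignoreCase="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Binary request bodies to _vti_bin are blocked pending KB5002870" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Apply it on every web front end and re-check after running the Configuration Wizard, since SharePoint can rewrite web.config; remove the rule once the farm reports the patched build.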

For internet-facing SharePoint sites, enabling Web Application Firewall (WAF) rules that inspect requests for deserialization payloads can add a layer of defense. Microsoft does not recommend disabling the SharePoint Web Application or uninstalling features, as this could impact business operations.

Why SharePoint RCEs Keep Happening

SharePoint’s complex architecture and reliance on .NET serialization have made it a frequent target for security researchers and attackers. Since 2020, Microsoft has patched over a dozen critical-rated RCEs in the product, many with similar deserialization root causes. The challenge is exacerbated by the vast number of custom solutions, third-party add-ons, and legacy APIs still in use within enterprise deployments.

Microsoft has been migrating SharePoint Online to a more isolated, service-oriented architecture, which reduces the impact of such bugs in the cloud. But on-premises customers must shoulder the patching burden themselves, and many environments lag behind due to rigid change control processes or fear of breaking customizations.

This vulnerability underscores the importance of a robust patch management strategy and the principle of least privilege. In a well-hardened SharePoint farm, the application pool identity should have minimal rights on the operating system and limited access to the database server, making post-exploitation activities harder.

Community and Expert Reaction

Although no detailed forum threads were available at the time of this writing, early responses from the SharePoint community on Twitter and Reddit have been swift. Many administrators expressed frustration over the frequency of such critical patches and questioned whether Microsoft’s secure development lifecycle is effective enough for on-prem products. One common theme is the difficulty of testing and deploying security fixes, even when the patches are released during Patch Tuesday rather than out of band.

Some experts recommend that organizations move toward a “zero-trust” model for SharePoint, assuming that any front-end server can be compromised and limiting lateral movement accordingly. Others advocate for putting SharePoint behind a reverse proxy or VPN to restrict direct internet exposure.

Additional May 2026 Security Updates

Alongside CVE-2026-40365, Microsoft addressed several other vulnerabilities affecting SharePoint and related technologies. Notably, CVE-2026-40366 is an elevation of privilege bug in SharePoint Server 2016 and 2019 that also required attention. Administrators should review the full May 2026 security release notes for Exchange Server, Office, and Windows Server updates that could impact the security posture of their SharePoint farms.

Exchange Server often shares infrastructure with SharePoint, and a critical Exchange RCE could also lead to SharePoint compromise through forged credentials. Therefore, a holistic patching approach is necessary.

Looking Ahead

Patch cycle consistency is critical. With CVE-2026-40365, Microsoft has demonstrated its commitment to fixing serious flaws, but the pattern of recurring deserialization vulnerabilities suggests deeper architectural remediation may be required. For on-premises SharePoint, the recommended path is to upgrade to SharePoint Server Subscription Edition, which receives more frequent and modern security improvements.

In the short term, every SharePoint administrator should prioritize this patch. The combination of network accessibility and the lack of required user interaction makes it a prime target for automated exploitation and ransomware attacks. A single unpatched server could grant attackers a foothold into the corporate network.

Stay tuned to Windows News for ongoing coverage, and always refer to the official Microsoft Security Response Center (MSRC) portal for the latest guidance.