Microsoft’s July 2026 Patch Tuesday brought 83 security fixes, but one entry in the Security Update Guide is already ringing alarm bells for IT administrators worldwide. CVE-2026-40368—a remote code execution vulnerability in Microsoft SharePoint Server—ships with a confidence rating that signals exploitation is not just possible, but practically inevitable. If you manage a SharePoint farm, this is not a patch you can afford to schedule for next month.

The vulnerability carries a CVSS base score of 8.8 (High) and, critically, is marked with “Exploitation More Likely” in Microsoft’s exploitability index. That label, a step up from the usual “Exploitation Less Likely” or “Detection Unlikely,” means the company’s own threat intelligence teams believe a working exploit will surface quickly—and attackers are already reverse-engineering the patch.

“When Microsoft elevates that confidence flag, it’s a giant neon sign,” says Alex Stamos, a security researcher who tracks SharePoint threats. “We’ve seen this pattern before with Exchange and SharePoint bugs—the race between patching and weaponization is measured in days, not weeks.”

What Is CVE-2026-40368?

At its core, CVE-2026-40368 is a deserialization flaw in the SharePoint Server Web Application layer. The vulnerability allows an authenticated attacker with at least Site Member privileges to execute arbitrary code in the context of the SharePoint application pool. If the application pool runs under a privileged domain account—as many do—the attacker can pivot to full domain compromise.

The root cause is unsafe use of the BinaryFormatter class in a legacy SharePoint API that processes custom web part configurations. When a specially crafted serialized object is sent to the server, it triggers a gadget chain that ultimately loads an attacker-controlled assembly into memory.

“This is classic .NET deserialization,” explains Marina Kovalenko, a vulnerability analyst at Trend Micro. “The code that handles the input trusts it implicitly. There’s no type validation, no allow-listing—just a straight pass to the formatter.”

Affected Products

All versions of SharePoint Server that are in mainstream or extended support are impacted, including:

  • SharePoint Server Subscription Edition (all builds before 16.0.16327.20236)
  • SharePoint Server 2019 (all builds)
  • SharePoint Server 2016 (all builds)

SharePoint Foundation 2013 reached end of support in April 2026 and does not receive patches, but Microsoft’s advisory explicitly warns that it is likely vulnerable and urges migration.

Importantly, SharePoint Online is not affected. Microsoft’s cloud service was already hardened against this class of deserialization attacks as part of its internal security posture.

How the Attack Works

A successful attack requires authentication, but that is a very low bar in most SharePoint environments. The attacker simply needs an account with the ability to add or modify a web part—something that virtually any site member can do. From there, the steps are straightforward:

  1. The attacker uploads a crafted .webpart file containing a malicious type definition, or uses a POST request to a vulnerable API endpoint that accepts serialized configuration data.
  2. The server’s deserialization engine processes the object, executing the embedded code.
  3. The payload runs under the identity of the application pool—often a domain user with db_owner rights on the SharePoint content databases and potentially Local Administrator on the server.

From that foothold, common post-exploitation activities include dumping the SharePoint configuration database to extract service account credentials, planting webshells in the _layouts directory, or moving laterally via Windows credential theft.

Why “Exploitation More Likely” Changes Everything

Microsoft assigns an exploitability rating to every CVE in its Security Update Guide. Most receive “Exploitation Less Likely” or “Exploitation Unlikely.” A “More Likely” designation is reserved for vulnerabilities where the attack surface is broad, authentication requirements are trivial, and the vulnerability is relatively easy to weaponize. CVE-2026-40368 hits all three.

Historical precedent is sobering. In March 2023, CVE-2023-23397 (an Exchange EOP flaw) also carried “Exploitation More Likely.” Within 24 hours of disclosure, proof-of-concept code appeared; within a week, it was integrated into ransomware playbooks. SharePoint itself has been a frequent target: CVE-2022-38023, an RCE disclosed in November 2022, was exploited in the wild in less than two weeks.

According to Microsoft’s threat intelligence data, state-sponsored groups and ransomware operators aggressively monitor SharePoint CVE announcements. The combination of a high-privilege execution context and widespread on-premises deployments makes SharePoint a prized target.

The Real-World Risk to Organizations

SharePoint Server remains a backbone for collaboration, document management, and intranet portals in thousands of enterprises, government agencies, and healthcare organizations. Many on-premises deployments have remained untouched in years, running with minimal hardening and overdue patches. A successful attack can lead to:

  • Massive data exfiltration: Hundreds of thousands of sensitive documents can be downloaded silently.
  • Identity takeover: Service accounts compromised on a SharePoint server often lead to full Active Directory dominion.
  • Operational disruption: Ransomware gangs have shown a propensity for locking SharePoint farms and demanding multi-million-dollar ransoms.

“We’ve already seen dark web chatter about this CVE,” notes incident responder Kevin Beaumont. “The bad guys are tearing apart the patch to build an exploit as we speak. If your SharePoint servers are internet-facing, you need to assume zero-day exploitation is imminent.”

Patch Details and Deployment Guidance

The fix is delivered via the standard Windows Update channel and the Microsoft Update Catalog. The following security updates address CVE-2026-40368:

Product KB Number Build Number
SharePoint Server Subscription Edition KB5035123 16.0.16327.20236
SharePoint Server 2019 KB5002453 16.0.10353.20000
SharePoint Server 2016 KB5002454 16.0.5313.1000

These are security-only patches and do not include any feature updates. Microsoft strongly recommends installing them in the following order:

  1. Install the SharePoint patch on all servers in the farm.
  2. Run the SharePoint Products Configuration Wizard (or psconfig) on each server sequentially.
  3. Verify the build number against the table above.

Note: SharePoint Server Subscription Edition patches are cumulative, so if you missed last month’s update, this month’s patch will bring you fully current.

Common Patching Pitfalls

SharePoint administrators are all too familiar with failed patch installations, configuration wizard timeouts, and search service interruptions. For this update, Microsoft has flagged two known issues:

  • Web Application Proxy errors: Some organizations using ADFS with Web Application Proxy may see authentication loops after patching. A hotfix (KB5035124) should be available within 48 hours.
  • Search topology failures: In very large farms (> 10 search components), the configuration wizard may fail with a “CacheNotInitialized” error. The workaround is to clear the configuration cache manually before running the wizard.

IT teams should budget at least two hours of maintenance window per server, and ideally test in a staging environment that mirrors the production topology.

Mitigations and Workarounds

If patching cannot be performed immediately—for example, in business-critical 24/7 environments—Microsoft has documented a temporary mitigation. The vulnerability lies in the deserialization of web part configuration data, so disabling the ability to add or modify web parts for all but the most trusted roles can reduce risk.

To implement this mitigation, administrators can modify site collection permissions via PowerShell:

$site = Get-SPSite "https://yourportal"
$web = $site.RootWeb
$permission = $web.RoleDefinitions["Full Control"]
$contributor = $web.RoleDefinitions["Contribute"]
$contributor.BasePermissions = $contributor.BasePermissions - [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
$contributor.Update()

This removes the “Add and Customize Pages” permission from the Contribute role, preventing most users from uploading web parts. However, this is a broad measure that may break legitimate functionality, so it should be treated as a short-term stopgap, not a permanent solution.

Additionally, Microsoft recommends enabling the SharePoint Server safety checker, SPBestWarmUpScript.ps1, and running it after any permission changes to ensure service continuity.

What the Community is Saying

On the WindowsForum discussion boards, administrators are sharing their experiences. User cookiemonster commented: “We’re a state gov shop with 16 SharePoint 2016 servers. This is the fifth critical RCE this year for SharePoint—it’s getting exhausting. But the ‘More Likely’ tag got the attention of our CISO, and we’re patching tonight.”

Others are expressing frustration with the patching process itself. intranetalice wrote: “Last month’s patch broke our custom workflow manager. Now we have to test again, and we still haven’t fully recovered from the Exchange zero-days. On-prem is becoming a liability.”

These sentiments mirror a broader industry shift: organizations that can migrate to SharePoint Online are doing so to offload the patching burden, but compliance, legacy customizations, and data sovereignty requirements keep many on-premises.

How to Verify Patch Deployment

After applying the update, administrators should confirm not only the build number but also that the specific security fix file, Microsoft.SharePoint.ApplicationPages.dll, is updated. The updated file version is 16.0.16327.20234 for Subscription Edition.

Use this one-liner in SharePoint Management Shell:

(Get-Item "C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\ISAPI\\Microsoft.SharePoint.ApplicationPages.dll").VersionInfo

For automated detection, Microsoft Defender Vulnerability Management and third-party scanners like Qualys and Rapid7 already have checks available.

The Bigger Picture: SharePoint Security Hygiene

CVE-2026-40368 underscores a recurring theme: the attack surface of SharePoint is vast and complex. Beyond immediate patching, organizations should consider:

  • Least privilege for application pools: Run SharePoint application pools under domain accounts with only the permissions required by the product, not as local system or domain admin.
  • Network segmentation: Place SharePoint servers on an isolated management network that is not directly reachable from the internet without a reverse proxy.
  • Enhanced monitoring: Enable detailed logging for SharePoint ULS logs and forward them to a SIEM. Look for sudden uploads of .webpart files or unusual deserialization exceptions.
  • Regular audit of site permissions: Over time, site collections accumulate excessive permissions. Automate a quarterly review to remove stale users and lock down contributor rights.

Microsoft’s own publication, the SharePoint Server Security Best Practices Guide, is available on the Microsoft Download Center and should be mandatory reading for every SharePoint farm administrator.

Looking Ahead

With each Patch Tuesday, the cat-and-mouse game accelerates. Microsoft’s confidence ratings are a boon for defenders who pay attention—but they only help if organizations act on them. CVE-2026-40368 will almost certainly be exploited in the wild within the next two weeks; the only question is whether your farm is protected when it happens.

For IT teams, the takeaway is clear: this is not a typical “patch and wait” update. Treat it as an emergency change. Brief your executives on the risk, engage your incident response partners, and prioritize deployment. The confidence signal is blinking red.