Cyber Resilience

CVE-2026-33112

HighRCE

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0211 79.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33112 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2026-33112 stems from deserialization of untrusted data, tracked under CWE-502, in Microsoft Office SharePoint. It received a CVSS 3.1 base score of 8.8 reflecting network attack vector, low attack complexity, and low privileges required without user interaction, yielding high impact across confidentiality, integrity, and availability.

An authorized attacker with network access can supply malicious serialized data to trigger remote code execution on the affected SharePoint instance, enabling full compromise of the target system.

Microsoft has published an advisory addressing the issue at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33112. The associated EPSS score remains flat at 0.0195 with no material increase observed since disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization RCE in network-accessible SharePoint directly enables remote code execution against a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59237Same product: Microsoft Sharepoint Server
CVE-2025-49712Same product: Microsoft Sharepoint Server
CVE-2026-26114Same product: Microsoft Sharepoint Server
CVE-2026-40368Same product: Microsoft Sharepoint Server
CVE-2025-53770Same product: Microsoft Sharepoint Server
CVE-2026-35439Same product: Microsoft Sharepoint Server
CVE-2026-45659Same product: Microsoft Sharepoint Server
CVE-2026-33110Same product: Microsoft Sharepoint Server
CVE-2026-40357Same product: Microsoft Sharepoint Server
CVE-2025-54897Same product: Microsoft Sharepoint Server

Affected Assets

microsoft
sharepoint server
2016, 2019 · ≤ 16.0.19725.20280

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks the root cause by requiring validation/sanitization of untrusted serialized data before deserialization in SharePoint.

preventdetect

Malicious-code detection mechanisms can inspect or sandbox serialized payloads and resulting objects to stop RCE.

SC-18 Mobile Code partial match
prevent

Treats deserialized objects as untrusted mobile code and enforces usage restrictions or execution controls to limit remote code execution.

References