Cyber Resilience

CVE-2026-40357

HighRCE

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0170 74.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40357 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-40357 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Microsoft Office SharePoint. The flaw carries a CVSS 3.1 base score of 8.8 and permits remote code execution when an attacker supplies crafted serialized data to the affected component.

An authorized user with network access can exploit the issue without user interaction. Successful exploitation grants the attacker the ability to execute arbitrary code, resulting in full compromise of confidentiality, integrity, and availability on the targeted SharePoint server.

Microsoft has published an advisory that includes mitigation guidance at the referenced MSRC update guide URL. The current EPSS score of 0.0195 shows no material increase from its recorded peak.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CWE-502 deserialization RCE in network-accessible SharePoint server directly enables remote code execution via exploitation of a server application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59237Same product: Microsoft Sharepoint Server
CVE-2025-49712Same product: Microsoft Sharepoint Server
CVE-2026-26114Same product: Microsoft Sharepoint Server
CVE-2026-33112Same product: Microsoft Sharepoint Server
CVE-2026-40368Same product: Microsoft Sharepoint Server
CVE-2025-53770Same product: Microsoft Sharepoint Server
CVE-2026-35439Same product: Microsoft Sharepoint Server
CVE-2026-45659Same product: Microsoft Sharepoint Server
CVE-2026-33110Same product: Microsoft Sharepoint Server
CVE-2025-54897Same product: Microsoft Sharepoint Server

Affected Assets

microsoft
sharepoint server
2016, 2019 · ≤ 16.0.19725.20280

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted serialized input before deserialization, blocking the crafted data that triggers RCE in SharePoint.

preventdetect

Deploys malicious-code detection mechanisms that can identify and block the arbitrary code payloads delivered via the deserialization flaw.

prevent

Enforces least privilege on authorized SharePoint accounts so that even successful deserialization-based code execution yields limited system compromise.

References