SharePoint RCE PoC Details Raise New Risk for On-Premises Servers


New technical details and proof-of-concept research have increased concern around a Microsoft SharePoint Server remote code execution issue affecting on-premises deployments.

The latest research from Viettel Cyber Security focuses on CVE-2026-33112, an authenticated SharePoint remote code execution vulnerability. The NVD entry for CVE-2026-33112 describes it as a deserialization of untrusted data flaw that allows an authorized attacker to execute code over a network.

The issue is closely related to the broader ToolShell discussion because it follows earlier SharePoint deserialization research and Microsoftโ€™s efforts to harden DataSet handling after CVE-2025-53770, the critical unauthenticated RCE flaw exploited in 2025.

What changed with the new SharePoint PoC

The newer Viettel analysis shows how SharePointโ€™s XML schema handling can create a path around validation logic in certain PerformancePoint workflows.

At a high level, the attack abuses the way SharePoint processes imported XML schema data during deserialization. Instead of placing every dangerous type definition directly in the main request, the technique relies on externally referenced schema content that the validation layer may not fully inspect.

That matters because SharePoint deserialization bugs can move from data parsing to server-side code execution when unsafe object types reach sensitive .NET code paths.

ItemDetails
Tracked vulnerabilityCVE-2026-33112
Vulnerability classDeserialization of untrusted data
Product areaMicrosoft Office SharePoint and on-premises SharePoint Server environments
Access requirementAuthorized attacker with low privileges
Main riskRemote code execution over a network
Defender focusPatch status, PerformancePoint activity, outbound schema fetches, and unusual server-side process behavior

CVE-2026-33112 is not the same as CVE-2025-53770

The NVD record gives CVE-2026-33112 a CVSS 3.1 score of 8.8 and lists the attack as network-based with low privileges required and no user interaction.

Microsoft also listed CVE-2026-33112 in its May 12, 2026 SharePoint Server 2019 security update, where the Microsoft Support update page includes it among multiple SharePoint and Office-related security advisories resolved by the release.

CVE-2025-53770 is more severe in a different way. Microsoftโ€™s Microsoft Security Blog said the 2025 ToolShell exploitation affected on-premises SharePoint servers and did not affect SharePoint Online in Microsoft 365.

Why defenders should still treat this as urgent

Even though CVE-2026-33112 requires authorization, the practical risk remains serious. Many enterprise SharePoint environments contain broad site membership, legacy permissions, exposed internal services, and complex integrations that can make low-privilege access easier to obtain than defenders expect.

The release of detailed research also changes the risk window. Once a bypass pattern becomes public, attackers can study the technique, adapt it to local environments, and combine it with stolen credentials or existing footholds.

The broader ToolShell incident showed how quickly SharePoint flaws can move from research to real-world compromise. Eye Security reported large-scale exploitation of the earlier ToolShell chain in July 2025, while Microsoft later described activity involving Chinese state-linked actors and a China-based actor tied to ransomware deployment.

What the PoC demonstrates at a high level

The public analysis describes a route through SharePoint PerformancePoint functionality, where a data source validation flow can trigger unsafe deserialization behavior.

The exploit concept depends on XML schema processing, imported schema references, and a crafted data structure that causes SharePoint to deserialize attacker-influenced content. This article does not reproduce the exploit sequence, request format, or payload details.

For defenders, the important lesson is simpler: SharePoint servers should not fetch unexpected schema content from unfamiliar external hosts, and PerformancePoint-related service activity deserves closer review on exposed or high-value farms.

  • Review SharePoint servers for missing May 2026 and later security updates.
  • Audit low-privilege site membership and remove unnecessary access.
  • Monitor outbound HTTP and HTTPS traffic from SharePoint servers.
  • Investigate unusual PerformancePoint data source validation activity.
  • Watch for unexpected child processes from IIS worker processes.
  • Harden internet exposure around SharePoint where business needs allow it.

Patch and mitigation guidance

Organizations should confirm that SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition deployments have received the relevant security updates. The May 2026 KB5002870 page is one official reference point for SharePoint Server 2019 administrators.

Teams that also responded to ToolShell should not stop at patching. The NVD page for CVE-2025-53770 confirms that Microsoft knew of exploitation in the wild, and that kind of exposure can leave behind web shells, stolen keys, persistence, and lateral movement even after updates are installed.

Incident responders should review IIS logs, SharePoint ULS logs, Windows event logs, endpoint telemetry, unusual ASP.NET files, MachineKey exposure, and any process execution chained from SharePoint application pools. Eye Securityโ€™s incident report shows why compromise assessment matters after SharePoint RCE activity.

Bottom line for SharePoint admins

The new PoC details do not mean every SharePoint server is automatically compromised, but they do make unpatched and poorly monitored on-premises environments more attractive targets.

Admins should treat CVE-2026-33112 as part of a continuing SharePoint deserialization risk pattern, not as an isolated bug. Attackers now have more public research to study, and defenders need tighter controls around patching, permissions, outbound traffic, and server-side execution.

For organizations that still expose on-premises SharePoint, the safest approach is to patch quickly, reduce unnecessary access, monitor for abnormal PerformancePoint behavior, and assume that older ToolShell activity may have left behind persistence that requires separate cleanup.

FAQ

What is CVE-2026-33112 in SharePoint?

CVE-2026-33112 is a Microsoft SharePoint remote code execution vulnerability caused by deserialization of untrusted data. It requires an authorized attacker, but it can allow code execution over a network.

Is CVE-2026-33112 the same as CVE-2025-53770?

No. CVE-2025-53770 is the earlier critical ToolShell-related SharePoint RCE that Microsoft said was exploited in the wild. CVE-2026-33112 is a newer authenticated SharePoint deserialization RCE tied to later patch-bypass research.

Does CVE-2026-33112 affect SharePoint Online?

The public discussion around these SharePoint Server deserialization issues focuses on on-premises SharePoint deployments. Microsoft previously said SharePoint Online in Microsoft 365 was not affected by the 2025 ToolShell vulnerabilities.

What should SharePoint administrators do now?

Administrators should apply the latest SharePoint security updates, review low-privilege access, monitor outbound traffic from SharePoint servers, audit PerformancePoint-related activity, and investigate signs of prior ToolShell compromise.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages