External risk intelligence

SharePoint Remote Code Execution via Untrusted Data Deserialization

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-50522

Microsoft SharePoint is commonly deployed as an internet-facing web application, portal, or collaborative gateway. Given its role as a network-accessible service designed for broad organizational access, it is frequently exposed to the public internet in real-world environments.

Deserialization

Microsoft Sharepoint Server

before 16.0.19725.2043420162019

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Microsoft Office SharePoint, specifically related to the deserialization of untrusted data. This could allow an unauthorized attacker to remotely execute code on affected systems, potentially leading to significant compromise. The main concern is confirming relevance and exposure within your environment.

  • Unsafe data handling in SharePoint enables remote code execution.
  • Critical flaw may impact many widely deployed systems.
  • Verify exposure and assess potential business impact.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a deserialization vulnerability in Microsoft Office SharePoint by sending specially crafted data over a network. This exposure allows an unauthorized attacker to execute arbitrary code remotely, potentially leading to a complete compromise of the affected system.

  • No special access needed.
  • Triggered by deserializing untrusted data.
  • Risk of remote code execution.

Live Threat

Current exploitation, exposure, and threat context

An unauthorized attacker could execute code over a network by deserializing untrusted data within Microsoft Office SharePoint, when supported by the advisory. This could potentially impact the integrity and availability of the affected system.

  • System data and service behavior.
  • Network deserialization of untrusted data.
  • Arbitrary code execution on the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Microsoft Office SharePoint, allowing network-based code execution, primarily impacts organizations utilizing SharePoint for internal or external collaboration and document management. The first practical step is for infrastructure and platform teams to identify all SharePoint deployments, assess their internet reachability and business criticality, and then engage the designated application or SharePoint administrators to confirm ownership and plan remediation based on risk.

  • Platform and infrastructure teams own the issue.
  • Verify SharePoint's external reachability and criticality.
  • Plan remediation based on risk and business impact.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Microsoft Office SharePoint?

SharePoint is a comprehensive collaboration and document management platform used by organizations to host internal portals, share files, and facilitate team workflows. It functions as a server-side web application, processing requests and managing content across a network, which makes its secure handling of incoming data vital to protecting organizational assets.

What is the vulnerability in CVE-2026-50522?

This CVE involves a flaw known as Deserialization of Untrusted Data, classified as CWE-502. In plain terms, the software incorrectly processes complex data structures received from outside sources. Instead of safely inspecting this data, the system inadvertently treats malicious input as legitimate instructions, which can allow an attacker to execute unauthorized code on the server.

How is this SharePoint vulnerability triggered?

An attacker triggers this flaw by sending specially crafted data across the network to the SharePoint server. The vulnerability occurs when the application attempts to deserialize, or reconstruct, this untrusted data. It is important to note that this does not require any specific user interaction or privileged access; the server processes the harmful input automatically upon receipt.

Is my SharePoint instance at high risk?

Halo Surface Signal indicates this risk is elevated because SharePoint is frequently deployed as an internet-facing portal or collaborative gateway. If your instance is accessible from the public internet, it faces a broader threat surface. You should prioritize assessing any SharePoint deployment that is exposed beyond your local internal network.

What should I do first to address CVE-2026-50522?

Start by identifying all SharePoint deployments within your environment and mapping their network reachability. Determine which instances are internet-facing versus internal, and assess the business criticality of the data they hold. Coordinate with your SharePoint or application administrators to confirm ownership of these assets and prepare a remediation plan focused on the most exposed systems first.

References