Microsoft_SharePoint A.I CyberSecurity Scoring
Microsoft_SharePoint
Company Information
Website:http://hub.am/1gyqTRp
Employees number:None
Number of followers:0
NAICS:5112
Industry Type:Software Development
Homepage:hub.am
Microsoft_SharePoint Risk Score (AI oriented)
Between 750 and 799
Microsoft_SharePointSoftware Development
Updated:
08/07/2026
08/07/2026
757/1000
Fair
Baa
Microsoft_SharePoint Global Score (TPRM)
xxxx
Microsoft_SharePointSoftware Development
Score locked

Microsoft_SharePointFair
Current Score
757Baa (FAIR)
01000
5 incidents
-4.67 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
757
JUNE 2026
757
MAY 2026
760
Vulnerability
21 May 2026 • Microsoft_SharePoint
Microsoft: Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks
Critical SharePoint Server Vulnerability (CVE-2026-45659) Exposes Organizations to Remote Code Execution
756
CRITICAL-4
MIC1779805440
Critical SharePoint Server Vulnerability (CVE-2026-45659) Exposes Organizations to Remote Code Execution
On May 21, 2026, Microsoft disclosed a critical security flaw in SharePoint Server (CVE-2026-45659) that allows authenticated attackers to execute arbitrary code remotely. The vulnerability affects multiple on-premises SharePoint versions, posing a significant risk to organizations using the platform for collaboration and document management.
The flaw stems from improper deserialization of untrusted data in Microsoft Office SharePoint, enabling network-based attackers to exploit it with low complexity. Notably, any authenticated user with Site Member-level permissions without requiring administrative access can trigger the vulnerability. Microsoft rated the flaw as Important severity, assessing exploitation as "Less Likely" but warning that its low barrier to entry makes it a serious threat.
Affected versions include:
- SharePoint Server Subscription Edition (KB 5002863, build 16.0.19725.20280)
- SharePoint Server 2019 (KB 5002870, build 16.0.10417.20128)
- SharePoint Enterprise Server 2016 (KB 5002868, build 16.0.5552.1002)
Microsoft has released patches for all impacted versions. While no active exploitation has been reported, the vulnerability’s network-accessible attack surface and low complexity increase the risk of future exploitation once proof-of-concept code emerges. Organizations are advised to apply updates immediately, audit user permissions, monitor logs for suspicious activity, and isolate internet-facing instances until patches are deployed.
INCIDENT DETAILS -
TYPE
IMPACT
REFERENCES
APRIL 2026
765
Vulnerability
14 Apr 2026 • Microsoft_SharePoint
Microsoft: Cyber Security News ®’s Post
Microsoft SharePoint Zero-Day Vulnerability (CVE-2026-32201) Under Active Exploitation
760
CRITICAL-5
MIC1776227043
Microsoft SharePoint Zero-Day Vulnerability (CVE-2026-32201) Under Active Exploitation
On April 14, 2026, Microsoft confirmed the active exploitation of a critical zero-day spoofing vulnerability in SharePoint Server, addressed in its monthly security update. Tracked as CVE-2026-32201, the flaw affects multiple SharePoint Server versions and carries a CVSS base score of 6.5 (Important), with a temporal score of 6.0 following the release of an official patch.
The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, enabling unauthenticated remote attackers to conduct spoofing attacks over a network. Independent researcher Ronald Lovelace (Cloudy_Day) highlighted systemic issues in Microsoft’s content delivery network (CDN) architecture, linking the flaw to unmitigated misconfigurations first reported in July 2024. Despite CERT’s engagement with Microsoft in January 2025, proof-of-concept files were removed from the Microsoft Security Response Center (MSRC) but remained accessible via obscure portal routes, suggesting concealment rather than resolution.
Lovelace’s findings indicate broader risks, including GitHub OAuth flow misconfigurations that expose admin panels, configurations, and unpublished content due to misrouted fallback behavior in Microsoft’s CDN layers. Variations in headers or query parameters can bypass existing protections, posing national security concerns. The issue reflects a pattern of persistent, unaddressed delivery architecture flaws affecting multiple agencies and third-party services.
Microsoft has not publicly acknowledged the full scope of the CDN-related risks, despite ongoing exploitation. The vulnerability underscores long-standing security gaps in enterprise collaboration platforms.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
769
Vulnerability
18 Mar 2026 • Microsoft_SharePoint
Microsoft: Cyber Security News ®’s Post
CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability (CVE-2026-20963)
764
CRITICAL-5
MIC1773908622
CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
On March 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20963, a critical security flaw in Microsoft SharePoint, to its Known Exploited Vulnerabilities (KEV) catalog. The inclusion confirms that threat actors are actively exploiting the vulnerability in real-world attacks, posing a significant risk to organizations using the collaboration platform.
The flaw stems from improper deserialization of untrusted data in SharePoint, allowing attackers to execute arbitrary code or gain unauthorized access. While details on the specific attack vectors remain limited, the urgency of the KEV listing underscores the need for immediate patching or mitigation.
Microsoft has not yet disclosed the full scope of affected versions, but network administrators are advised to monitor updates and apply security fixes as they become available. The vulnerability highlights ongoing risks in widely used enterprise software, particularly in platforms handling sensitive data.
INCIDENT DETAILS -
TYPE
IMPACT
REFERENCES
FEBRUARY 2026
769
JANUARY 2026
769
DECEMBER 2025
769
NOVEMBER 2025
768
OCTOBER 2025
768
SEPTEMBER 2025
768
AUGUST 2025
768
MAY 2025
769
Vulnerability
01 May 2025 • Microsoft_SharePoint
Microsoft: PoC and Technical Details Released for SharePoint Remote Code Execution Vulnerability
Critical SharePoint RCE Vulnerability (CVE-2025-53770) Exploited in the Wild
767
CRITICAL-2
MIC1783520623
Critical SharePoint RCE Vulnerability (CVE-2025-53770) Exploited in the Wild
Proof-of-concept (PoC) exploit code and technical details have been released for CVE-2025-53770, a critical remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server. The flaw, a deserialization-of-untrusted-data issue, allows unauthenticated attackers to execute arbitrary code over the network by exploiting how SharePoint processes specially crafted data sources.
The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition, but Microsoft 365 SharePoint Online remains unaffected. Microsoft initially released emergency patches, followed by a second fix introducing the TypeNameParserImpl component to address generic type handling in DataSet objects.
Researchers at Viettel Cyber Security demonstrated how attackers can bypass security controls by abusing XML schema processing in the ExcelDataSet control used by PerformancePoint BI services. The attack targets the BIMonitoringAuthoringService web service at the endpoint `/_vti_bin/PPS/PPSAuthoringService.asmx`, specifically the TestConnection method. By embedding malicious `<xs:import>` and `<xs:include>` elements in an external XSD file, attackers force SharePoint to load unsafe types from an attacker-controlled server, evading XmlValidator checks.
The PoC exploits a chain of deserialization gadgets including System.Web.UI.LosFormatter and System.Windows.Data.ObjectDataProvider to achieve RCE. The attack requires only a low-privileged SharePoint site member account and involves crafting a SOAP request to the vulnerable endpoint with a malicious ExcelDataSet payload. Successful exploitation spawns arbitrary processes, such as win32calc.exe, on the target server.
Security vendors have confirmed active exploitation in the wild, with reports of large-scale ToolShell attack campaigns targeting unpatched SharePoint environments. The release of detailed exploit techniques is expected to accelerate copycat attacks, increasing the urgency for organizations to apply Microsoft’s latest patches. Additional mitigations include enabling AMSI integration, rotating ASP.NET MachineKey values, and monitoring for suspicious PerformancePoint and ViewState activity.
INCIDENT DETAILS -
TYPE
IMPACT
REFERENCES
JUNE 2012
769
Vulnerability
16 Jun 2012 • Microsoft_SharePoint
Microsoft: Disrupting active exploitation of on-premises SharePoint vulnerabilities
Critical SharePoint Vulnerabilities Exploited by Chinese Threat Actors, Leading to Ransomware Attacks
767
CRITICAL-2
MIC1768636894
Critical SharePoint Vulnerabilities Exploited by Chinese Threat Actors, Leading to Ransomware Attacks
On July 19, 2025, Microsoft disclosed active exploitation of two critical vulnerabilities in on-premises SharePoint servers CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution) which do not affect SharePoint Online. The company released security updates for SharePoint Server 2016, 2019, and Subscription Edition to patch these flaws, along with two additional vulnerabilities (CVE-2025-53770 and CVE-2025-53771), which address related security bypasses.
### Threat Actors & Exploitation
Microsoft has observed three Chinese threat groups exploiting these vulnerabilities:
- Linen Typhoon (active since 2012, targeting government, defense, and human rights organizations).
- Violet Typhoon (active since 2015, focusing on espionage against former military personnel, NGOs, and media).
- Storm-2603 (a China-based actor deploying Warlock ransomware since July 18, 2025).
Exploitation begins with a POST request to the ToolPane endpoint, allowing attackers to bypass authentication and execute remote code. Successful breaches lead to web shell deployment (e.g., spinstall0.aspx), MachineKey theft, and lateral movement using tools like Mimikatz, PsExec, and Impacket.
### Storm-2603’s Ransomware Attack Chain
1. Initial Access: Exploits SharePoint vulnerabilities to deploy spinstall0.aspx web shells.
2. Discovery: Runs whoami and other commands to enumerate privileges.
3. Persistence: Creates scheduled tasks and manipulates IIS components to load malicious .NET assemblies.
4. Credential Theft: Uses Mimikatz to extract credentials from LSASS memory.
5. Lateral Movement: Leverages PsExec, WMI, and Impacket to spread across networks.
6. Ransomware Deployment: Modifies Group Policy Objects (GPOs) to distribute Warlock ransomware.
### Mitigation & Detection
Microsoft urges organizations to:
- Apply the latest SharePoint security updates immediately.
- Enable Antimalware Scan Interface (AMSI) in Full Mode and deploy Microsoft Defender Antivirus.
- Rotate SharePoint ASP.NET machine keys and restart IIS after patching.
- Monitor for IOCs, including:
- Web shells (spinstall0.aspx, spinstall1.aspx).
- Malicious files (IIS_Server_dll.dll, SharpHostInfo.x64.exe).
- C2 domains (update[.]updatemicfosoft[.]com, msupdate[.]updatemicfosoft[.]com).
- IP addresses (65.38.121[.]198, 131.226.2[.]6).
### Microsoft Defender Protections
Microsoft Defender XDR detects and blocks:
- Exploitation attempts (Exploit:Script/SuspSignoutReq.A).
- Web shell activity (Trojan:PowerShell/MachineKeyFinder.DA!amsi).
- Ransomware behavior (Ransomware-linked threat actor detected).
Organizations using Microsoft Defender Vulnerability Management or External Attack Surface Management (EASM) can identify exposed SharePoint instances and track remediation efforts.
Exploitation activity is expected to increase rapidly, with additional threat actors likely adopting these vulnerabilities. Immediate patching and monitoring are critical to preventing compromise.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Microsoft_SharePoint ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in June 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in May 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in April 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in March 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in February 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in January 2026 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in December 2025 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in November 2025 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in October 2025 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in September 2025 ??
What was Microsoft_SharePoint's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Microsoft_SharePoint's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Microsoft_SharePoint ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Microsoft_SharePoint's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?