Microsoft: Public PoC Released for SharePoint Remote Code Execution Vulnerability

Microsoft: Public PoC Released for SharePoint Remote Code Execution Vulnerability

Critical SharePoint RCE Vulnerability (CVE-2026-33112) Exploited via Patch Bypass

Researchers have disclosed a working proof-of-concept (PoC) exploit for CVE-2026-33112, a critical remote code execution (RCE) vulnerability in Microsoft SharePoint that allows low-privilege authenticated users to execute arbitrary code by bypassing the platform’s XmlValidator security control.

The flaw stems from an incomplete fix for CVE-2025-53770, Microsoft’s second attempt to patch a deserialization-based attack chain in SharePoint’s DataSet handling. While the updated TypeNameParserImpl closed earlier bypass methods, attackers can now exploit <xsd:import> and <xsd:include> elements to reference external XSD schemas hosted on attacker-controlled servers. Since these schemas are fetched over the network rather than validated locally the XmlValidator fails to inspect them, allowing malicious type definitions to evade detection.

The PoC, developed by Viettel Security, targets Microsoft.PerformancePoint.Scorecards.WebServer.BIMonitoringAuthoringService, exposed at /_vti_bin/PPS/PPSAuthoringService.asmx. By invoking the TestConnection function with a crafted DataSource object, attackers indirectly trigger ExcelDataSet.get_DataTable(), bypassing SharePoint’s safe control enforcement. Successful exploitation spawns win32calc.exe, confirming RCE on the server.

Exploitation requires minimal access: An attacker needs only site-member-level permissions to:

  1. Log in as a low-privilege user.
  2. Create a SharePoint list and add an item.
  3. Host a malicious XSD schema on an accessible HTTP server.
  4. Submit a crafted request to PPSAuthoringService.asmx, specifying the target item’s path.

The vulnerability is particularly severe due to its low barrier to exploitation no elevated privileges are required and its stealthy attack vector, as the malicious payload is partially offloaded to an external server. This makes detection challenging, as the exploit payload isn’t fully contained within the initial request. The disclosure underscores ongoing challenges in securing SharePoint’s deserialization mechanisms, with multiple known bypass techniques documented in prior research.

Source: https://cyberpress.org/sharepoint-rce-vulnerablility/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "mic1783441514",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Enterprise Software',
                        'location': 'Global',
                        'name': 'Microsoft SharePoint',
                        'type': 'Software/Platform'}],
 'attack_vector': 'Authenticated low-privilege user access via crafted '
                  'DataSource object',
 'description': 'Researchers disclosed a proof-of-concept (PoC) exploit for '
                'CVE-2026-33112, a critical remote code execution (RCE) '
                'vulnerability in Microsoft SharePoint. The flaw allows '
                'low-privilege authenticated users to execute arbitrary code '
                'by bypassing the platform’s XmlValidator security control '
                'through external XSD schemas. The vulnerability stems from an '
                'incomplete fix for CVE-2025-53770 and targets '
                'Microsoft.PerformancePoint.Scorecards.WebServer.BIMonitoringAuthoringService.',
 'impact': {'operational_impact': 'Arbitrary code execution on affected '
                                  'servers',
            'systems_affected': 'Microsoft SharePoint servers'},
 'lessons_learned': 'Ongoing challenges in securing SharePoint’s '
                    'deserialization mechanisms, with multiple known bypass '
                    'techniques documented in prior research.',
 'post_incident_analysis': {'root_causes': 'Incomplete patch for '
                                           'CVE-2025-53770, allowing bypass of '
                                           'XmlValidator via external XSD '
                                           'schemas'},
 'references': [{'source': 'Viettel Security'}],
 'threat_actor': 'Viettel Security (PoC developers)',
 'title': 'Critical SharePoint RCE Vulnerability (CVE-2026-33112) Exploited '
          'via Patch Bypass',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-33112 (SharePoint XmlValidator bypass '
                            'via external XSD schemas)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.