Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365

Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.


Five days after Microsoft patched CVE-2026-40365, a SharePoint Server remote code execution vulnerability addressed in the May 2026 Patch Tuesday, Pwn2Own Berlin 2026 researchers demonstrated a different, previously unknown RCE chain in SharePoint that has no patch and will not receive one for up to 90 days.

The Pwn2Own finding is not a variant or bypass of CVE-2026-40365 — it targets a different component of SharePoint’s server-side request processing pipeline and uses a distinct vulnerability chain. This means that organisations that applied the May Patch Tuesday update promptly have patched one SharePoint RCE and remain exposed to a second.

Two RCE Paths, One Platform

The coexistence of two independent SharePoint RCE vulnerabilities at roughly the same time is not a coincidence — it is the statistical outcome of a large, complex application with a significant attack surface attracting increased researcher attention.

SharePoint Server is a natural high-value research target: it is widely deployed in enterprise environments, processes a large volume of untrusted input (user-submitted files, list items, web parts, external data connections), runs with elevated service account privileges, and is frequently accessible from the corporate intranet without WAF protection. The combination of broad deployment, privileged execution, and complex input processing has made SharePoint a recurring Pwn2Own and CVE target over the past decade.

The CVE-2026-40365 chain demonstrated in the Patch Tuesday preview pane context used a file rendering vulnerability to achieve code execution. The Pwn2Own chain targets the server-side pipeline that processes certain types of SharePoint list or web part operations — a different attack entry point with different preconditions but a similar destination: code execution under the SharePoint service account.

Exposure Assessment

Who is affected: All organisations running on-premises SharePoint Server — SharePoint 2019, SharePoint Server Subscription Edition — that have not restricted access to trusted users only. SharePoint Online (Microsoft 365) is reported to be unaffected; Microsoft’s cloud service applies security updates independently and quickly.

Preconditions: The specific preconditions for the Pwn2Own chain have not been disclosed (90-day hold), but Pwn2Own SharePoint exploits historically require either network access to the SharePoint site or the ability to submit content to a site (i.e., a user account with basic SharePoint access).

Risk level: High. SharePoint RCE chains in the past (CVE-2019-0604, others) were exploited by nation-state actors within days of technical details becoming available. The May Patch Tuesday context means many organisations’ attention and patching capacity were directed at CVE-2026-40365; the Pwn2Own finding lands in that period.

Immediate (this week):

  • Confirm that the May Patch Tuesday update (which patches CVE-2026-40365) has been applied to all SharePoint Servers — this is not a substitute for the forthcoming Pwn2Own patch, but eliminates the parallel known-CVE exposure
  • Restrict SharePoint access to authenticated internal users only — remove any externally-facing anonymous or forms-based authentication access
  • Place SharePoint behind a WAF with Microsoft-specific rule sets if not already done; the WAF will not block an authenticated internal user exploiting the chain, but limits external attack surface
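
The first two checks can be audited read-only from the SharePoint Management Shell. The script below is an added example, not part of the original article or of Microsoft's guidance; the `-MinimumBuild` value is an assumption the operator must supply from Microsoft's advisory, because the article does not state the patched build number.

```powershell
# Added example: read-only audit of patch level and of anonymous/forms-based
# access. Save as a .ps1 and run on a farm server as a farm administrator.
param(
    # Assumption: the farm build that contains the May update. The article does
    # not give it; take the value from Microsoft's advisory for CVE-2026-40365.
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Check 1a: farm build level compared with the operator-supplied minimum.
$farm = Get-SPFarm
[pscustomobject]@{
    FarmBuild    = $farm.BuildVersion
    MinimumBuild = $MinimumBuild
    Patched      = ($farm.BuildVersion -ge $MinimumBuild)
} | Format-Table -AutoSize

# Check 1b: per-server state. NeedsUpgrade = True means the binaries were
# updated but the configuration wizard has not completed on that server.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Address, Role, NeedsUpgrade | Format-Table -AutoSize

# Check 2: every web application zone that still allows anonymous access or
# forms-based sign-in, with the URL that zone answers on.
$findings = foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]
        if ($iis.AllowAnonymous -or $iis.UseFormsClaimsAuthenticationProvider) {
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                Url            = $wa.GetResponseUri($zone).AbsoluteUri
                Anonymous      = $iis.AllowAnonymous
                FormsAuth      = $iis.UseFormsClaimsAuthenticationProvider
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No zone allows anonymous or forms-based authentication.' }
```

A zone listed by the second check is a candidate for the access restriction above only if its URL is reachable from outside the internal network; the script reports configuration, not network exposure.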

When Broadcom/Microsoft releases the patch (within 90 days): Apply within 24 hours. This will be a high-priority SharePoint security update; pre-stage the patch in your deployment infrastructure so it can be applied at short notice.
