Microsoft Patches SharePoint RCE Flaw Enabling RCE Attacks
Microsoft SharePoint Remote Code Execution Vulnerability CVE-2026-45659 Patches Rolled out
Continue ReadingSharepoint
Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2026-04-14 |
| No. of Vulnerability | 165 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
- 165 Microsoft CVEs
- 82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
- 93 Elevation of Privilege (EoP)
- 20 Remote Code Execution
- 21 Information Disclosure
- 10 Denial of Service (DoS)
- 9 Spoofing
- 13 Security Feature Bypass
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Internet Key Exchange (IKE) Service Extensions RCE | CVE-2026-33824 | Windows IKE Service | Critical | 9.8 |
| Windows TCP/IP Remote Code Execution (Wormable via IPv6) | CVE-2026-33827 | Windows TCP/IP Stack | Critical | 9.8 |
| Windows Active DirectoryRemote Code Execution | CVE-2026-33826 | Windows Active Directory | Critical | 9.1 |
| Remote Desktop Client Remote Code Execution | CVE-2026-32157 | Remote Desktop Client | High | 8.8 |
| Microsoft Office Remote Code Execution (Preview Pane) | CVE-2026-32190 | Microsoft Office | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33114 | Microsoft Word | High | 8.4 |
| Microsoft Word Remote Code Execution (Preview Pane) | CVE-2026-33115 | Microsoft Word | High | 8.4 |
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-33824 | Windows IKE Service Extensions | Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required | Remote Code Execution |
| CVE-2026-32190 | Microsoft Office | Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file | Remote Code Execution |
| CVE-2026-33114 / 33115 | Microsoft Word | Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains | Remote Code Execution |
| CVE-2026-32157 | Remote Desktop Client | RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios | Remote Code Execution |
| CVE-2026-33827 | Windows TCP/IP Stack | Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks | Remote Code Execution |
| CVE-2026-33826 | Windows Active Directory | Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining | Remote Code Execution |
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
- Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
- Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
- SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
- Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
- .NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
- Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
- SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
- Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
- Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
- Ensure Microsoft Defender and other security components are updated to the latest platform versions.
- Review network exposure and apply temporary mitigations where patching may be delayed.
- Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
- Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
References:
- https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr
- https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201
- https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration
Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration
A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.
This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.
Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.
Vulnerability Details
The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.
Source: blog.randorisec.fr, cybersecuritynews
Attack Flow
| Step | Description |
| Craft | Attackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations. |
| Access | The ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation. |
| Extract | The encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”). |
| Decrypt | The DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz. |
| Exploit | Decrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API |
Why It’s Effective
- Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
- Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
- Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.
Recommendations:
- Monitor Processes – Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
- Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
- Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
- Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
- User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation
Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.
References:
Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.
Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.
IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.
The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.
The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors.
Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
Share point Vulnerabilities a major cyber threat
The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid
active exploitation. Kaspersky Security Network showed exploitation attempts worldwide,
including in Egypt, Jordan, Russia, Vietnam and Zambia.
The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.
Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.
This suggests that the CVE-2025- 53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.
The connection to CVE-2020-1147 became evident following the discovery of CVE-2025- 49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.
Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.
The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.
“Many high-profile vulnerabilities remain actively exploited years after discovery —
ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today.
We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit
will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,”
said Boris Larin, principal security researcher at Kaspersky GReAT.
Do connect with us for any queries https://intruceptlabs.com/contact/
(Source: Read full report on Read the full report on Securelist.com)
ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover
Summary : Security Advisory
Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
| OEM | Microsoft |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-53770, CVE-2025-53771 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| SharePoint Server Remote Code | CVE-2025-53770 | SharePoint Server (on-prem) | Critical | 9.8 |
| Execution Vulnerability | CVE-2025-53771 | SharePoint Server (on-prem) | Medium | 6.3 |
Technical Summary
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers.
ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild.
The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey which are used to sign the VIEWSTATE payloads.
With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-53770 | SharePoint 2016, 2019 | Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads | Remote Code Execution, full system compromise |
| CVE-2025-53771 | SharePoint 2016, 2019 | Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques | Persistent access without credentials |
Remediation: To mitigate potential attacks customers should follow:
Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately:
- Apply Security Updates:
- SharePoint Server 2019: KB5002741
- SharePoint Server 2016: KB5002744
- SharePoint Subscription Edition: KB5002768
- Enable AMSI Protection:
- Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint.
- AMSI was turned on by default in Sept 2023 updates for 2016/2019.
- Rotate Cryptographic Keys:
- Use Update-SPMachineKey (PowerShell) or Central Admin.
- Restart IIS using iisreset.exe after key rotation.
- Deploy Endpoint Protection:
- Use Microsoft Defender for Endpoint or equivalent XDR tools.
CISA Alert and Advisory Inclusion:
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure.
Indicators of Compromise (IOCs):
| Type | Value (Obfuscated/Generalized) | Description |
| IP Address | 107.191.58[.]76, 104.238.159[.]149 | Observed in initial and second attack waves |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent string seen in exploitation requests |
| URL Path | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx | Exploit entry point targeting ToolPane |
Conclusion:
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.
The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity.
References: