Microsoft SharePoint has a high-severity improper authorization flaw that can let an authenticated attacker execute code over a network. Patch exposed SharePoint systems now.
Microsoft has disclosed CVE-2026-47298, a high-severity remote code execution vulnerability in Microsoft Office SharePoint. The flaw is tracked in the Microsoft Security Update Guide. It carries a CVSS 3.1 base score of 8.0.
Impact is serious. An authorized attacker can execute code over a network. The issue is classified as improper authorization, mapped to CWE-285. That means SharePoint fails to enforce an access-control decision correctly before allowing a sensitive action.
The affected product is Microsoft Office SharePoint. NVD had not yet published detailed CPE or version applicability at the time of its June 9, 2026 record update. Administrators should use the Microsoft advisory to map the CVE to their deployed SharePoint edition and build, then apply the listed security update.
Severity is high. The Microsoft CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The attack is network reachable. Attack complexity is low. The attacker needs low privileges. User interaction is required. Successful exploitation can affect confidentiality, integrity, and availability.
That combination matters. SharePoint is commonly exposed to internal users, partners, and remote access paths. Even when not internet-facing, it often stores sensitive documents, workflow data, project records, and identity-linked collaboration content. A code execution flaw in that tier can become a pivot point.
The authorization weakness is the core risk. Authorization checks decide whether a user can perform an action after authentication has already established identity. When those checks are incomplete, inconsistent, or bypassable, a legitimate account can reach functions it should not reach. In SharePoint, that can be dangerous because authenticated users often have broad read access, upload ability, workflow access, or access to shared sites.
This is not an anonymous pre-authentication issue based on the published vector. The attacker needs privileges. That lowers exposure, but it does not make the vulnerability low risk. Stolen credentials, compromised contractor accounts, weakly governed guest access, and over-permissioned internal accounts are common entry points in SharePoint environments.
User interaction is also required. Defenders should not read that as a major shield. SharePoint attacks frequently involve document handling, links, workflow actions, or collaboration features where user activity is normal. If exploitation can be triggered through a crafted file, page, workflow, or request path requiring a user action, attackers can blend the lure into routine business traffic.
Mitigation is direct. Install the Microsoft security update for affected SharePoint systems. Prioritize internet-facing SharePoint servers, extranet deployments, high-value collaboration farms, and environments with broad external sharing. Confirm the update on every SharePoint server in the farm. One unpatched server can remain a viable target.
Administrators should also verify build levels after patching. Do not rely only on update deployment status. Check SharePoint product build numbers, Windows update history, and farm health. Confirm that all web front ends, application servers, and search-related components are updated consistently.
Restrict exposure while patching. Limit SharePoint access to trusted networks where possible. Review reverse proxy, VPN, and identity provider rules. Remove unnecessary anonymous access. Disable stale external sharing links. Review guest users and service accounts with low privileges that still have broad site reach.
Monitor for suspicious activity. Look for unusual authenticated requests to SharePoint endpoints, unexpected file writes, new web artifacts, abnormal workflow activity, suspicious child processes, and authentication from unusual locations. Code execution in SharePoint often leaves traces in IIS logs, Windows event logs, SharePoint ULS logs, and endpoint detection telemetry.
Timeline is short. Microsoft assigned and published the CVE through its CNA process. NVD received the record on June 9, 2026, and last modified it the same day. As of that record, NVD marked the CVE as undergoing enrichment, meaning NIST had not yet completed its own CVSS, CWE, and product applicability analysis.
Defenders should not wait for enrichment. Microsoft has already supplied the CNA score and vector. The available data is enough to drive action: high severity, network attack vector, low complexity, low privileges required, and full impact across confidentiality, integrity, and availability.
The fix is the patch. Apply the SharePoint security update listed by Microsoft. Validate deployment. Reduce access until patching is complete. Investigate suspicious SharePoint activity before and after remediation.
Comments
Please log in or register to join the discussion