📄 Description (English)
Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
🤖 AI Executive Summary
CVE-2026-40365 is a high-severity vulnerability in Microsoft SharePoint Server affecting versions 2016, 2019, and subscription editions. The vulnerability allows authorized attackers to execute arbitrary code over the network due to insufficient access control granularity. With a CVSS score of 8.8 and no patch currently available, this poses an immediate risk to organizations relying on SharePoint for document management and collaboration.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 18, 2026 20:36
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government entities, ARAMCO, banking sector (SAMA-regulated institutions), and large enterprises using SharePoint for sensitive document management. Government agencies managing classified information, financial institutions storing customer data, and energy sector organizations are particularly vulnerable. The ability for authorized users to escalate privileges and execute code threatens data confidentiality, integrity, and availability across critical sectors. Saudi organizations with hybrid or cloud-based SharePoint deployments face elevated risk due to network accessibility.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Energy and Utilities (ARAMCO)
Healthcare
Telecommunications (STC, Mobily)
Large Enterprises
Education
Insurance
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1190 - Exploit Public-Facing Application
T1078 - Valid Accounts
T1078.002 - Valid Accounts: Domain Accounts
T1133 - External Remote Services
T1021 - Remote Services
T1021.002 - Remote Services: SSH
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all SharePoint Server deployments (2016, 2019, subscription editions) across your organization
2. Restrict network access to SharePoint servers using firewall rules and network segmentation
3. Implement strict access control lists (ACLs) limiting user permissions to minimum required roles
4. Enable SharePoint audit logging and monitor for suspicious code execution attempts
5. Review and revoke unnecessary site collection administrator and farm administrator privileges
COMPENSATING CONTROLS (until patch available):
6. Implement Web Application Firewall (WAF) rules to detect and block suspicious SharePoint API calls
7. Deploy endpoint detection and response (EDR) solutions on SharePoint servers
8. Enable multi-factor authentication (MFA) for all SharePoint administrative accounts
9. Isolate SharePoint servers on dedicated network segments with strict egress filtering
10. Implement code execution monitoring and disable unnecessary scripting capabilities
DETECTION RULES:
11. Monitor SharePoint logs for unauthorized privilege escalation events
12. Alert on unexpected PowerShell or command execution from SharePoint processes
13. Track modifications to SharePoint permission inheritance and role assignments
14. Monitor for unusual network connections from SharePoint servers
PATCHING STRATEGY:
15. Subscribe to Microsoft security advisories for patch availability
16. Prepare patch testing environment immediately upon patch release
17. Establish expedited patching timeline (within 72 hours of patch availability)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات خادم SharePoint (2016 و2019 والإصدارات المشتركة) في جميع أنحاء المنظمة
2. قيد الوصول إلى الشبكة لخوادم SharePoint باستخدام قواعد جدار الحماية وتقسيم الشبكة
3. طبق قوائم التحكم في الوصول (ACLs) الصارمة لتحديد أذونات المستخدمين بالحد الأدنى المطلوب
4. فعّل تسجيل تدقيق SharePoint ومراقبة محاولات تنفيذ الأكواد المريبة
5. راجع وألغِ امتيازات مسؤولي مجموعة المواقع والمزرعة غير الضرورية
الضوابط التعويضية (حتى توفر التصحيح):
6. طبق قواعد جدار تطبيقات الويب (WAF) للكشف عن استدعاءات SharePoint API المريبة وحجبها
7. نشّر حلول الكشف والاستجابة على نقطة النهاية (EDR) على خوادم SharePoint
8. فعّل المصادقة متعددة العوامل (MFA) لجميع حسابات إدارة SharePoint
9. عزل خوادم SharePoint على شرائح شبكة مخصصة مع تصفية الخروج الصارمة
10. طبق مراقبة تنفيذ الأكواد وعطّل قدرات البرمجة النصية غير الضرورية
قواعد الكشف:
11. راقب سجلات SharePoint لأحداث تصعيد الامتيازات غير المصرح بها
12. أصدر تنبيهات عند تنفيذ PowerShell أو الأوامر غير المتوقعة من عمليات SharePoint
13. تتبع التعديلات على وراثة أذونات SharePoint وتعيينات الأدوار
14. راقب الاتصالات الشبكية غير العادية من خوادم SharePoint
استراتيجية التصحيح:
15. اشترك في استشارات أمان Microsoft لتوفر التصحيحات
16. جهز بيئة اختبار التصحيح فوراً عند توفر التصحيح
17. ضع جدول زمني معجل للتصحيح (خلال 72 ساعة من توفر التصحيح)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.5.3.1 - Access Rights Review
ECC 2024 A.6.1.1 - Information Security Roles and Responsibilities
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software, Hardware and Services Inventory
SAMA CSF PR.AC-1 - Access Control Policy and Procedures
SAMA CSF PR.AC-4 - Access Rights and Privileges
SAMA CSF DE.CM-8 - Vulnerability Scans
SAMA CSF RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.6.2 - User Access Management
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
ISO 27001:2022 A.14.2 - Development and Change Management
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Establish Configuration Standards
PCI DSS 6.2 - Ensure Security Patches are Installed
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 10.2 - Implement Automated Audit Trails
📦 Affected Products / CPE 3 entries
microsoft:sharepoint_server
microsoft:sharepoint_server:2016
microsoft:sharepoint_server:2019