CVE-2026-40368

Severity: High
CWE-502 (Weakness Type)
Published: May 12, 2026  ·  Modified: May 19, 2026  ·  Source: NVD
CVSS v3: 8.0
📄 Description (English)

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

🤖 AI Executive Summary

CVE-2026-40368 is a high-severity deserialization vulnerability in Microsoft SharePoint Server affecting versions 2016, 2019, and subscription editions. An authorized attacker can execute arbitrary code over the network by sending specially crafted serialized objects. With no patch currently available and CVSS 8.0 severity, this poses significant risk to organizations relying on SharePoint for document management and collaboration.

🤖 AI Intelligence Analysis (analyzed May 18, 2026 21:54)
🇸🇦 Saudi Arabia Impact Assessment
Saudi government entities, ARAMCO, banking sector (SAMA-regulated institutions), and large enterprises using SharePoint for document management face critical risk. Government ministries and agencies heavily rely on SharePoint for internal collaboration and document storage. Financial institutions using SharePoint for secure document handling are particularly vulnerable. Telecom operators (STC, Mobily) and healthcare organizations managing sensitive data through SharePoint are also at significant risk. The requirement for authorized access limits exposure but insider threats and compromised credentials could enable exploitation.
🏢 Affected Saudi Sectors
Government, Banking and Financial Services, Energy (ARAMCO), Telecommunications, Healthcare, Education, Large Enterprises
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1203 - Exploitation for Client Execution
T1559 - Inter-Process Communication
T1559.001 - Component Object Model
T1204 - User Execution
T1204.002 - Malicious File
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1569 - System Services
T1569.002 - Service Execution
T1021 - Remote Services
T1021.003 - Distributed Component Object Model
T1021.004 - SSH
T1021.005 - VNC
T1021.006 - Windows Remote Management
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all SharePoint Server deployments (2016, 2019, subscription editions) across your organization
2. Restrict network access to SharePoint servers using firewall rules and network segmentation
3. Implement strict access controls limiting SharePoint access to authorized users only
4. Monitor for suspicious serialized object submissions and unusual code execution patterns

COMPENSATING CONTROLS (until patch available):
5. Deploy Web Application Firewall (WAF) rules to detect and block malicious serialized payloads
6. Implement input validation and sanitization for all SharePoint API endpoints
7. Enable enhanced logging and auditing on SharePoint servers for deserialization events
8. Conduct immediate security assessment of SharePoint user accounts and access permissions
9. Isolate critical SharePoint instances on separate network segments
10. Disable unnecessary SharePoint features and services

DETECTION:
11. Monitor Event Viewer for suspicious .NET deserialization errors (Event ID 1000, 1001)
12. Track unusual process execution originating from SharePoint application pools (w3wp.exe)
13. Alert on unexpected outbound connections from SharePoint servers
14. Review SharePoint ULS logs for deserialization-related errors and warnings
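Detection steps 12 to 14 above, as an added Python example that is not part of this page or of any Microsoft tooling: it runs the three checks over constructed process-creation, outbound-connection and ULS records from a SharePoint server. The record field names, the list of suspicious child processes, the egress allow-list and the deserialization error patterns are assumptions to tune for your own environment.

```python
import re

# Shells and script hosts a SharePoint worker process should never spawn (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Destinations the SharePoint tier is expected to reach, e.g. its SQL backend (constructed allow-list).
ALLOWED_EGRESS = {"10.0.5.20", "10.0.5.21"}
# .NET deserialization failure markers worth an alert when seen in ULS logs (assumed patterns).
DESER_PATTERN = re.compile(r"SerializationException|BinaryFormatter|LosFormatter|ObjectStateFormatter", re.I)

def check_process(ev):
    """Step 12: a shell or script host whose parent is the IIS worker w3wp.exe."""
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    child = ev["image"].rsplit("\\", 1)[-1].lower()
    hit = parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN
    return (12, ev["host"], f"w3wp.exe spawned {child}: {ev['command_line']}") if hit else None

def check_egress(ev):
    """Step 13: an outbound connection from the server to a host outside the allow-list."""
    expected = ev["dest_ip"] in ALLOWED_EGRESS
    return None if expected else (13, ev["host"], f"{ev['image']} -> {ev['dest_ip']}:{ev['dest_port']}")

def check_uls(host, line):
    """Step 14: a ULS line that mentions a .NET deserialization failure."""
    m = DESER_PATTERN.search(line)
    return (14, host, m.group(0)) if m else None

def triage(process_events, egress_events, uls_lines, host="SP01"):
    """Return (step, host, detail) tuples for everything the three checks flagged."""
    found = ([check_process(e) for e in process_events] + [check_egress(e) for e in egress_events]
             + [check_uls(host, ln) for ln in uls_lines])
    return [f for f in found if f]

# Constructed sample telemetry for host SP01 (not from a real incident).
PROCESS_EVENTS = [
    {"host": "SP01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c set"},
    {"host": "SP01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe 0x4"}]
EGRESS_EVENTS = [
    {"host": "SP01", "image": "w3wp.exe", "dest_ip": "10.0.5.20", "dest_port": 1433},
    {"host": "SP01", "image": "w3wp.exe", "dest_ip": "203.0.113.77", "dest_port": 443}]
ULS_LINES = [
    "05/18/2026 21:50:01.12 w3wp.exe (0x1A2C) 0x0F10 SharePoint Foundation General 8nca "
    "Medium Application error: System.Runtime.Serialization.SerializationException",
    "05/18/2026 21:50:02.00 w3wp.exe (0x1A2C) 0x0F10 SharePoint Foundation Monitoring "
    "b4ly Medium Leaving Monitored Scope (Request GET /_layouts/15/start.aspx)"]

if __name__ == "__main__":
    for step, host, detail in triage(PROCESS_EVENTS, EGRESS_EVENTS, ULS_LINES):
        print(f"step {step} on {host}: {detail}")
```

Only the first process event, the second egress event and the first ULS line fire; the benign conhost.exe child, the SQL connection and the routine monitoring line pass silently.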
📋 Regulatory Compliance Mapping: NCA ECC 2024, SAMA CSF, ISO 27001:2022
📦 Affected Products / CPE (3 entries)
microsoft:sharepoint_server
microsoft:sharepoint_server:2016
microsoft:sharepoint_server:2019
📊 CVSS Score: 8.0 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: R (Required)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.0
CWE: CWE-502
EPSS: 0.35%
Exploit: No
Patch: No
Published: 2026-05-12
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 (Priority: HIGH)
🏷️ Tags: CWE-502