Summary
CVE-2026-50522 is a critical deserialization vulnerability in Microsoft SharePoint Server, affecting Enterprise Server 2016, Server 2019, and the Subscription Edition. The flaw arises from insecure deserialization of untrusted data (CWE-502), enabling unauthorized remote attackers to execute arbitrary code over the network with no authentication and no user interaction required. It carries a CVSS v3.1 base score of 9.8 (Critical), representing a maximum-severity risk for any internet-facing SharePoint deployment.
Technical details
- Root cause: Deserialization of untrusted data (CWE-502) within Microsoft Office SharePoint’s processing pipeline allows attacker-controlled serialized objects to be loaded and executed server-side.
- Trigger conditions: No authentication is required (Privileges Required: NONE) and no user interaction is needed (UI: NONE), meaning the vulnerability is exploitable entirely by a remote, unauthenticated attacker.
- Attack vector: Network-reachable with low attack complexity (AV:N/AC:L); any SharePoint instance accessible from the internet is within scope.
- Impact: Full compromise across all three security dimensions — high Confidentiality, Integrity, and Availability impact (C:H/I:H/A:H) — consistent with arbitrary remote code execution on the underlying server.
Affected software
- Microsoft SharePoint Enterprise Server 2016 (x64-based Systems) — versions prior to 16.0.5561.1001
- Microsoft SharePoint Server 2019 (x64-based Systems) — versions prior to 16.0.10417.20175
- Microsoft SharePoint Server Subscription Edition (x64-based Systems) — versions prior to 16.0.19725.20434
Severity
CVSS v3.1 Base Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation and recommended actions
- Immediate — apply Microsoft’s security update:
- SharePoint Enterprise Server 2016: upgrade to 16.0.5561.1001 or later
- SharePoint Server 2019: upgrade to 16.0.10417.20175 or later
- SharePoint Server Subscription Edition: upgrade to 16.0.19725.20434 or later
- If patching cannot be applied immediately: Restrict network access to SharePoint instances at the perimeter, blocking unauthenticated inbound connections from the public internet. Prioritize exposure reduction for any SharePoint server directly reachable from outside the organization.
- Monitor SharePoint server logs for anomalous deserialization activity or unexpected process execution.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

