SharePoint Server RCE and Office Preview Pane Vulnerabilities Fixed in May Patch Tuesday — Enterprise Document Attack Surface Elevated

May's Patch Tuesday patches an authenticated RCE in SharePoint Server (CVE-2026-40365) and multiple Office vulnerabilities exploitable via the Windows Explorer and Outlook preview pane without opening files. Together they represent a significant enterprise document attack surface. Assess SharePoint exposure and validate Office update deployment this week.


Microsoft’s May 2026 Patch Tuesday includes fixes for an authenticated Remote Code Execution vulnerability in SharePoint Server (CVE-2026-40365) alongside several Office components exploitable via the preview pane — meaning malicious documents can trigger code execution without a user explicitly opening the file. These flaws collectively expand the document-as-delivery-vector attack surface that has dominated enterprise targeting patterns for the past five years.

SharePoint Server RCE — CVE-2026-40365

CVE-2026-40365 affects SharePoint Server in all supported on-premises configurations. Exploitation requires a valid domain account but no special SharePoint permissions — a standard employee account is sufficient. An authenticated attacker can send a crafted HTTP request to a SharePoint instance that triggers server-side code execution in the context of the SharePoint application pool service account.

The practical risk varies by deployment model:

| Deployment | Risk Assessment |
| --- | --- |
| Intranet-only SharePoint | Requires pre-obtained enterprise credential; post-phishing attack path |
| SharePoint accessible from partner/extranet zones | High — partner accounts are routinely compromised |
| SharePoint accessible from internet | Critical — any credential obtained via phishing provides exploitation |
| SharePoint Online (Microsoft 365) | Not affected — this is an on-premises-only vulnerability |

Patch: May 2026 Cumulative Update for SharePoint Server 2019 and SharePoint Server Subscription Edition.

Office Preview Pane Vulnerabilities

Several Office and Word/Excel RCEs addressed this month are exploitable via the preview pane in Windows Explorer or Outlook’s reading pane. This is a material distinction from vulnerabilities that require file opening: a user who navigates to a folder containing a malicious document, or selects an email attachment to preview, can be compromised without double-clicking to execute the file.

Preview-pane exploits are among the hardest to defend against in user-facing environments because they contradict user training — “don’t open suspicious files” — when previewing a file is not opening it in the traditional sense. Detection via endpoint telemetry is also more difficult because there is no explicit file execution event to alert on; the exploitation occurs within the shell or Outlook process.

Risk Assessment for Enterprise Environments

Security assessment teams reviewing May’s release should evaluate the following in their patch prioritisation:

  • SharePoint Server versions: Run Get-SPFarm | Select BuildVersion to confirm the current build and compare against the May 2026 Cumulative Update build number.
  • Externally accessible SharePoint: Any SharePoint farm with an endpoint reachable from outside the corporate network — including extranets, partner portals, and internet-published SharePoint — should be treated as having authenticated attacker access from the moment of patch publication.
  • Office patch compliance: Office client patching frequently lags Windows OS patching by one to two weeks in enterprise environments using SCCM or Intune. Use compliance reporting to identify endpoints where Office has not yet received May updates.
  • Prioritise SharePoint patching: Apply the May 2026 Cumulative Updates to all on-premises SharePoint Server farms within 48 hours. Confirm the update applied by checking the SharePoint Central Administration build version.
  • Assess SharePoint network exposure: Map which network zones can reach your SharePoint instances. Any zone accessible to accounts that can be phished — employees, contractors, partners — should be treated as having an authenticated attacker model.
  • Preview pane mitigation: Consider Group Policy settings that disable the Windows Explorer preview pane for managed endpoints that regularly handle externally sourced files. This is a mitigation, not a substitute for patching.
  • Validate Office update rollout: Pull compliance reports from Intune or SCCM to confirm Office client update deployment. Chase any straggler endpoints rather than assuming the update has applied.
  • Mark of the Web: Confirm that your email security gateway and endpoint controls correctly propagate MOTW (Mark of the Web) attributes to email-delivered attachments, enabling Protected View and additional Office security controls.
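To turn the build check from the list above into something repeatable across farms, the following PowerShell is an added example (not from the article or from Microsoft). The article does not give the May 2026 CU build number, so $RequiredBuild is a placeholder to fill from the CU's KB article; reading NeedsUpgrade off the farm object to detect "binaries installed, PSConfig not yet run" is an assumption about the SPFarm object.

```powershell
# Added example: compare the farm build reported by Get-SPFarm with the build
# number of the May 2026 Cumulative Update. Run in the SharePoint Management
# Shell (or any Windows PowerShell session where the snap-in can be loaded).
function Test-SPFarmPatchLevel {
    param(
        # PLACEHOLDER: replace with the build number published for the May 2026 CU
        [Parameter(Mandatory)] [version] $RequiredBuild,

        # Optional: supply a build collected from an inventory to evaluate offline
        [version] $CurrentBuild = $null
    )

    $needsUpgrade = $null

    if (-not $CurrentBuild) {
        # Load the SharePoint cmdlets if this is not the SharePoint Management Shell
        if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
            Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        }
        $farm         = Get-SPFarm
        $CurrentBuild = $farm.BuildVersion
        # Assumption: NeedsUpgrade is $true when CU binaries are installed on the
        # servers but the configuration wizard (PSConfig) has not completed, so the
        # farm build has not yet advanced. That state still counts as unpatched.
        $needsUpgrade = $farm.NeedsUpgrade
    }

    # [version] comparison is component-wise (major.minor.build.revision),
    # so a string compare is deliberately avoided here.
    [pscustomobject]@{
        CurrentBuild  = $CurrentBuild
        RequiredBuild = $RequiredBuild
        Patched       = ($CurrentBuild -ge $RequiredBuild)
        PSConfigPending = $needsUpgrade
        CheckedAt     = (Get-Date).ToString('s')
    }
}

# Usage on a farm server (replace the placeholder build first):
# Test-SPFarmPatchLevel -RequiredBuild '16.0.0.0'
#
# Usage against a build recorded in an inventory, without SharePoint loaded:
# Test-SPFarmPatchLevel -RequiredBuild '16.0.0.0' -CurrentBuild '16.0.10000.0'
```

Because the farm build only advances once PSConfig has completed on every server, a result of Patched = $false with PSConfigPending = $true means the CU files are staged but the farm is not yet protected, which matches the article's advice to confirm the build in Central Administration rather than trusting the installer's success message.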
