Actively exploited vulnerabilities in Microsoft SharePoint, Exchange, Defender, nginx-ui, and more put enterprise infrastructure at risk

By SAFE Threat Research Team
This week’s most dangerous CVEs share a common and deeply uncomfortable theme: attackers are abusing the very infrastructure organizations rely on for security, communication, and operations — including Microsoft Defender itself. From unauthenticated SharePoint spoofing and Exchange deserialization to a local privilege escalation that turns your endpoint protection platform into a launching pad for full host compromise, these vulnerabilities demand attention now.
Here are the six CVE clusters that security teams cannot afford to deprioritize this week.
1. nginx-ui Authentication Bypass via MCP Endpoint (CVE-2026-33032)
Vulnerable Component: nginx-ui
An authentication bypass in nginx-ui (a popular web interface for configuring and monitoring Nginx) affects its Model Context Protocol endpoint, /mcp_message. Because the endpoint's IP whitelist is empty by default, unauthenticated remote attackers can reach it and take over the Nginx service: no credentials, no privileges and no user interaction are required. The flaw is rated critical severity.
The impact is sweeping: successful exploitation enables modification of Nginx configuration files, unauthorized service restarts, and a clear pathway to remote code execution on the underlying host.
This vulnerability is actively being exploited in internet-exposed deployments, and the attack surface is wide — any organization running nginx-ui without IP allowlist restrictions is exposed. Affected instances should be taken offline or placed behind network-layer access controls immediately while patches are applied.
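The bug class behind this item is an allowlist that fails open: an empty list is treated as "no restriction" rather than "nobody". The following is an added, illustrative example (not nginx-ui's code) showing that pattern next to a fail-closed version, with the allowlist, addresses and session flag all constructed for the example. The check must be applied to the TCP peer address, not to a client-supplied header such as X-Forwarded-For.

```python
import ipaddress
from typing import Iterable

# Constructed example: a management endpoint guarded by an IP allowlist.
# Names, addresses and ranges here are hypothetical.

def _in_allowlist(client_ip: str, entries: list) -> bool:
    """True if client_ip falls inside any listed host or CIDR range."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address is never trusted
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def allowed_fail_open(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Vulnerable pattern: an empty allowlist means 'allow everyone', so a
    default (empty) configuration exposes the endpoint to the whole network."""
    entries = list(allowlist)
    if not entries:
        return True  # fail-open: nothing configured == no restriction
    return _in_allowlist(client_ip, entries)


def allowed_fail_closed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Hardened pattern: an empty allowlist denies everyone; only explicitly
    listed hosts or networks are admitted."""
    entries = list(allowlist)
    if not entries:
        return False  # fail-closed: nothing configured == nobody allowed
    return _in_allowlist(client_ip, entries)


def authorize_request(client_ip: str, allowlist: Iterable[str],
                      session_authenticated: bool) -> bool:
    """Defence in depth for a privileged endpoint: the caller must be both on
    the network allowlist AND authenticated. Neither control alone suffices."""
    return allowed_fail_closed(client_ip, allowlist) and session_authenticated


if __name__ == "__main__":
    # Default (empty) configuration: the fail-open check lets an Internet
    # host straight through; the fail-closed check does not.
    print(allowed_fail_open("203.0.113.9", []))      # True  (vulnerable)
    print(allowed_fail_closed("203.0.113.9", []))    # False (hardened)
    print(authorize_request("10.0.0.5", ["10.0.0.0/8"], True))   # True
    print(authorize_request("10.0.0.5", ["10.0.0.0/8"], False))  # False
```

The point of authorize_request is that a network allowlist is a perimeter control, not an authentication control: a request from an allowlisted range still has to carry a valid session, so a misconfigured or spoofed network path does not by itself grant management access.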
2. Microsoft SharePoint Server Spoofing Zero-Day (CVE-2026-32201)
Vulnerable Component: Microsoft SharePoint Server
An improper input validation vulnerability in Microsoft SharePoint Server allows unauthenticated attackers to perform spoofing over the network, enabling impersonation of trusted identities or services within SharePoint environments. This CVE has been actively exploited as a zero-day and added to CISA’s Known Exploited Vulnerabilities catalog.
Like CVE-2026-33032, this vulnerability requires no privileges and no user interaction — it is network-exploitable from the moment an attacker identifies a target. Beyond the immediate impact of unauthorized data access and content manipulation, the greater danger lies in its role as a staging ground: this vulnerability can be leveraged as part of multi-stage attack chains for lateral movement across enterprise environments. Organizations running on-premises SharePoint should treat patching as an emergency change.
3. Microsoft Exchange Server Deserialization RCE (CVE-2023-21529)
Vulnerable Component: Microsoft Exchange Server
A deserialization of untrusted data vulnerability in Microsoft Exchange Server allows an authenticated attacker to execute arbitrary code by sending specially crafted serialized payloads to vulnerable endpoints. This CVE is actively exploited and has been added to CISA KEV. Only low privileges are required — no user interaction needed.
Think of this one as a force multiplier for credential theft: a post-auth RCE that turns any stolen credential into a full Exchange compromise. Once an attacker obtains even a low-privilege account — through phishing, credential stuffing, or purchase on an initial access broker marketplace — this vulnerability hands them the keys to the entire email infrastructure. That means access to sensitive communications, the ability to move laterally within internal networks, and a persistent foothold that can be difficult to detect and eradicate.
4. Adobe Acrobat Reader Use-After-Free RCE (CVE-2020-9715)
Vulnerable Component: Adobe Acrobat Reader / Acrobat
A use-after-free vulnerability in Adobe Acrobat Reader and Acrobat allows attackers to execute arbitrary code when a victim opens a specially crafted PDF file, due to improper memory handling during document processing. This CVE has been actively exploited and recently added to CISA KEV.
While user interaction is required — the victim must open the malicious PDF — this is not a meaningful barrier in practice. PDF-based phishing remains one of the most reliable initial access vectors in the attacker playbook, and Acrobat’s near-universal enterprise deployment makes it a high-yield target. Exploitation enables arbitrary code execution, making it effective for malware delivery, data theft, and follow-on intrusion activity. Organizations should ensure Acrobat is patched across all endpoints and consider restricting features such as JavaScript where not required.
5. ShowDoc Unrestricted File Upload RCE (CVE-2025-0520)
Vulnerable Component: ShowDoc
An unrestricted file upload vulnerability in the ShowDoc documentation tool — caused by improper validation of file extensions — allows attackers to upload malicious PHP files and execute arbitrary code on the server, leading to remote code execution. With a CVSS score of 9.4, this vulnerability is network-exploitable with no privileges and no user interaction required.
Over 2,000 vulnerable deployments have been observed, and active exploitation against internet-exposed instances is ongoing. Successful attacks enable webshell deployment and full server compromise. This CVE is a sharp reminder that developer and documentation platforms are not low-risk assets: they frequently sit on internal networks with broad access to code repositories, credentials, and sensitive project data. Legacy N-day vulnerabilities like this one continue to yield results for attackers long after public disclosure, particularly in platforms where patching cadence is informal.
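The root cause described above, extension validation that can be bypassed, is easiest to see as code. The following is an added example and not ShowDoc's code: a denylist check on the final extension (the weak form) beside an allowlist validator that normalises case, rejects multiple extensions and null bytes, generates a server-side filename and stores the file outside the web root. UPLOAD_ROOT and the extension sets are hypothetical.

```python
import os
import re
import secrets
from typing import Optional

# Hypothetical storage location outside the document root, so that even a
# file named *.php is never served by the PHP handler.
UPLOAD_ROOT = "/srv/app-data/uploads"

# --- Vulnerable pattern: block one dangerous extension, allow everything else.
BLOCKED = {".php"}

def accept_upload_denylist(filename: str) -> bool:
    """Weak check: only the last extension is compared, case-sensitively.
    'shell.PHP', 'shell.phtml' and 'shell.php.jpg' all pass."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED


# --- Hardened pattern: allowlist, normalisation, one extension, new name.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".md"}
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_upload(filename: str) -> Optional[str]:
    """Return a server-chosen filename for an acceptable upload, or None."""
    name = os.path.basename(filename)            # drop any path components
    if "\x00" in name or name != name.strip():   # null bytes, odd whitespace
        return None
    parts = name.split(".")
    if len(parts) != 2:                          # exactly one extension
        return None
    stem, ext = parts
    ext = "." + ext.lower()                      # compare case-insensitively
    if ext not in ALLOWED or not _SAFE_STEM.match(stem):
        return None
    # Never reuse the client-supplied name; the client controls only the
    # (allowlisted) extension, not where or under what name the file lands.
    return secrets.token_hex(16) + ext


def storage_path(stored_name: str) -> str:
    """Absolute path under UPLOAD_ROOT for a name returned by validate_upload."""
    return os.path.join(UPLOAD_ROOT, stored_name)


if __name__ == "__main__":
    for candidate in ["shell.php", "shell.PHP", "shell.phtml", "shell.php.jpg",
                      "diagram.PNG", "../../etc/passwd"]:
        print(f"{candidate:20} denylist={accept_upload_denylist(candidate)!s:5} "
              f"allowlist={validate_upload(candidate)}")
```

Extension checks are necessary but not sufficient: the stored file should also be content-checked (magic bytes matching the claimed type), and the upload directory must be configured so the web server never executes scripts from it regardless of name.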
6. Microsoft Defender Local Privilege Escalation Zero-Day (CVE-2026-33825)
Vulnerable Component: Microsoft Defender
An improper access control vulnerability in Microsoft Defender allows an authorized attacker to elevate privileges locally to SYSTEM level by abusing insufficient validation in privileged operations. This CVE is actively exploited as a zero-day, with a public proof-of-concept already available. Only low privileges and no user interaction are required.
The implications here are particularly pointed. Microsoft Defender is the endpoint protection platform that organizations rely on to detect and stop exactly this kind of post-compromise behavior — and this vulnerability turns it into the vehicle for full host takeover. After achieving initial access through any means, attackers can use this flaw to escalate to SYSTEM, enabling defense evasion, credential harvesting, and lateral movement. The existence of a public proof-of-concept means exploit development time is effectively zero for even moderately capable threat actors. This CVE is part of a broader set of Microsoft Defender exploitation techniques, highlighting systemic weaknesses in endpoint protection mechanisms that deserve attention beyond this single patch.
What to Do Now
The thread running through this week's six CVEs is attacker efficiency: low-barrier entry points that rapidly translate into maximum-impact outcomes. Three of the six require no privileges whatsoever. Five require no user interaction. Three are already in CISA's Known Exploited Vulnerabilities catalog, and a fourth has a public proof-of-concept.
Prioritization guidance for security teams:
Patch immediately (actively exploited; KEV-listed or public PoC available):
- CVE-2026-32201 (SharePoint) — unauthenticated, KEV-listed, zero-day
- CVE-2026-33825 (Defender) — public PoC available, actively exploited zero-day
- CVE-2023-21529 (Exchange) — KEV-listed, turns any credential into RCE
- CVE-2020-9715 (Acrobat) — KEV-listed, high-volume phishing vector
Isolate or take offline immediately:
- CVE-2026-33032 (nginx-ui) — unauthenticated critical RCE on internet-exposed instances
- CVE-2025-0520 (ShowDoc) — 2,000+ exposed instances, webshell deployment confirmed
Detection and hunting:
- Hunt for unusual PowerShell activity and Defender process anomalies, particularly on hosts where low-privilege accounts have recently authenticated
- Review SharePoint and Exchange access logs for unusual API calls or authentication patterns
- Audit internet-exposed nginx-ui and ShowDoc deployments across your attack surface
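For the web-facing items on this list, the hunting can be done directly against access logs. The following is an added example, not part of the original post, that runs two rules over constructed nginx "combined"-format log lines: requests to /mcp_message from addresses outside a management allowlist, and requests that execute a script file from an uploads directory (the webshell pattern that follows a successful ShowDoc-style upload). The allowlist, the log lines and the ShowDoc upload paths in them are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (nginx "combined" format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2026:10:01:02 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [12/Apr/2026:10:01:07 +0000] "POST /mcp_message HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.9 - - [12/Apr/2026:10:01:09 +0000] "POST /mcp_message HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [12/Apr/2026:10:02:15 +0000] "POST /server/index.php?s=/api/page/upload HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2026:10:02:16 +0000] "GET /Public/Uploads/2026-04-12/a1b2c3.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Apr/2026:10:03:00 +0000] "GET /Public/Uploads/2026-04-12/logo.png HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
"""

# nginx "combined" log format: ip - user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical allowlist: the ranges from which management traffic is expected.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Script extensions that should never be requested from an uploads directory.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")

Finding = Tuple[str, str, str]  # (rule, client ip, requested path)


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def hunt(log_text: str) -> List[Finding]:
    """Apply both hunting rules to every parsable line and return the hits."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string for matching
        # Rule 1: the MCP endpoint reached from outside the management allowlist.
        if path == "/mcp_message" and not is_allowlisted(rec["ip"]):
            findings.append(("mcp_from_unlisted_ip", rec["ip"], rec["path"]))
        # Rule 2: a script executed out of an uploads directory (webshell use).
        if "/uploads/" in path.lower() and path.lower().endswith(SCRIPT_EXTS):
            findings.append(("script_in_uploads", rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for rule, ip, path in hunt(SAMPLE_LOG):
        print(f"{rule:22} {ip:15} {path}")
```

Rule 1 fires on the two /mcp_message requests from 203.0.113.9 and stays quiet for the allowlisted 10.0.0.5; Rule 2 flags the .php request under /Public/Uploads/ and ignores the image next to it. In practice the same rules would be run over the full retention window, since a webshell dropped weeks ago still shows up as the first request to a script under an uploads path.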
Attacker dwell time shrinks every week. The vulnerabilities being weaponized right now are not theoretical risks — they are active intrusion vectors with confirmed exploitation in the wild. The sooner your security team acts, the smaller the window stays.