
Focus Friday: TPRM Insights on Critical Dead.Letter (Exim), Microsoft SharePoint, and MSSQL Vulnerabilities

Published

May 15, 2026

Authors

Ferdi Gül

Contributors

Hakan Karabacak

Introduction

Welcome to another edition of Focus Friday. This week, we examine severe threats targeting foundational enterprise communication and data infrastructure: mail servers, collaborative document platforms, and relational databases.

Specifically, we are exploring the Dead.Letter vulnerability in the Exim Mail Server, alongside high-severity remote code execution (RCE) and privilege escalation flaws affecting Microsoft SharePoint and Microsoft SQL Server (MSSQL). For Third-Party Risk Management (TPRM) professionals, these disclosures highlight the continuous challenge of securing the deeply embedded systems within vendor ecosystems. When vendors run unpatched infrastructure at this level—whether it is an internet-facing mail server or a backend database holding critical assets—the risk cascades directly to your shared data, credentials, and network integrity.

Let’s dive into the technical details of these high-profile vulnerabilities, the specific questions you should be asking your third-party partners, and how you can operationalize intelligence to protect your supply chain.

Filtered view of vendors with Dead.Letter FocusTag® on the Black Kite platform.

Dead.Letter (CVE-2026-45185)

What Is the Exim Dead.Letter Vulnerability?

CVE-2026-45185, known as "Dead.Letter," is a Critical-severity vulnerability in Exim that combines a Use-After-Free (UAF) and memory corruption with improper input validation, leading to Remote Code Execution (RCE). Carrying a CVSS score of 9.8 and an EPSS score of 0.06%, the flaw is rooted in the interaction between Exim’s SMTP input handling and the GnuTLS library. It is triggered when a client initiates a TLS session via the STARTTLS command and subsequently sends a BDAT (chunking) command. During the TLS shutdown, Exim frees a transfer buffer but fails to clear the lower-level receive pointers that still reference it. Through this dangling pointer, a single newline character can be written into the freed memory region, corrupting adjacent metadata and ultimately allowing an unauthenticated remote attacker to execute arbitrary code.

The vulnerability was publicly disclosed on May 12, 2026, by researchers at XBOW. It impacts Exim Core versions 4.97 through 4.99.2, including default installations on Debian and Ubuntu 24.04 LTS. Currently, a public Proof-of-Concept (PoC) exploit is available, lowering the technical barrier for attackers. Although there are no confirmed reports of active exploitation in the wild by specific threat actor campaigns, the availability of the PoC means attacks could begin at any moment. As of now, the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA has not yet published a specific advisory for it.

Why Should TPRM Professionals Care About the Exim Vulnerability?

Exim is one of the most widely deployed Mail Transfer Agents (MTAs) globally, processing inbound and outbound email across countless vendor networks. Because this vulnerability exists on an internet-facing service and requires zero authentication, it represents a severe third-party risk. A successful RCE attack grants threat actors a direct foothold into a vendor's environment, allowing for potential lateral movement into deeper infrastructure.

From a TPRM perspective, a compromised mail server specifically jeopardizes communication integrity and data confidentiality. Attackers could intercept, read, or alter sensitive emails flowing between your organization and the vendor. Furthermore, a compromised Exim server can be weaponized to launch highly convincing Business Email Compromise (BEC) and phishing campaigns. Because the fraudulent emails would originate from the vendor’s legitimate, trusted domain, they can bypass standard email security filters, putting your own employees and assets at direct risk.

What Questions Should TPRM Professionals Ask Vendors About the Exim Vulnerability?

To accurately assess a vendor's exposure and response to the Dead.Letter vulnerability, TPRM teams should ask the following technical questions:

  1. Can you confirm if you have upgraded all instances of Exim Mail Server to version 4.99.3 or later to mitigate the risk of CVE-2026-45185?
  2. Have you restricted STARTTLS availability to trusted networks only, so that the STARTTLS-then-BDAT sequence required to exploit the Use-After-Free (UAF) in Exim's GnuTLS handling cannot be reached from untrusted sources?
  3. Are you monitoring for unusual panic or segfault errors in the Exim process, which may indicate failed exploitation attempts or "grooming" of the heap, as recommended in the advisory?
  4. Have you ensured that the Exim service is running with the minimum required privileges and that sensitive directories like JENKINS_HOME are not writable by the exim user to prevent RCE from escalating to full persistent system control?

Remediation Recommendations for Vendors Subject to This Risk

To eliminate or mitigate the risk posed by the Dead.Letter vulnerability, vendors should implement the following recommendations immediately:

  • Immediate Software Upgrade: Update Exim to the latest patched version (4.99.3, distributed as part of the May 12, 2026, coordinated release). This is the definitive fix for the UAF logic error.
  • Disable BDAT/Chunking: If patching cannot be done immediately, disable the CHUNKING extension in the Exim configuration. This prevents the BDAT command from being processed, which is a necessary step for exploitation.
  • Restrict STARTTLS: If feasible, limit STARTTLS availability to trusted networks only, though this must be weighed against potential disruptions to global mail delivery.
  • Monitor for Memory Crashes: Continuously review logs for panic or segfault errors within the Exim process, which could indicate exploitation attempts.
  • Audit System Users: Ensure the Exim service runs with minimal privileges. Verify that sensitive directories (such as JENKINS_HOME) are not writable by the exim user to prevent an attacker from escalating to full system control.

Black Kite's Dead.Letter FocusTag® details critical insights on the event for TPRM professionals.

SharePoint - May2026 (CVE-2026-35439, CVE-2026-33110, CVE-2026-33112, CVE-2026-40357, CVE-2026-40365, and CVE-2026-40368)

What Are the Microsoft SharePoint RCE Vulnerabilities?

The May 2026 Microsoft security updates addressed a cluster of six High-severity Remote Code Execution (RCE) vulnerabilities affecting Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (builds prior to 16.0.19725.20280). The updates were published on May 12, 2026, as part of Patch Tuesday. For five of these flaws (CVE-2026-35439, CVE-2026-33110, CVE-2026-33112, CVE-2026-40357, and CVE-2026-40368), the root cause is the Deserialization of Untrusted Data (CWE-502); the sixth, CVE-2026-40365, stems from Insufficient Granularity of Access Control (CWE-1220).

Most of these vulnerabilities carry a CVSS score of 8.8 and an EPSS score of 0.5%. The CVSS vector indicates they are network-exploitable, have low attack complexity, require low privileges, and need no user interaction. The exception is CVE-2026-40368, which has a CVSS of 8.0 and an EPSS of 0.31% because it requires user interaction. CVE-2026-40365 has a CVSS of 8.8 and an EPSS of 0.06%.

Currently, there are no confirmed reports of exploitation in the wild, nor is there a publicly available Proof-of-Concept (PoC). Consequently, none of these vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. While CISA regularly points organizations to Microsoft's monthly update release notes, it has not issued a standalone advisory specific to this cluster of SharePoint flaws.

Why Should TPRM Professionals Care About the SharePoint Vulnerabilities?

Microsoft SharePoint operates as the central nervous system for corporate document management, intranets, and collaborative workflows. These environments are deeply entwined with Active Directory, Microsoft 365 workflows, and critical internal business applications.

For third-party risk management teams, evaluating a vendor's exposure to these RCE vulnerabilities is critical because successful exploitation grants an authorized attacker the ability to execute code directly over the network. If a vendor's SharePoint environment is compromised, the fallout goes far beyond a single application failure. Attackers can access highly sensitive shared documents, extract proprietary intellectual property, or leverage the trusted SharePoint server to pivot laterally into deeper internal networks. Because the exploit requires low privileges, an attacker simply needs to compromise a basic user account—or exploit a vendor's overly permissive external sharing settings—to launch an attack that exposes privileged operational data and workflow-connected systems.

What Questions Should TPRM Professionals Ask Vendors About the SharePoint Vulnerabilities?

To accurately determine how third-party partners are mitigating these RCE risks, consider presenting the following technical inquiries:

  1. Have you updated all instances of Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition to version 16.0.19725.20280 or later to mitigate the risk of CVE-2026-35439, CVE-2026-33110, CVE-2026-33112, CVE-2026-40357, CVE-2026-40365, and CVE-2026-40368?
  2. Can you confirm if you have implemented the recommended actions such as validating patch deployment across SharePoint farms, applying Microsoft SharePoint security updates, hardening SharePoint exposure, prioritizing internet-facing SharePoint servers, reviewing authentication and access controls, conducting an incident response review, verifying product and version scope, and monitoring for suspicious SharePoint activity?
  3. Have you taken measures to restrict direct internet access to SharePoint and placed it behind VPN, identity-aware proxy, conditional access, or similar access control layers as recommended in the advisory?
  4. Can you confirm if you have reviewed SharePoint user permissions, privileged accounts, stale accounts, external users, service accounts, and administrative roles to remove unnecessary access and enforce least privilege as recommended in the advisory?

Remediation Recommendations for Vendors Subject to This Risk

To secure enterprise document repositories and workflows against these flaws, vendors must take immediate corrective action.

  • Apply Microsoft SharePoint Security Updates: Deploy the relevant May 2026 security updates across all affected deployments immediately. For SharePoint Server Subscription Edition, validate that the build number is 16.0.19725.20280 or higher.
  • Validate Patch Deployment Across SharePoint Farms: Ensure comprehensive coverage in multi-server architectures. All web front-end servers, application servers, and connected components must be updated, as partial patching leaves the broader environment exposed.
  • Prioritize Internet-Facing Servers: Immediately identify and prioritize patching for any SharePoint servers directly accessible by external users, partners, contractors, or third-party integrations.
  • Review Authentication and Access Controls: Since exploitation requires an authorized attacker, audit user permissions, external guest access, service accounts, and administrative roles. Eliminate stale accounts and strictly enforce the principle of least privilege.
  • Harden External Exposure: Remove direct internet accessibility wherever possible. Shield SharePoint behind access control layers like conditional access or VPNs, and mandate MFA for all connections.

Black Kite's SharePoint - May2026 FocusTag® details critical insights on the event for TPRM professionals.
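Putting the Exim remediation list and the SharePoint build check together, here is an added Python example (not Black Kite's code, nor anything from the Exim or Microsoft projects) that classifies a host using only the version boundaries this post states: Exim 4.97 through 4.99.2 affected and fixed in 4.99.3, SharePoint Subscription Edition builds below 16.0.19725.20280 affected. It assumes the Exim host can be queried with `exim -bV` and `exim -bP chunking_advertise_hosts` / `exim -bP tls_advertise_hosts` (real Exim main options; an empty host list means the extension is not advertised), and all command output shown is constructed.

```python
"""Exposure check for the Dead.Letter (CVE-2026-45185) and SharePoint May 2026
findings, encoding only the version boundaries stated in this post.
All command output used below is constructed, not captured from real hosts."""
import re

# Stated in the post: Exim 4.97 through 4.99.2 affected, 4.99.3 fixed;
# SharePoint Server Subscription Edition builds below 16.0.19725.20280 affected.
EXIM_FIRST_AFFECTED = (4, 97, 0)
EXIM_FIXED = (4, 99, 3)
SP_SE_FIXED_BUILD = (16, 0, 19725, 20280)


def parse_version(text):
    """Return the first dotted number in text (e.g. 'Exim version 4.98 #2 ...')
    as a tuple of ints, so versions compare numerically rather than as strings."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def pad(version, length):
    """Right-pad a version tuple with zeros so 4.98 compares as 4.98.0."""
    return tuple(version) + (0,) * (length - len(version))


def option_value(bp_output):
    """Extract the value from 'name = value' as printed by 'exim -bP name'."""
    _, _, value = bp_output.partition("=")
    return value.strip()


def exim_status(bv_output, chunking_bp, tls_bp):
    """Classify an Exim host from 'exim -bV' output plus the printed values of
    chunking_advertise_hosts and tls_advertise_hosts. An empty host list means
    the extension is not advertised; '*' means it is offered to every client."""
    version = pad(parse_version(bv_output), 3)
    if version >= EXIM_FIXED:
        return "patched"
    if version < EXIM_FIRST_AFFECTED:
        return "outside stated affected range"
    mitigations = []
    if option_value(chunking_bp) == "":
        mitigations.append("CHUNKING not advertised")
    tls_hosts = option_value(tls_bp)
    if tls_hosts == "":
        mitigations.append("STARTTLS not advertised")
    elif tls_hosts != "*":
        mitigations.append("STARTTLS restricted to " + tls_hosts)
    if mitigations:
        return "affected version, mitigated: " + ", ".join(mitigations)
    return "vulnerable: affected version, CHUNKING and STARTTLS advertised"


def sharepoint_se_status(build_text):
    """Compare a Subscription Edition build number against the fixed build."""
    build = pad(parse_version(build_text), 4)
    return "patched" if build >= SP_SE_FIXED_BUILD else "affected"


if __name__ == "__main__":
    # Constructed sample output for a host that still advertises both extensions.
    print(exim_status("Exim version 4.98 #2 built 10-Mar-2026 09:12:00",
                      "chunking_advertise_hosts = *",
                      "tls_advertise_hosts = *"))
    print(sharepoint_se_status("16.0.18526.20424"))
```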

MSSQL - May2026 (CVE-2026-40370)

What Is the Microsoft SQL Server RCE Vulnerability?

CVE-2026-40370 is a High-severity Remote Code Execution (RCE) and Privilege Escalation vulnerability affecting multiple versions of Microsoft SQL Server. Publicly disclosed on May 12, 2026, during Microsoft's Patch Tuesday release, the vulnerability carries a CVSS score of 8.8 and an EPSS score of 0.07%.

The flaw originates from External Control of File Name or Path (CWE-73): the server does not properly validate file names or paths supplied by users. In SQL Server, certain functions and stored procedures interact directly with the underlying filesystem. When an authenticated user submits a specially crafted network request in which the file path is under the user's control, the server fails to restrict the operation to authorized directories. Instead of processing a standard data operation, the server interprets the manipulated path as a command to be executed. Because the SQL Server service frequently runs with high system-level permissions, the injected code executes with those same privileges. This allows a standard, authenticated user to bypass Role-Based Access Control (RBAC) and elevate their access to a sysadmin role.

Currently, there is no public Proof-of-Concept (PoC) available, and researchers have not detected active exploitation in the wild or linked the flaw to specific threat actor campaigns. Consequently, CVE-2026-40370 has not been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, and CISA has not issued a standalone advisory regarding the issue.

Why Should TPRM Professionals Care About the MSSQL Vulnerability?

Microsoft SQL Server acts as the foundational data repository for many enterprise applications, storing an organization's most critical assets. From a third-party risk management perspective, a vendor operating a vulnerable SQL Server instance presents a severe data breach risk.

Because this vulnerability allows a low-privileged authenticated user to execute code and achieve sysadmin rights, an attacker only needs to compromise a basic application account to completely hijack the database server. Once elevated, the threat actor can exfiltrate entire databases—exposing your shared proprietary data, financial records, or customer information. Furthermore, attackers can alter critical business transactions or use the SQL server's system-level permissions to deploy ransomware deeper into the vendor's network.

What Questions Should TPRM Professionals Ask Vendors About the MSSQL Vulnerability?

To accurately determine how your third-party partners are securing their database infrastructure against this privilege escalation and RCE flaw, consider asking the following technical questions:

  1. Have you applied the General Distribution Release (GDR) and Cumulative Update (CU) patches provided by Microsoft for the affected versions of SQL Server to mitigate the risk of CVE-2026-40370?
  2. Can you confirm if you have audited permissions and ensured that all authenticated users with "Low" privileges do not have unauthorized access to the SQL instance, as a measure to prevent privilege escalation related to CVE-2026-40370?
  3. Are you using EDR or Windows Event Logs (Event ID 4688) to monitor for unusual process creation originating from the sqlservr.exe process, as recommended in the advisory for CVE-2026-40370?
  4. Have you ensured that SQL Server instances running on Azure VMs are also patched manually or via Microsoft Update, as they are equally vulnerable to the CVE-2026-40370 vulnerability?

Remediation Recommendations for Vendors Subject to This Risk

To eliminate the threat of privilege escalation and remote code execution, vendors should rapidly implement the following recommendations:

  • Identify Current Version: Determine the exact SQL Server version and update level (GDR or CU) using Microsoft KB321185 or by running the SELECT @@VERSION command.
  • Apply Immediate Security Updates: Download and install the corresponding security updates from the Microsoft Download Center or Windows Update. Affected versions include SQL Server 2025 (RTM and CU4), 2022 (RTM and CU24), 2019 (RTM and CU32), 2017 (RTM and CU31), and 2016 (SP3 and Azure Connect Feature Pack). If the system is on a CU path, the CU security update must be applied.
  • Audit Permissions: Review the access rights of all authenticated users with low privileges. Ensure strict adherence to the principle of least privilege and eliminate any unauthorized access to the database instance.
  • Monitor Service Account Activity: Use EDR tools or monitor Windows Event Logs (Event ID 4688) for unusual or unexpected process creation originating from the sqlservr.exe service.
  • Secure Azure IaaS Instances: Ensure that any SQL Server instances running on Azure VMs are equally protected by applying patches manually or through Microsoft Update, as they carry the exact same vulnerabilities as on-premises deployments.

Black Kite's MSSQL - May2026 FocusTag® details critical insights on the event for TPRM professionals.
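As an added example of the Event ID 4688 monitoring recommended above (not the advisory's or Black Kite's code), the Python below scans constructed JSON-lines records that carry the 4688 fields NewProcessName and ParentProcessName and flags any process whose creator is sqlservr.exe. The high-interest child list and the flat record layout are assumptions; real exports nest these fields under event data, so adapt the field access to your collector.

```python
"""Detection sketch for the MSSQL May2026 monitoring recommendation: flag
Security event 4688 (process creation) records whose creator process is
sqlservr.exe. Records are constructed JSON lines carrying the 4688 field
names the post cites; real exports nest them under event data."""
import json
import ntpath

SQL_SERVICE_BINARY = "sqlservr.exe"
# Assumed baseline: children the database engine has little legitimate
# reason to spawn. Tune per environment.
HIGH_INTEREST = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "certutil.exe", "rundll32.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def analyze_4688(record, allowlist=frozenset()):
    """Return a finding for a 4688 record spawned by sqlservr.exe, else None.
    EventID may arrive as int or string depending on the export tool."""
    if str(record.get("EventID", "")) != "4688":
        return None
    if basename(record.get("ParentProcessName", "")) != SQL_SERVICE_BINARY:
        return None
    child = basename(record.get("NewProcessName", ""))
    if child in allowlist:
        return None
    return {
        "severity": "high" if child in HIGH_INTEREST else "medium",
        "child": child,
        "user": record.get("SubjectUserName", ""),
        "command_line": record.get("CommandLine", ""),
    }


def scan_log(lines, allowlist=frozenset()):
    """Parse JSON lines, skip blank or malformed ones, collect findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated export line must not abort the whole scan
        finding = analyze_4688(record, allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: two sqlservr.exe children, one unrelated 4688, one
# non-4688 event and one corrupted (truncated) line.
SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"EventID": 4688, "SubjectUserName": "MSSQLSERVER$", "ParentProcessName": SQLSERVR,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": "4688", "SubjectUserName": "MSSQLSERVER$", "ParentProcessName": SQLSERVR,
     "NewProcessName": "C:\\Program Files\\Microsoft SQL Server\\160\\Shared\\SQLDumper.exe"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4624, "SubjectUserName": "alice"},
]) + '\n{"EventID": 4688, "ParentProcessName": "C:\\\\Program'


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```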

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite published the Dead.Letter, SharePoint - May2026, and MSSQL - May2026 FocusTags®, empowering security teams to rapidly pinpoint vendors running vulnerable versions of Exim, SharePoint, and Microsoft SQL Server.

Instead of broadcasting generic questionnaires across an entire supply chain, TPRM professionals can operationalize these tags to execute highly targeted outreach. A significant differentiator of Black Kite’s platform is its capability to provide specific asset information—such as the exact IP addresses and subdomains exposing the vulnerable instances. Equipped with this high-confidence technical evidence, TPRM teams can present actionable data directly to their vendors, ensuring rapid prioritization and patching before public exploits become actively weaponized in the wild.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

Managing third-party risk across complex enterprise environments—especially when confronted with high-severity RCE and privilege escalation flaws in foundational systems like Exim, SharePoint, and MSSQL—requires precision and speed. Relying on traditional, manual vendor outreach during a critical disclosure or major Patch Tuesday release is too slow and frequently contributes to widespread questionnaire fatigue across your vendor ecosystem.

Black Kite’s FocusTags® completely transform how TPRM teams handle these high-profile incidents by delivering actionable, highly specific intelligence exactly when it is needed. Here is how FocusTags® elevate and streamline your third-party risk strategy:

  • Immediate Scope Reduction: Instantly identify which specific vendors in your ecosystem are genuinely exposed to emerging vulnerabilities, allowing your team to bypass unaffected partners and eliminate unnecessary outreach.
  • Actionable Technical Evidence: Move beyond generic security alerts. FocusTags® provide the exact IP addresses, subdomains, and asset details of the vulnerable systems hosted by your vendors, giving you concrete, indisputable data to drive the conversation.
  • Accelerated Remediation: Armed with specific asset intelligence, TPRM teams can initiate highly targeted, technical discussions with affected vendors. This focused approach dramatically shrinks the window of exposure before threat actors can exploit the flaws.
  • Proactive Posture Management: Continuously monitor your supply chain's exposure to both unpatched zero-day threats and known CVEs, ensuring your broader cybersecurity strategy adapts instantly to the rapidly shifting threat landscape.

By transforming raw cyber threat data into precise, actionable intelligence, Black Kite's FocusTags® provide TPRM professionals with the exact tools needed to efficiently and effectively secure the digital supply chain against today's most sophisticated attacks.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • Dead.Letter : CVE-2026-45185, Critical Remote Code Execution, Use-After-Free, Memory Corruption, and Improper Input Validation Vulnerabilities in Exim Mail Server.
  • SharePoint - May2026 : CVE-2026-35439, CVE-2026-33110, CVE-2026-33112, CVE-2026-40357, CVE-2026-40365, CVE-2026-40368, High-Severity Remote Code Execution Vulnerabilities in Microsoft SharePoint.
  • MSSQL - May2026 : CVE-2026-40370, High-Severity Remote Code Execution and Privilege Escalation Vulnerability in Microsoft SQL Server.
  • cPanel & WHM : CVE-2026-41940, Critical Authentication Bypass Vulnerability in cPanel & WHM.
  • Redis - May2026 : CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23479, CVE-2026-23631, High-Severity Invalid Memory Access and Use-After-Free Vulnerabilities in Redis.
  • Ivanti EPMM - May2026 : CVE-2026-6973, CVE-2026-7821, Improper Input Validation, Remote Code Execution, Improper Certificate Validation, Authentication Bypass, Information Disclosure, and Data Integrity Failure Vulnerabilities in Ivanti EPMM.
  • Ollama : CVE-2026-5757, Critical Information Disclosure, Out-of-Bounds Read, and Memory Corruption Vulnerabilities in Ollama.
  • Langflow - Apr2026 : CVE-2026-42048, Critical Path Traversal Vulnerability in Langflow.
  • SonicWall SonicOS - Apr2026 : CVE-2026-0204, CVE-2026-0205, CVE-2026-0206, High-Severity Improper Access Control, Path Traversal, and Stack-Based Buffer Overflow Vulnerabilities in SonicWall SonicOS.
  • n8n - Apr2026 : CVE-2026-42231, CVE-2026-42232, Critical Prototype Pollution Vulnerabilities in n8n.
  • ActiveMQ - Apr2026 : CVE-2026-34197, High-Severity Code Injection Vulnerability in ActiveMQ.
  • Zimbra - Apr2026 : CVE-2025-48700, Critical Cross-Site Scripting (XSS) Vulnerability in Zimbra.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied FocusTag® at https://blackkite.com/cve-database/.

References

https://www.openwall.com/lists/oss-security/2026/05/12/25

https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

https://www.cve.org/CVERecord?id=CVE-2026-45185

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35439

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33112

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40357

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40368

https://nvd.nist.gov/vuln/detail/CVE-2026-35439

https://nvd.nist.gov/vuln/detail/CVE-2026-33110

https://nvd.nist.gov/vuln/detail/CVE-2026-33112

https://nvd.nist.gov/vuln/detail/CVE-2026-40357

https://nvd.nist.gov/vuln/detail/CVE-2026-40365

https://nvd.nist.gov/vuln/detail/CVE-2026-40368

https://nvd.nist.gov/vuln/detail/CVE-2026-40370

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2026-40370