Security

SharePoint Server 2019 Post-EOS Security Risk Assessment

The quantified security and compliance risk model for running SharePoint Server 2019 past the July 14, 2026 end-of-support deadline — defensible numbers for CFO and CISO sign-off.

SharePoint Support TeamApril 21, 202612 min read
SharePoint Server 2019 Post-EOS Security Risk Assessment - Security guide by SharePoint Support
SharePoint Server 2019 Post-EOS Security Risk Assessment - Expert Security guidance from SharePoint Support

Why This Assessment Exists

The executive decision on SharePoint Server 2019 migration cannot be made on feelings. It needs quantified risk numbers that CFOs, CISOs, audit committees, and insurance brokers can act on. This assessment gives you that model.

SharePoint migration process workflow from planning to go-live
Step-by-step SharePoint migration workflow

It sits underneath the July 14, 2026 end-of-support pillar decision guide and complements the migration checklist and migration gotchas reference.

The Four Risk Categories

Post-end-of-support risk for SharePoint Server 2019 breaks into four distinct categories, each with different measurement frameworks and different stakeholders:

  • Technical vulnerability risk — CVEs, exploits, and attack-surface exposure. Owned by CISO.
  • Compliance and audit risk — HIPAA, SOC 2, PCI, FedRAMP, NIST, CMMC findings. Owned by Chief Compliance Officer or GRC.
  • Financial and insurance risk — Cyber insurance erosion, breach loss expectancy. Owned by CFO and Risk Management.
  • Operational risk — Unsupported ticketing, ISV compatibility drift, talent shortage. Owned by CIO and Infrastructure.

The mistake most organizations make is focusing on one category and missing the cumulative effect.

Category 1 — Technical Vulnerability Risk

CVE Frequency Baseline

Over the last five years (2021 to 2025), SharePoint Server published CVEs averaged:

  • 14 to 22 CVEs per year affecting SharePoint Server 2016/2019
  • 3 to 7 of those rated Critical (CVSS 9.0+)
  • 5 to 9 rated High (CVSS 7.0 to 8.9)
  • At least 2 per year with working exploit code published within 30 days of disclosure

Projecting forward: the first year post-EOS (July 15, 2026 to July 14, 2027) should be expected to produce 14 to 22 unpatched vulnerabilities in your environment. These accumulate — there is no future patch.

The ToolShell Precedent

The ToolShell SharePoint vulnerability chain (disclosed July 2025) is the clearest recent precedent. It affected SharePoint 2016, 2019, and Subscription Edition. The characteristics that matter for your risk model:

  • Disclosed publicly with working exploit code.
  • Exploited in the wild within 72 hours of disclosure.
  • Targeted by multiple nation-state and criminal groups simultaneously.
  • Enabled authenticated remote code execution on SharePoint farm servers.

Microsoft patched all supported versions within days. After July 14, 2026, the equivalent future disclosure in SharePoint 2019 will not be patched — ever.

Attack Surface Characterization

SharePoint 2019 farms are attractive targets because they tend to:

  • Host high-value content (contracts, HR records, financial reports, PHI, IP).
  • Be reachable from the intranet and often from the internet via reverse proxy.
  • Integrate with Active Directory, exposing AD credentials and Kerberos delegation paths.
  • Run with high-privilege service accounts that give post-exploitation access to SQL Server content databases.

The combination — high-value content, large privilege footprint, and known-unpatched — is the template for a ransomware or data-extortion attacker's ideal target.

Category 2 — Compliance and Audit Risk

HIPAA

45 CFR 164.308(a)(1)(ii)(A) — Risk Analysis. Covered entities must conduct accurate and thorough assessment of risks to ePHI. An unpatched production system is a known risk that cannot be treated.

45 CFR 164.308(a)(5)(ii)(B) — Protection from Malicious Software. Requires procedures to guard against and detect malicious software, which is not satisfiable when no patches exist.

OCR enforcement precedent: in settlement cases where unsupported software contributed to a breach, OCR has imposed six and seven-figure resolution agreements plus multi-year corrective action plans.

SOC 2

Common Criteria CC7.1 — The entity uses detection and monitoring procedures to identify changes to configurations and vulnerabilities. Unpatchable CVEs are undetectable changes to exploitable state from the defender's perspective.

Common Criteria CC7.2 — The entity monitors system components for anomalies indicative of malicious acts or known vulnerabilities. Vendors do not monitor unsupported versions.

A SOC 2 Type II auditor has no clean path to issuing an unqualified opinion when a production system in scope is unsupported. The report becomes qualified, which is a material disclosure to existing enterprise customers.

PCI DSS 4.0

Requirement 6.3.3 — Address all applicable vulnerabilities within 30 days (critical) or 90 days (high). Impossible when no vendor patch exists. Requirement 6.2.4 — Bespoke and custom software reviewed per vendor support lifecycle. An unsupported platform fails the requirement directly.

FedRAMP Moderate and High

Control SI-2 (Flaw Remediation) requires identifying, reporting, and correcting information system flaws. No vendor patch pipeline equals no SI-2 compliance. FedRAMP customers typically require migration or decommissioning within 60 days of vendor EOS.

NIST 800-171 and CMMC Level 2

3.14.1 — Identify, report, and correct system flaws in a timely manner.

3.14.2 — Provide protection from malicious code at designated locations.

3.11.2 — Scan for vulnerabilities in systems and applications periodically.

All three fail when the platform is unsupported. CMMC assessments will cite these directly.

Category 3 — Financial and Insurance Risk

Annual Loss Expectancy Model

Single-loss expectancy (SLE) for a SharePoint-originated breach, by organization size:

  • 500 seats: likely data classes — HR records, contracts, financials. SLE range 500,000 to 3,500,000 USD.
  • 2,000 seats: the above plus client/customer data. SLE range 1,500,000 to 8,000,000 USD.
  • 10,000 seats: the above plus regulated data (PHI, PCI, ITAR). SLE range 4,000,000 to 35,000,000 USD.

Annualized rate of occurrence (ARO) for an unsupported system with high-value content: 0.10 to 0.25 per year in the first year post-EOS.

ALE (Annual Loss Expectancy) equals SLE multiplied by ARO.

For a 2,000-seat enterprise: 150,000 to 2,000,000 USD per year in expected loss — compared to a one-time migration cost in the 310,000 to 625,000 range for the same organization.

Cyber Insurance Erosion

Major carriers updated underwriting between 2023 and 2025:

  • Questionnaires now specifically ask about unsupported operating systems and applications.
  • Several carriers carry exclusions that deny claims where the initial access vector was unsupported.
  • Some policies apply a separate higher deductible (typically 2x to 3x the standard deductible) for unsupported-system incidents.
  • Renewal premiums increase 15 to 40 percent for organizations disclosing unsupported production systems.

For a 2,000-seat enterprise carrying a 5M USD cyber policy, renewal in 2027 (post-EOS) could mean: 50,000 to 150,000 USD premium increase annually, plus a 500,000 to 1,000,000 USD higher deductible tier, plus risk that a major claim is denied.

Emergency Migration Premium

Organizations forced into post-deadline emergency migration (by an audit finding, customer contract clause, or near-miss incident) pay a 25 to 40 percent premium over a planned migration, plus:

  • Partner capacity cost (senior consultants at rush rates)
  • Compressed user impact (less change management, more disruption)
  • Reduced negotiating leverage on tooling licenses
  • Higher error rate and longer hypercare

Category 4 — Operational Risk

Microsoft Support Cliff

After July 14, 2026, Microsoft Premier and Unified support cannot open break-fix tickets against SharePoint 2019. Historical Premier escalations for SharePoint 2019 have resolved an average of 32 percent of critical incidents within 8 hours — that path disappears.

ISV Compatibility Drift

ShareGate, AvePoint, Quest, Nintex, K2, DocuSign, Colligo, and other ISVs maintain compatibility with supported platforms. Expect public end-of-support announcements for SP2019 connectors from major ISVs within 6 to 12 months of July 14, 2026. This cascades into lost functionality in downstream workflows.

Talent Scarcity

The population of consultants and internal admins with deep SharePoint 2019 expertise is actively shrinking. New SharePoint engineers train on SharePoint Online and SE, not 2019. Replacement cost for a SharePoint 2019 administrator rises steadily from 2026 onward.

The Decision Framework

Present the risk to executive leadership as a three-scenario comparison.

Scenario A — Timely Migration

Migrate before July 14, 2026. One-time cost. No ongoing risk exposure. Insurance and compliance posture preserved.

Scenario B — Run Unsupported for One Year

Continue on SP2019 past July 14, 2026. Annual cost equals ALE (150k to 2M for 2,000 seats) plus insurance premium increase plus audit-finding remediation cost plus eventual forced migration.

Scenario C — Emergency Migration Post-Incident

Do nothing until an audit finding or near-miss incident forces the issue. Cost equals 125 to 140 percent of planned migration plus disruption cost plus reputation cost plus potential breach cost if the forcing event was a real incident.

Scenario A is the economic decision in virtually every case.

Quantifying the Risk for Board-Level Audiences

Board audit committees and risk committees respond best to quantified risk in dollar terms, not technical framing. Translate the model above into three board-ready metrics:

Metric 1 — Annual Loss Expectancy (ALE) in millions of USD. A single number. For a 2,000-seat enterprise running unsupported SharePoint: approximately 0.4 to 2.0 million USD ALE annually in the first year post-EOS. Present alongside the fixed migration cost (0.31 to 0.63 million USD) to show payback period of well under twelve months.

Metric 2 — Cyber Insurance Renewal Exposure. Present as two numbers: incremental premium increase (50 to 150k per year on a 5M policy), and incremental deductible exposure (500k to 1M higher self-insured retention on an unsupported-software claim). Boards understand insurance math intuitively.

Metric 3 — Audit Finding Count. Translate every failing compliance control into a projected audit finding count on the next SOC 2 Type II, HIPAA, or regulatory audit. A board member who has sat through a qualified audit opinion understands what this means without further explanation.

Presenting these three metrics on a single slide, alongside the migration investment and timeline, produces the cleanest board approval path we have seen.

Frequently Asked Questions

What is the first-year CVE exposure for an unsupported SharePoint 2019 farm?

Based on five-year averages, SharePoint receives 14 to 22 published CVEs per year, 3 to 7 rated Critical. First-year post-EOS exposure is the full distribution with no vendor patches.

How do I calculate the dollar-value risk of running unsupported SharePoint?

ALE equals probability of breach multiplied by expected loss. Defaults for unsupported SharePoint: 10 to 25 percent annual probability, 1 to 12 million USD expected loss.

Will my cyber insurance pay out after a breach of an unsupported server?

Increasingly no. Major carriers updated underwriting 2023 to 2025 to ask about unsupported software.

Does running SharePoint 2019 behind a WAF mitigate the risk?

It helps but does not eliminate risk. Auditors and insurers generally do not accept WAF as a substitute for vendor patching.

What does HIPAA enforcement look like for unsupported SharePoint?

OCR cites unsupported software as a Risk Analysis control failure under 45 CFR 164.308(a)(1).

How should I present the risk to the CFO and CISO?

Three-column comparison: timely migration cost, one-year unsupported cost, emergency-migration cost. Timely migration is the economic choice.

Is there any defensible reason to stay on SP2019 past July 14, 2026?

One: air-gapped, non-internet-connected environments. Even here, SharePoint Server Subscription Edition is the recommended path.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

What is the first-year CVE exposure for an unsupported SharePoint 2019 farm?
Based on the five-year rolling average, SharePoint Server receives 14 to 22 published CVEs per year with 3 to 7 of those rated Critical. First-year post-EOS exposure is effectively the full distribution, with no vendor patch pipeline. The ToolShell vulnerability chain (disclosed July 2025) had working exploits in the wild within 72 hours of disclosure.
How do I calculate the dollar-value risk of running unsupported SharePoint?
Annual Loss Expectancy equals probability of breach multiplied by expected loss. Reasonable defaults for an unsupported SharePoint farm: 10 to 25 percent annual probability of exploitation, and 1 to 12 million USD expected loss per event depending on data sensitivity and firm size.
Will my cyber insurance pay out after a breach of an unsupported server?
Increasingly no. Most major carriers updated their underwriting questionnaire between 2023 and 2025 to ask about unsupported software. Several carriers now include exclusions that deny claims where the initial access vector was an unsupported system.
Does running SharePoint 2019 behind a WAF or reverse proxy mitigate the risk?
It helps but does not eliminate risk. A properly configured WAF can block many generic exploit attempts, but SharePoint-specific exploits are often custom, authenticated, or use legitimate SharePoint APIs in abuse patterns that WAFs struggle to detect. Auditors and insurers generally do not accept WAF as a substitute for vendor patching.
What does HIPAA enforcement actually look like for unsupported SharePoint?
HHS Office for Civil Rights (OCR) cites unsupported software as a Risk Analysis and Risk Management control failure under 45 CFR 164.308(a)(1). Settlement cases where unsupported software contributed to a breach have triggered six and seven-figure resolution agreements plus multi-year corrective action plans.
How should I present the risk to the CFO and CISO?
Present it as a three-column comparison: cost of timely migration before July 14, 2026; cost of running unsupported for one year (ALE plus compliance remediation plus insurance erosion); cost of a post-deadline emergency migration forced by an audit finding or breach. The timely-migration option is universally the economic choice.
Is there any defensible reason to stay on SP2019 past July 14, 2026?
One legitimate scenario: an air-gapped, non-internet-connected environment where the attack surface is physically constrained and compensating controls are auditable. Even here, the recommended path is SharePoint Server Subscription Edition on the same air-gapped infrastructure, not staying on SP2019.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.