SharePoint Server CVE-2026-45659 RCE (CVSS 8.8)
Microsoft has released an out-of-band patch addressing CVE-2026-45659, a critical remote code execution (RCE) vulnerability affecting SharePoint Server. This flaw, stemming from the deserialization of untrusted data, carries a CVSS score of 8.8, indicating high severity and potential for significant impact.
An authenticated attacker, requiring only minimal privileges such as Site Member permissions, can exploit CVE-2026-45659 remotely. Although Microsoft initially described exploitation as "less likely," the company's decision to issue an immediate, out-of-band patch outside of its regular Patch Tuesday cycle confirms the perceived significant risk associated with this vulnerability.
As of the current reporting, no public exploit code has surfaced, nor has there been any indication of in-the-wild exploitation. However, the history of SharePoint Server as a high-value target for cyber adversaries, coupled with the rapid development of proof-of-concept (PoC) exploits for similar disclosures, requires immediate attention to patching by affected organizations.
What is CVE-2026-45659 and why is it critical?
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server that carries a CVSS score of 8.8. This vulnerability is classified as critical due to its potential to allow an authenticated attacker to execute arbitrary code on the affected server. The flaw specifically involves the deserialization of untrusted data, a well-documented vulnerability class. When an application deserializes data without proper validation, it can be tricked into interpreting malicious input as executable code or commands, leading to full compromise of the server.
The criticality of CVE-2026-45659 is amplified by several factors despite Microsoft's initial assessment of "less likely to exploit." These include low attack complexity, a lack of user interaction required for successful exploitation, and the minimal privileges (Site Member permissions) needed by an attacker. The combination of these attributes significantly lowers the barrier for a potential attacker. Microsoft's proactive release of an out-of-band patch, rather than waiting for scheduled updates, further shows the urgency and severity the vendor attributes to this vulnerability. For a review of similar critical SharePoint vulnerabilities, refer to our prior analysis of a critical RCE vulnerability in Microsoft SharePoint Server.
Impact of CVE-2026-45659
A successful exploitation of CVE-2026-45659 could have a high impact on the confidentiality, integrity, and availability of the affected SharePoint Server system. An authenticated attacker who achieves remote code execution can potentially gain full control over the server. This level of compromise enables various malicious activities, ranging from data exfiltration to the deployment of further malicious payloads. The confidentiality of sensitive documents, project data, employee records, and intellectual property stored within SharePoint environments could be severely compromised. The integrity of these same data sets and the server's operational state could be altered or corrupted, while availability could be disrupted through denial-of-service or ransomware attacks.
SharePoint Server installations, particularly on-premises deployments, represent high-value targets for cyber adversaries. These platforms frequently serve as central repositories for vast amounts of critical enterprise data, making them attractive for both intellectual property theft and financial extortion. The extensive integration of SharePoint with other crucial Microsoft services, such as Active Directory, Teams, and Outlook, means a successful breach often provides a strategic beachhead for lateral movement across an entire enterprise network. This expands the potential blast radius of an exploit far beyond the initial SharePoint Server. Our prior insights into a SharePoint zero-day vulnerability and critical mitigation steps further illustrate the persistent threats surrounding this product.
Historically, SharePoint vulnerabilities have been actively exploited by sophisticated threat actors. China-linked groups, including Linen Typhoon and Violet Typhoon, have used SharePoint flaws for intellectual property theft, showing the strategic value of compromised SharePoint environments. Ransomware operators, such as Storm-2603, have also exploited these vulnerabilities to deploy extortion campaigns, demonstrating the direct financial motivations behind such attacks. In July 2025, a critical zero-day vulnerability chain, dubbed ToolShell, was actively exploited against on-premises SharePoint deployments. These attacks targeted various sectors, including government agencies, universities, corporations, and even the US Nuclear Weapons Agency, emphasizing the severe real-world implications of SharePoint vulnerabilities. APT groups and financially motivated cybercriminals consistently target on-premises Microsoft SharePoint environments. This is largely due to the challenges organizations face in maintaining fully patched, properly configured, and consistently monitored systems. Legacy integrations, outdated software, and excessive privileges often present exploitable security gaps. For additional context on another critical SharePoint vulnerability, consider reviewing our post on CVE-2026-32201, a SharePoint spoofing vulnerability that also required urgent patching.
Exploitation Chain of CVE-2026-45659
The exploitation chain for CVE-2026-45659 begins with an authenticated attacker possessing a minimum of Site Member permissions on the target SharePoint Server. This initial authentication requirement differentiates it from unauthenticated vulnerabilities but does not make it significantly more difficult for a determined attacker, given that internal or compromised credentials can satisfy this precondition. The attack vector is network-based, implying that the vulnerability can be triggered over the network without direct physical access to the server.
The core of the vulnerability lies in the deserialization of untrusted data within Microsoft Office SharePoint. Deserialization is the process of converting a stream of bytes back into an object in memory. Insecure deserialization occurs when an application deserializes data from an untrusted source without verifying its integrity or authenticity. An attacker can craft a malicious serialized data payload that, when processed by the vulnerable SharePoint component, leads to arbitrary code execution. This malicious payload effectively "tricks" Microsoft SharePoint into executing code that the attacker specifies, enabling them to remotely run commands on the underlying server.
Microsoft has characterized the attack complexity as low. This assessment indicates that an attacker does not require extensive prior knowledge of the system's intricate workings or highly specialized skills to devise an effective exploit. The vulnerability does not require user interaction, meaning a user does not need to click a malicious link, open a file, or perform any specific action for the exploit to succeed once the malicious payload is delivered to the vulnerable component. The low privileges required also contribute to easier exploitation, as an attacker does not need to escalate privileges to administrative levels to initiate the attack. These factors allow for repeatable success with the payload against the vulnerable component. This makes CVE-2026-45659 a significant threat despite the lack of public exploitation reports to date. The bug's discovery is attributed to a security researcher operating under the name MEOW.
Which products are affected by CVE-2026-45659?
CVE-2026-45659 specifically affects Microsoft SharePoint Server. The research findings indicate that the vulnerability is present in general "SharePoint Server" environments, with particular emphasis on "on-premises SharePoint deployments."
The provided research does not specify particular version numbers or cumulative updates that are affected by CVE-2026-45659. Organizations should refer to the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to identify the exact product versions and updates that mitigate this vulnerability. The broad mention of SharePoint Server implies that multiple versions or configurations of the on-premises product could be at risk.
Detection for CVE-2026-45659
The research findings do not provide specific detection guidance such as log signatures, Indicators of Compromise (IOCs), EDR queries, or network indicators tailored to CVE-2026-45659. Due to the nature of remote code execution vulnerabilities, detection typically relies on monitoring for anomalous process creation, unusual network connections originating from the SharePoint Server, or suspicious file modifications.
Organizations should implement full logging and monitoring solutions for their SharePoint Server environments. This includes:
- System and Application Event Logs: Scrutinize SharePoint ULS logs, Windows Event Logs (System, Security, Application, and particularly PowerShell operational logs if PowerShell is used in exploits) for error messages, unexpected process creations, or unusual activity originating from the SharePoint service accounts.
- Network Traffic Analysis: Monitor network traffic to and from SharePoint Server for unusual protocols, connections to unknown external IP addresses, or large data transfers that could indicate data exfiltration.
- Endpoint Detection and Response (EDR) Systems: EDR solutions can help detect post-exploitation activities, such as suspicious command execution, unauthorized file access, or attempts at privilege escalation that might occur after successful RCE.
- File Integrity Monitoring (FIM): Implement FIM on critical SharePoint directories and configuration files to detect unauthorized changes that could indicate compromise.
While direct IOCs are not available from the provided research, maintaining strong security monitoring practices on SharePoint Server instances is crucial for identifying potential exploitation attempts or post-exploitation activities related to CVE-2026-45659 or similar threats.
Remediation for CVE-2026-45659
The primary and most critical remediation step for CVE-2026-45659 is the immediate application of the patch provided by Microsoft.
- Apply Microsoft's Out-of-Band Patch: Organizations operating SharePoint Server deployments should promptly deploy the out-of-band patch issued by Microsoft for CVE-2026-45659. This patch is specifically designed to address the deserialization of untrusted data vulnerability and prevent remote code execution. Administrators should consult the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to obtain the correct security updates for their specific SharePoint Server versions and apply them without delay.
- Regular Patching and Update Management: Beyond this immediate patch, maintaining a consistent and timely patch management strategy for all SharePoint Server deployments is essential. This includes applying all subsequent monthly security updates to ensure continuous protection against newly discovered vulnerabilities.
- Security Configuration Review: Review and enforce least-privilege principles for all SharePoint user accounts and service accounts. Ensure that accounts, particularly those with Site Member permissions, are not over-privileged.
- Network Segmentation and Access Control: Isolate SharePoint Server instances within network segments to restrict unauthorized access. Implement strict network access controls to limit communication paths to and from the server to only those absolutely necessary for its function.
- Enhanced Monitoring: Implement and continuously review logs from SharePoint Server for any anomalous behavior. This includes monitoring for unexpected process executions, unusual network connections, or modifications to critical system files, which could indicate a successful exploit attempt or post-exploitation activity.
Technical Takeaways
- CVE-2026-45659 is a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server with a CVSS score of 8.8.
- The vulnerability is rooted in the insecure deserialization of untrusted data, enabling an authenticated attacker with Site Member permissions to execute arbitrary code remotely.
- Attack complexity for CVE-2026-45659 is low, requiring no user interaction and only minimal privileges, allowing repeatable exploitation against vulnerable components.
- Despite Microsoft's "less likely to exploit" assessment, an out-of-band patch was released, showing the vendor's perception of CVE-2026-45659 as a significant risk due to SharePoint's history as a high-value target for nation-state actors and ransomware groups.
- Immediate application of Microsoft's provided patch is the primary remediation; the research does not specify affected versions beyond general "SharePoint Server" or provide specific detection guidance.