Microsoft Patches High-Severity Remote Code Execution Vulnerability in SharePoint Server

Microsoft Patches High-Severity SharePoint RCE Vulnerability (CVE-2026-45659)

Severity: HIGH
Published: May 26, 2026
Categories: Vulnerability, Patch Management

Related Entities

CVE Identifiers: CVE-2026-45659 (HIGH, CVSS 8.8)


Executive Summary

Microsoft has issued security updates for a high-severity remote code execution (RCE) vulnerability, CVE-2026-45659, in Microsoft SharePoint Server. The vulnerability carries a CVSS 3.1 score of 8.8 and affects SharePoint Server Subscription Edition, 2019, and 2016. The flaw can be exploited by an authenticated attacker with minimal permissions (Site Member) to execute arbitrary code on the underlying server. Although Microsoft assesses exploitation as "less likely," the low attack complexity and the absence of any user-interaction requirement make this a significant risk. All organizations with on-premises SharePoint deployments are urged to apply the updates immediately.


Vulnerability Details

The root cause of CVE-2026-45659 is an insecure deserialization flaw. This class of vulnerability occurs when an application receives serialized data from an untrusted source and deserializes it without proper validation. An attacker can craft a malicious serialized object that, when processed by the SharePoint server, leads to the execution of arbitrary code in the context of the SharePoint application pool service account.

Key characteristics of the vulnerability include:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (Authenticated user with Site Member permissions)
  • User Interaction: None
  • Impact: Remote Code Execution

An attacker only needs to gain basic authenticated access to a SharePoint site to exploit this flaw. This makes it particularly dangerous, as credentials for low-privileged accounts are often easier to obtain through phishing or other means.
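The deserialization bug class described above, shown as an added example that is not SharePoint or Microsoft code and does not reproduce CVE-2026-45659. Python's pickle module stands in for whichever .NET serializer is involved, which the advisory does not identify. A client-supplied blob names a callable, the unpickler resolves and invokes it while loading, and a "gadget" function (harmless here, it only records a marker) runs before the application ever sees the object. The hardened loader overrides find_class to refuse every global lookup, so data-only payloads still load while any payload that needs a type or function resolved is rejected. The function and class names and the sample payloads are constructed for this example.

```python
"""Insecure deserialization, illustrated with Python's pickle module.

Added example: not SharePoint/Microsoft code and not CVE-2026-45659 itself.
It shows the generic bug class: a server restores an object graph from
client-supplied bytes, and the deserializer resolves and invokes whatever
callables those bytes name. The gadget here only appends a marker to a list,
so the effect is visible but harmless.
"""
import io
import pickle
from typing import List

EXECUTED: List[str] = []  # records that the gadget ran (stand-in for real damage)


def gadget(marker: str) -> str:
    """Harmless stand-in for the code an attacker would actually want to run."""
    EXECUTED.append(marker)
    return marker


class MaliciousObject:
    """Serializes as 'call gadget(...)' rather than as any real state.

    When the bytes are loaded, the unpickler calls gadget() before any
    application code can validate the result: the pickle form of a gadget chain.
    """

    def __reduce__(self):
        return (gadget, ("attacker-controlled code ran",))


def build_untrusted_blob() -> bytes:
    """What a client could send to the server (constructed for this example)."""
    return pickle.dumps(MaliciousObject())


def build_benign_blob() -> bytes:
    """A data-only payload: containers and scalars, no class or function names."""
    return pickle.dumps({"title": "Q3 report", "pages": 3})


def vulnerable_load(blob: bytes):
    """The bug: deserialize a client-supplied blob with no restriction."""
    return pickle.loads(blob)


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module-level name.

    dict/list/str/int/... are rebuilt purely from opcodes and never reach
    find_class, so data-only payloads load; anything that needs a class or
    function looked up is rejected before it can execute.
    """

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted input")


def hardened_load(blob: bytes):
    """Deserialize with a deny-all type resolver; raises on gadget payloads."""
    return _NoGlobalsUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True if the hardened loader refuses the blob."""
    try:
        hardened_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = build_untrusted_blob()
    print("vulnerable loader returned:", vulnerable_load(blob), "| EXECUTED =", EXECUTED)
    print("hardened loader rejected gadget payload:", is_rejected(blob))
    print("hardened loader on benign data:", hardened_load(build_benign_blob()))
```

The same discipline applies in .NET: never hand untrusted bytes to a serializer that resolves types named in the payload (BinaryFormatter is the canonical case, and Microsoft has deprecated it for exactly this reason). Prefer a data-only format such as JSON bound to an explicit schema, and treat type allowlisting as a last resort rather than the primary control.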

Affected Systems

The vulnerability impacts the following on-premises Microsoft SharePoint products:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

SharePoint Online is not affected by this vulnerability. Patches are available via the standard Microsoft update channels.

Exploitation Status

As of the time of disclosure, Microsoft has stated that it is not aware of any active exploitation in the wild and assesses that exploitation is "less likely." However, SharePoint servers are a perennially popular target for threat actors of all kinds, from nation-state groups to ransomware gangs. Given the low complexity and high impact, it is highly probable that security researchers and malicious actors will develop proof-of-concept (PoC) exploits. Organizations should operate under the assumption that exploitation will become likely in the near future.

Impact Assessment

Successful exploitation of CVE-2026-45659 would grant an attacker the ability to execute code on the SharePoint server. This could lead to a complete compromise of the server, allowing the attacker to:

  • Steal Sensitive Data: Access, modify, or exfiltrate all data stored within the SharePoint environment, including documents, intellectual property, and PII.
  • Lateral Movement: Use the compromised SharePoint server as a beachhead to move laterally within the corporate network.
  • Deploy Ransomware: Install ransomware to encrypt server data and data on connected network shares.
  • Establish Persistent Access: Install backdoors or other malware to maintain long-term access to the network.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Log Source: SharePoint ULS logs (context: application logs). Monitor for unexpected deserialization error messages or exceptions, which could indicate failed exploitation attempts.
  • Process Name: w3wp.exe (context: EDR / process monitoring). Monitor the SharePoint worker process for suspicious child processes (e.g., cmd.exe, powershell.exe), unusual network connections, or high CPU usage. Note that w3wp.exe hosts every IIS application pool on the server, not only SharePoint's, so scope the rule accordingly.
  • Log Source: Windows Event Logs (context: SIEM / Windows Security logs). Look for Event ID 4688 (Process Creation) events whose Creator Process Name is w3wp.exe and that are not part of normal SharePoint operations. These events are only generated if Audit Process Creation is enabled; also enable "Include command line in process creation events" so the command line is recorded.

Detection Methods

  • Vulnerability Scanning: Use a vulnerability scanner with updated plugins to identify unpatched SharePoint servers in your environment.
  • Version Checks: Manually verify that the latest cumulative updates and security updates have been applied to all SharePoint servers in the farm.
  • Log Analysis: Ingest SharePoint ULS logs and Windows Event Logs into a SIEM. Create rules to alert on suspicious activity originating from the SharePoint worker process (w3wp.exe), such as spawning command shells or making outbound connections to unknown IPs.

For detection, security teams can leverage D3FEND techniques like Process Analysis to monitor the behavior of the SharePoint worker process for anomalies.

Remediation Steps

  1. Patch Immediately: The primary remediation is to apply the security updates released by Microsoft for all affected SharePoint products. Prioritize internet-facing servers.
  2. Verify Installation: Installing the update binaries is not enough on its own. Run the SharePoint Products Configuration Wizard (psconfig) on each server so the farm upgrade completes, then confirm that the farm build number has changed, for example via Central Administration (Upgrade and Migration, then Check product and patch installation status) or with (Get-SPFarm).BuildVersion in the SharePoint Management Shell.
  3. Principle of Least Privilege: As a compensating control, review user permissions on SharePoint sites. Ensure that users only have the minimum level of access required for their roles. Limit the number of users with Site Member or higher permissions.
  4. Network Segmentation: Restrict administrative access to SharePoint servers to a limited number of management workstations. Do not expose SharePoint management interfaces to the internet.

Applying D3FEND hardening techniques like Software Update is the most effective countermeasure.

Timeline of Events

May 26, 2026: This article was published.

MITRE ATT&CK Mitigations

The most critical mitigation is to apply the security patches provided by Microsoft to all affected SharePoint servers.

Employing endpoint security solutions that can detect and block common exploit techniques, like those targeting deserialization, can provide an additional layer of defense.

Limiting the number of users with Site Member permissions reduces the attack surface, as an attacker would first need to compromise an account holding at least that level of access. Review group memberships as well as direct grants, including broad grants such as Authenticated Users, since those silently give every domain account Member rights.

D3FEND Defensive Countermeasures

The primary and most effective countermeasure against CVE-2026-45659 is to promptly apply the security updates released by Microsoft. Organizations must have a robust patch management program that can identify all affected SharePoint servers (Subscription Edition, 2019, 2016) within the environment and deploy the necessary updates in a timely manner. Priority should be given to internet-facing servers, as they are the most exposed. After patching, it is crucial to verify that the update was successfully installed across the entire SharePoint farm. Delaying this action leaves the organization vulnerable to remote code execution, which could lead to a full compromise of sensitive corporate data stored in SharePoint.

In addition to patching, security teams should implement process analysis focused on the SharePoint worker process, w3wp.exe. An EDR solution or advanced SIEM logging should be configured to monitor this process for anomalous behavior. Specifically, create alerts for any instance where w3wp.exe spawns suspicious child processes, such as cmd.exe, powershell.exe, cscript.exe, or any other unexpected executable. Successful exploitation of this RCE vulnerability would likely result in such a process tree. By baselining normal SharePoint activity and alerting on these deviations, security teams can create a valuable detection mechanism for exploitation attempts, both for this specific CVE and for future web application vulnerabilities.
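The w3wp.exe process-creation hunt described in the Hunting Hints, in Detection Methods and in the paragraph above, as an added example rather than code from the advisory: the logic runs over constructed Event ID 4688 records shaped like what a SIEM ingests from the Windows Security log. The field names (EventID, Computer, NewProcessName, ParentProcessName, CommandLine) are the real 4688 data names; the hostnames, paths, command lines, the suspicious-child list and the one-entry baseline are assumptions made for this example.

```python
"""Hunt for the SharePoint worker process (w3wp.exe) spawning unexpected children.

Added example, not code from the advisory or from Microsoft. Runs the Event ID
4688 logic over constructed sample events. Field names match the 4688 event
data; hosts, paths, command lines and the baseline are made up for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Children whose appearance under w3wp.exe should page someone immediately.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children a SharePoint farm legitimately spawns. ASSUMPTION for this example:
# only csc.exe (ASP.NET on-demand compilation). Baseline your own farm first.
BASELINE_CHILDREN = {"csc.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" for a known shell/LOLBin, "medium" for anything unbaselined
    host: str
    child: str
    command_line: str
    reason: str


def _basename(path: Optional[str]) -> str:
    """Lower-cased file name from a Windows path, so casing and directory do not matter."""
    return ntpath.basename(path or "").lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if this 4688 event is w3wp.exe spawning a non-baseline child."""
    if str(event.get("EventID")) != "4688":
        return None
    if _basename(event.get("ParentProcessName")) != "w3wp.exe":
        return None
    child = _basename(event.get("NewProcessName"))
    if child in BASELINE_CHILDREN:
        return None
    if child in SUSPICIOUS_CHILDREN:
        severity, reason = "high", f"w3wp.exe spawned shell/LOLBin {child}"
    else:
        severity, reason = "medium", f"w3wp.exe spawned child outside baseline: {child}"
    return Finding(severity, event.get("Computer", "?"), child,
                   event.get("CommandLine", ""), reason)


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the hits."""
    return [f for f in map(classify, events) if f is not None]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "SP-WFE01", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @App_Web_demo.cmdline"},
    {"EventID": 4688, "Computer": "SP-WFE01", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Computer": "SP-WFE01", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 4688, "Computer": "SP-WFE02", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem C:\\inetpub"},
    {"EventID": 4688, "Computer": "SP-WFE02", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\Temp\svc_update.exe",
     "CommandLine": "svc_update.exe"},
    {"EventID": 4689, "Computer": "SP-WFE01", "ParentProcessName": W3WP,
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},  # process exit, not creation
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.host}: {finding.reason} | {finding.command_line}")
```

Two caveats before deploying this. First, 4688 is only written when Audit Process Creation is enabled, and CommandLine stays empty unless "Include command line in process creation events" is also on; Sysmon Event ID 1 (with ParentImage) carries the same information if you already collect it. Second, the baseline has to come from your own farm: csc.exe from ASP.NET on-demand compilation is common, other children vary by configuration, and w3wp.exe also hosts any non-SharePoint IIS site on the box, so a medium finding is a triage item rather than an incident by itself.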

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

cve-2026-45659, microsoft, sharepoint, rce, vulnerability, patch management, deserialization
