Microsoft Patches Critical SharePoint RCE Flaw CVE-2026-45659
▼ Summary
– Microsoft released patches for a high-severity SharePoint remote code execution vulnerability, CVE-2026-45659, affecting Subscription Edition, 2019, and 2016 versions.
– The flaw involves deserializing untrusted data and can be exploited by an authenticated attacker with no user interaction and low attack complexity.
– SharePoint servers are frequent targets because they hold sensitive data and are often internet-accessible, with past exploitation by nation-state hackers and ransomware groups.
– Microsoft assesses the vulnerability as less likely to be exploited and currently lacks public details or a PoC exploit, but recommends treating the update as material and applying it promptly.
– The CVE was addressed in May 2026 updates; customers who installed those updates need no further action.
Microsoft has rolled out patches addressing a critical remote code execution (RCE) vulnerability in SharePoint, tracked as CVE-2026-45659. The flaw, rated high-severity, could be exploited with low complexity, posing a significant risk to on-premises deployments.
The vulnerability impacts multiple versions of the platform, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
The root cause of CVE-2026-45659 lies in SharePoint’s handling of deserialized untrusted data. An authenticated attacker can leverage this weakness to execute arbitrary code on a vulnerable SharePoint Server without any interaction from the user. Microsoft noted that the attack complexity is low because the attacker does not need extensive prior system knowledge and can achieve consistent results with the same payload against the vulnerable component. However, successful exploitation does require the attacker to first authenticate to the server.
SharePoint servers remain a prime target for cybercriminals due to their frequent exposure to the internet and the sensitive corporate data they often host. Over the years, the platform has suffered from numerous critical, actively exploited vulnerabilities, including RCE flaws that required no authentication, minimal privileges like those needed for CVE-2026-45659, or even high-level access. These servers have been targeted by nation-state actors, ransomware gangs, and initial access brokers alike.
Although Microsoft assesses that CVE-2026-45659 is less likely to be exploited in the wild, and no public proof-of-concept code or technical details have emerged, the company warns that organizations running on-premises SharePoint should treat this as a material update and apply it promptly.
The patches are included in the following builds:
- SharePoint Server Subscription Edition: build 16.0.19725.20280
- SharePoint Server 2019: build 16.0.10417.20128
- SharePoint Enterprise Server 2016: build 16.0.5552.1002
In a later update, Microsoft clarified that CVE-2026-45659 was fixed in updates released in May 2026, but the CVE identifier was inadvertently left out of the May 2026 Security Updates bulletin. Customers who have already installed those updates do not need to take any additional action.
(Source: Help Net Security)
