Microsoft has issued security patches for a high-severity remote code execution (RCE) vulnerability in SharePoint, tracked as CVE-2026-45659. The flaw is rated 8.8 on the CVSS scale and could be exploited in low-complexity attacks by an authenticated attacker.
The vulnerability originates from improper deserialization of untrusted data within SharePoint, allowing an attacker who has already authenticated to the server to execute arbitrary code remotely. Unlike many RCE bugs, this one does not require any user interaction, meaning the attacker can trigger the exploit without tricking a user into clicking a link or opening a file.
According to Microsoft's advisory, the attack complexity is low because an attacker does not need deep knowledge of the system and can achieve repeatable success with the same payload against the vulnerable component. The key prerequisite is that the attacker must first successfully authenticate to the SharePoint server. This reduces the risk from unauthenticated remote attackers but still makes the vulnerability a serious threat, especially considering that SharePoint servers are often exposed to the internet and regularly targeted by threat actors.
Affected versions and patching
The vulnerability affects three major editions of SharePoint: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft has released updates that address the flaw, and the specific build numbers that contain the fix are as follows:
- SharePoint Server Subscription Edition: build 16.0.19725.20280
- SharePoint Server 2019: build 16.0.10417.20128
- SharePoint Enterprise Server 2016: build 16.0.5552.1002
Organizations that have installed the May 2026 cumulative updates for these versions are already protected. Microsoft noted in an update on May 27, 2026, that CVE-2026-45659 was inadvertently omitted from the listing of the May 2026 Security Updates, but the patches themselves were included. Therefore, customers who applied the updates do not need to take any further action.
Why SharePoint remains a prime target
SharePoint servers are attractive targets for cybercriminals and nation-state actors because they frequently host sensitive business data, including documents, policies, internal communications, and sometimes even credentials. Many organizations also expose their SharePoint portals to the internet for remote collaboration, making them a potential entry point for attackers.
Over the past several years, SharePoint has been hit by multiple critical vulnerabilities, some of which were actively exploited in the wild. For example, in 2020, a critical RCE vulnerability (CVE-2020-1147) was exploited in targeted attacks just days after Microsoft released a patch. More recently, in 2023, CVE-2023-29357 allowed unauthenticated attackers to gain elevated privileges, and CVE-2023-24955 enabled RCE with minimal privileges. These flaws have been leveraged by ransomware operators, initial access brokers, and APT groups, including those linked to China and Iran.
The current vulnerability, while requiring authentication, still lowers the bar for attackers who have already compromised a low-privilege account or gained access through phishing or credential theft. Once inside, they can use this RCE to move laterally, deploy backdoors, or exfiltrate data.
Technical details and mitigation steps
Microsoft has not yet published detailed technical information about the exploit mechanism for CVE-2026-45659, nor has any proof-of-concept code been released publicly. This reduces the likelihood of immediate mass exploitation, but as history shows, threat actors often reverse-engineer patches to develop exploits once the updates are published. Organizations with on-premises SharePoint servers should therefore treat this update as material and apply it as soon as their security patching cycle allows.
The company assesses that exploitation of this vulnerability is less likely at this time, and its severity rating of "Important" (not Critical) reflects the authentication requirement. However, given the high CVSS score of 8.8 and the potential for chaining with other vulnerabilities, security teams should prioritize deployment.
In addition to installing the updates, administrators should consider the following best practices:
- Enforce multi-factor authentication (MFA) for all SharePoint users to reduce the risk of credential compromise.
- Limit internet-facing access to SharePoint servers unless strictly necessary, and use VPNs or zero-trust proxies for remote access.
- Monitor logs for unusual authentication patterns or unexpected code execution events.
- Apply the principle of least privilege so that even if an account is compromised, the attacker's ability to exploit RCE is constrained.
- Keep all SharePoint components and related software (such as SQL Server and IIS) up to date.
Background on deserialization vulnerabilities
Deserialization flaws are a common class of vulnerabilities in enterprise software, especially in products built on the .NET framework, such as SharePoint. When an application deserializes untrusted data (for example, from a network packet or a file) without proper validation, an attacker can craft malicious serialized objects that, upon deserialization, execute arbitrary code. Microsoft has had to patch similar deserialization bugs in SharePoint multiple times over the years, such as CVE-2021-34493 and CVE-2022-29127, both of which were rated Critical.
The recurring nature of these vulnerabilities underscores the complexity of securing large codebases that handle serialized data. While security improvements in the .NET runtime and SharePoint's pipeline have been made, attackers continue to find new code paths where validation is insufficient. The community expects that future patches may also be needed as more attack surfaces are discovered.
Nevertheless, the fact that CVE-2026-45659 was found and fixed during Microsoft's regular patch cycle indicates that internal security reviews and bounty programs are actively identifying issues. The vulnerability was reported through responsible disclosure, and no evidence of active exploitation has been observed as of the update release.
Looking ahead
With the May 2026 updates, Microsoft has closed another potential entry point into SharePoint environments. However, given the history of targeted attacks against this platform, security administrators should not become complacent. The vulnerability landscape is dynamic, and adversaries continuously monitor updates for low-hanging fruit. Combining prompt patching with robust access controls, network segmentation, and continuous monitoring remains the best defense.
The full list of fixes included in the May 2026 SharePoint updates extends beyond CVE-2026-45659, covering other security issues and quality improvements. Organizations should review the release notes for their specific version to understand all changes and any potential impacts on customizations or third-party solutions. Testing patches in a staging environment before production deployment is always recommended.
As of late May 2026, the advisory on CVE-2026-45659 has been updated to clarify that the vulnerability was indeed fixed in the May updates, even though it was initially missing from the security bulletin listing. This kind of administrative oversight is rare but highlights the importance of checking actual build numbers against known fixed versions rather than relying solely on bulletin summaries.
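The build check described above can be automated across an inventory. The following is an added example, not code from Microsoft or from the original article; the host names and installed builds are constructed, and only the three fixed build numbers come from the article.

```python
import re

# Fixed builds for CVE-2026-45659, exactly as listed in the article above.
FIXED_BUILDS = {
    "SharePoint Server Subscription Edition": "16.0.19725.20280",
    "SharePoint Server 2019": "16.0.10417.20128",
    "SharePoint Enterprise Server 2016": "16.0.5552.1002",
}

def parse_build(text):
    """Convert 'a.b.c.d' to a tuple of ints so parts compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(part) for part in text.split("."))

def assess(edition, installed):
    """Return 'patched', 'needs_update' or 'unknown' for one farm."""
    fixed = FIXED_BUILDS.get(edition)
    if fixed is None:
        return "unknown"  # edition is not in the article's list
    try:
        current = parse_build(installed)
    except ValueError:
        return "unknown"  # unreadable inventory value: check the farm by hand
    return "patched" if current >= parse_build(fixed) else "needs_update"

def triage(inventory):
    """Map each host name to its status."""
    return {host: assess(edition, build) for host, edition, build in inventory}

# Constructed inventory: host names and installed builds are made up.
INVENTORY = [
    ("sp-se-01", "SharePoint Server Subscription Edition", "16.0.19725.20280"),
    ("sp-19-01", "SharePoint Server 2019", "16.0.10417.20114"),
    # As strings, "999" sorts after "1002"; numerically it is the older build.
    ("sp-16-01", "SharePoint Enterprise Server 2016", "16.0.5552.999"),
    ("sp-16-02", "SharePoint Enterprise Server 2016", "16.0.5553.1000"),
    ("sp-19-02", "SharePoint Server 2019", "not collected"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown are worth a manual look, since a missing or malformed build value says nothing about patch state.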
Source: Help Net Security News