Microsoft Fixes SharePoint RCE CVE-2026-45659 Affecting Server 2016, 2019, and Subscription Edition
SharePoint vulnerabilities rarely stay theoretical for long. When a collaboration platform sits close to sensitive files, workflows, intranet portals, and identity-connected services, even an “important” bug can become an operational problem fast.
Microsoft has released fixes for CVE-2026-45659, a remote code execution vulnerability in Microsoft Office SharePoint caused by deserialization of untrusted data. The flaw carries a CVSS 3.1 score of 8.8 and is rated high severity by NVD, with Microsoft assigning it an “Important” severity rating.
What Microsoft Patched
CVE-2026-45659 allows an authorized attacker to execute code over a network against vulnerable SharePoint Server deployments. Microsoft’s advisory describes the issue as a deserialization vulnerability, meaning SharePoint can be tricked into processing attacker-controlled data in a way that leads to code execution.
The CVSS vector tells defenders why this matters: network exploitable, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. In practical terms, an attacker does not need administrator rights or a user to click anything. They need valid access with at least low privileges.
The affected product line includes:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
Why This Stands Out
The weakness is classified as CWE-502: Deserialization of Untrusted Data. That class of flaw is especially sensitive in server-side enterprise applications because exploitation can jump from data handling into code execution if object processing is not tightly constrained.
The “authorized attacker” requirement should not make security teams comfortable. SharePoint environments often include large user populations, service accounts, contractors, partner access, and legacy permission structures. A low-privileged account can be easier to obtain than defenders assume, especially through phishing, credential reuse, token theft, or stale accounts.
Microsoft has assessed exploitation of CVE-2026-45659 as less likely, but SharePoint’s recent history argues for speed. In March 2026, CISA added another SharePoint deserialization vulnerability, CVE-2026-20963, to its Known Exploited Vulnerabilities catalog after confirmed exploitation. That earlier flaw affected the same major SharePoint Server product families and was also tied to untrusted deserialization.
Defender Impact
The immediate priority is patch verification, not just patch deployment. SharePoint farms can be unevenly updated, especially where multiple web front ends, application servers, custom solutions, and maintenance windows are involved. Security teams should confirm that all affected SharePoint servers have received the relevant Microsoft updates, not only the externally visible nodes.
Defenders should also treat this as an access-control and monitoring issue. Because exploitation requires authentication, review low-privileged SharePoint access, disabled or dormant accounts, broad Site Member assignments, and service accounts with interactive or unnecessary access. The dangerous scenario is not only a public exploit; it is a compromised ordinary account reaching code execution on a business-critical server.
Recommended checks include reviewing SharePoint and IIS logs for unusual authenticated POST activity, unexpected application pool behavior, newly created files in SharePoint-related paths, suspicious child processes spawned from web or application pool contexts, and authentication events that precede abnormal server-side activity.
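The IIS log review described above can be started with a script like the following. It is an added example, not code from Microsoft or the original article: it parses IIS W3C logs and lists authenticated POSTs to paths the same account never posted to during a baseline period. The log lines, account names and paths are constructed, and the baseline comparison is an assumed heuristic, not an indicator of this specific CVE.

```python
from collections import Counter

# Constructed sample logs in IIS W3C extended format (not real data; the
# paths are placeholders and do not identify any vulnerable endpoint).
BASELINE = r"""#Fields: date time cs-method cs-uri-stem cs-username sc-status
2026-05-01 09:00:01 POST /sites/hr/page-a.aspx CONTOSO\alice 200
2026-05-01 09:00:07 POST /sites/hr/page-a.aspx CONTOSO\bob 200
"""
REVIEW = r"""#Fields: date time cs-method cs-uri-stem cs-username sc-status
2026-05-12 02:14:03 POST /sites/hr/page-a.aspx CONTOSO\alice 200
2026-05-12 02:14:09 POST /sites/hr/page-b.aspx CONTOSO\carol 500
2026-05-12 02:14:11 POST /sites/hr/page-b.aspx CONTOSO\carol 200
#Fields: date time cs-username cs-method cs-uri-stem sc-status
2026-05-12 02:15:00 - POST /sites/hr/page-b.aspx 401
2026-05-12 02:15:02 CONTOSO\bob GET /sites/hr/page-b.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request. Every '#Fields:' directive is honoured,
    because IIS re-emits it (possibly with a new column order) mid-file."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_posts(text):
    """Yield (user, path, status) for POSTs with an authenticated username."""
    for r in parse_w3c(text):
        if r.get("cs-method") == "POST" and r.get("cs-username", "-") != "-":
            yield r["cs-username"].lower(), r["cs-uri-stem"].lower(), r["sc-status"]

def unusual_posts(baseline, review):
    """Authenticated POSTs in `review` to paths the same account never POSTed
    to in `baseline`. Returns sorted [(user, path, count, server_errors)]."""
    known = {(u, p) for u, p, _ in auth_posts(baseline)}
    hits, errors = Counter(), Counter()
    for user, path, status in auth_posts(review):
        if (user, path) not in known:
            hits[(user, path)] += 1
            errors[(user, path)] += status.startswith("5")
    return sorted((u, p, n, errors[(u, p)]) for (u, p), n in hits.items())

if __name__ == "__main__":
    for finding in unusual_posts(BASELINE, REVIEW):
        print(finding)
```

Findings are leads for correlation with application pool and process-creation events on the same server and time window, not verdicts on their own.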
The Bigger Pattern
SharePoint remains a high-value target because it combines document access, internal trust, business workflows, and proximity to Microsoft identity ecosystems. On-premises SharePoint is especially attractive because it is often exposed for remote collaboration while still carrying legacy customizations and uneven hardening.
Microsoft’s SharePoint AMSI integration is designed to help prevent malicious web requests from reaching SharePoint endpoints before official fixes are installed. That does not replace patching, but it gives defenders an additional control layer for the gap between disclosure, deployment, and full farm validation.
NeuraCyb's Assessment
CVE-2026-45659 is not a panic-level disclosure, but it is exactly the kind of SharePoint flaw that deserves fast operational handling. The risk is not just the CVSS score; it is the combination of low-privilege access, network reachability, server-side code execution, and a platform that frequently holds sensitive business data. Patch it, verify every server in the farm, and treat broad SharePoint membership as part of the attack surface.