On May 21, 2026, a highly critical security flaw was disclosed affecting Microsoft SharePoint environments. Tracked as CVE-2026-45659, this vulnerability is a Remote Code Execution (RCE) flaw with a CVSS 3.1 base score of 8.8 (High Severity).
Rooted in the dangerous mishandling of untrusted data, this deserialization vulnerability presents a substantial risk to enterprise networks. While Microsoft has currently marked the exploitability as “Less Likely,” the low barrier to entry for an attacker makes immediate patching an absolute necessity for security and IT teams worldwide.
At its core, CVE-2026-45659 is classified under CWE-502: Deserialization of Untrusted Data. To understand the gravity of this flaw, one must look at how SharePoint processes incoming network requests and data objects.
Serialization is the process of converting complex data structures or object states into a format that can be easily stored or transmitted over a network. Deserialization is the reverse process, where the structured data is rebuilt into functional objects in the application’s memory.
When an application natively deserializes data from an untrusted source without proper verification, sanitation, or cryptographic signing, it opens the door for malicious manipulation.
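The paragraph above names the three missing controls that turn deserialization into an RCE primitive: verification, sanitation and cryptographic signing. The following PowerShell is an added illustration of the last of these, not code from the advisory, from Microsoft, or from SharePoint itself. It wraps a serialized blob in an HMAC-SHA256 envelope, verifies the signature in constant time before the bytes reach any parser, and then uses a data-only parser (ConvertFrom-Json), which never instantiates arbitrary types. The key, the envelope layout and the sample payload are constructed for the demo.

```powershell
# Added example (not from the advisory): verify before you deserialize.
# Assumption: the key is shared out-of-band by the producer and consumer.
$secretKey = [System.Text.Encoding]::UTF8.GetBytes('constructed-demo-key-do-not-reuse')

function Compare-FixedTime {
    # Constant-time byte comparison so a wrong signature does not leak timing.
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function New-SignedEnvelope {
    param([Parameter(Mandatory)][hashtable]$Data, [Parameter(Mandatory)][byte[]]$Key)
    $json  = $Data | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
    $hmac  = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { $sig = $hmac.ComputeHash($bytes) } finally { $hmac.Dispose() }
    return @{
        payload   = [Convert]::ToBase64String($bytes)
        signature = [Convert]::ToBase64String($sig)
    }
}

function Test-EnvelopeSignature {
    param([Parameter(Mandatory)]$Envelope, [Parameter(Mandatory)][byte[]]$Key)
    # A missing field is a rejection, not an exception path an attacker can probe.
    if (-not $Envelope.payload -or -not $Envelope.signature) { return $false }
    $bytes   = [Convert]::FromBase64String($Envelope.payload)
    $claimed = [Convert]::FromBase64String($Envelope.signature)
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { $expected = $hmac.ComputeHash($bytes) } finally { $hmac.Dispose() }
    return (Compare-FixedTime -A $expected -B $claimed)
}

function Read-SignedEnvelope {
    param([Parameter(Mandatory)]$Envelope, [Parameter(Mandatory)][byte[]]$Key)
    if (-not (Test-EnvelopeSignature -Envelope $Envelope -Key $Key)) {
        throw 'Rejected: signature missing or invalid; payload never reached the deserializer.'
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Envelope.payload))
    # Data-only parser: ConvertFrom-Json yields PSCustomObjects, no type lookup from input.
    return ($json | ConvertFrom-Json)
}

# Constructed sample: a legitimate envelope round-trips.
$good = New-SignedEnvelope -Data @{ listId = 42; action = 'export' } -Key $secretKey
(Read-SignedEnvelope -Envelope $good -Key $secretKey).action   # export

# Tampered copy: the bytes changed, the HMAC no longer matches, parsing never runs.
$tampered = @{ payload = $good.payload; signature = $good.signature }
$tampered.payload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('{"action":"delete"}'))
try { Read-SignedEnvelope -Envelope $tampered -Key $secretKey } catch { Write-Warning $_.Exception.Message }
```

The design point is ordering: the signature check happens on raw bytes, before any object is built, so an unauthenticated or modified payload is discarded at a stage where it cannot influence which types get instantiated. Signing does not make a type-resolving deserializer safe on its own; it restricts who can feed it, which is why the example also keeps the parser data-only.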
CVE-2026-45659: Urgent SharePoint Patch
In the case of CVE-2026-45659, an attacker can craft a malicious serialized payload and send it to a vulnerable Microsoft Office SharePoint server. When the SharePoint engine attempts to parse and deserialize this payload, the malicious object is instantiated in the server’s memory.
This forces the server to execute arbitrary commands embedded within the payload, effectively handing over control of the underlying system to the threat actor. Because the code execution happens in the context of the SharePoint service account, the attacker can leverage this position to pivot further into the enterprise network.
The Common Vulnerability Scoring System (CVSS) framework assigns this flaw an 8.8 Base Score, reflecting its severe nature. A granular look at the vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reveals why security operations centers (SOCs) must prioritize this alert:
- Attack Vector: Network (AV:N): The vulnerability is exploitable remotely over the internet or internal network boundaries. The attacker does not need physical access or local shell access to the target machine.
- Attack Complexity: Low (AC:L): Exploiting this deserialization flaw does not require advanced, mathematically complex, or highly timing-dependent techniques. A reliable, repeatable exploit chain can be developed without specialized knowledge of the target’s unique environment configurations.
- Privileges Required: Low (PR:L): This is arguably the most critical metric. The attack does not require Administrator or Farm Admin privileges. Any authenticated user with at least “Site Member” permissions can trigger the vulnerability. In large organizations, compromised low-level credentials (e.g., obtained via phishing) can easily be weaponized to launch this attack.
- User Interaction: None (UI:N): The exploit executes silently upon the server processing the payload. No administrator or victim user needs to click a link or open a file for the attack to succeed.
- Impact (Confidentiality, Integrity, Availability: High): A successful RCE means the attacker can view sensitive corporate data, modify or destroy files, and disrupt the availability of the SharePoint service entirely.
While Microsoft’s telemetry currently indicates that there are no public exploits or active zero-day exploitation campaigns in the wild (“Exploitation Less Likely”), the history of SharePoint vulnerabilities suggests that threat actors will quickly reverse-engineer the patch.
Advanced Persistent Threat (APT) groups and ransomware operators frequently target SharePoint and Microsoft Exchange servers because they hold the “crown jewels” of corporate data and reside deep within trusted network segments.
If exploited, an attacker could use CVE-2026-45659 to deploy web shells, exfiltrate sensitive intellectual property, manipulate financial records stored on SharePoint intranets, or use the server as a launching pad for ransomware deployment across the Active Directory domain. The fact that only “Site Member” access is required highlights the danger of insider threats or poorly secured guest accounts.
Affected Versions and Patch
Microsoft has released out-of-band and scheduled security updates to address this deserialization weakness across multiple generations of SharePoint. Administrators must verify their current build numbers and apply the corresponding Knowledge Base (KB) updates immediately.
The following product families are confirmed vulnerable:
- Microsoft SharePoint Server Subscription Edition
  - Patch: KB 5002863
  - Secure Build Number: 16.0.19725.20280
- Microsoft SharePoint Server 2019
  - Patch: KB 5002870
  - Secure Build Number: 16.0.10417.20128
- Microsoft SharePoint Enterprise Server 2016
  - Patch: KB 5002868
  - Secure Build Number: 16.0.5552.1002
  - Note: This KB applies to both the Standard and Enterprise editions of the 2016 server.
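The advisory asks administrators to compare their build numbers against the secure builds above. The following PowerShell is an added example (not from the advisory or from Microsoft) that reads the farm's build version with the SharePoint cmdlets and reports whether the matching KB is in place. The secure builds and KB numbers come from the list above; the build-number ranges used to infer the product family are an assumption that should be confirmed against Get-SPProduct on the farm, and the offline sample build is a constructed value.

```powershell
# Added example (not from the advisory): is this farm at or above the secure build?
# Run in the SharePoint Management Shell; in a plain console load the snap-in first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Secure builds and KBs as listed in the advisory.
$SecureBuilds = @{
    'SharePoint Server Subscription Edition' = @{ Build = [version]'16.0.19725.20280'; KB = 'KB 5002863' }
    'SharePoint Server 2019'                 = @{ Build = [version]'16.0.10417.20128'; KB = 'KB 5002870' }
    'SharePoint Server 2016'                 = @{ Build = [version]'16.0.5552.1002';   KB = 'KB 5002868' }
}

function Get-SharePointFamily {
    # Assumption (not from the advisory): infer the family from the third version
    # component; verify against Get-SPProduct -Local if in doubt.
    param([Parameter(Mandatory)][version]$Build)
    if ($Build.Build -ge 14000) { return 'SharePoint Server Subscription Edition' }
    if ($Build.Build -ge 10000) { return 'SharePoint Server 2019' }
    return 'SharePoint Server 2016'
}

function Test-SharePointPatchState {
    param([Parameter(Mandatory)][version]$Build)
    $family = Get-SharePointFamily -Build $Build
    $target = $SecureBuilds[$family]
    [pscustomobject][ordered]@{
        Family       = $family
        CurrentBuild = $Build.ToString()
        SecureBuild  = $target.Build.ToString()
        RequiredKB   = $target.KB
        Patched      = ($Build -ge $target.Build)
    }
}

if (Get-Command Get-SPFarm -ErrorAction SilentlyContinue) {
    # Live check on a farm server (requires farm administrator rights).
    Test-SharePointPatchState -Build (Get-SPFarm).BuildVersion | Format-List
} else {
    # Offline check with a constructed build number (example value, not a real farm).
    Test-SharePointPatchState -Build '16.0.10416.20000' | Format-List
}
```

One caveat worth knowing: the farm build version reported by Get-SPFarm reflects the last successful run of the configuration wizard (psconfig), so a server where the KB binaries are installed but psconfig has not yet completed will still report the old build. Check Get-SPProduct -Local for servers flagged as needing an upgrade before concluding a farm is patched.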
Remediation
Patching is the only definitive way to eliminate the vulnerability posed by CVE-2026-45659. Security teams should treat this deployment as a critical priority. Furthermore, organizations should adopt a defense-in-depth approach to mitigate the broader risks of deserialization attacks:
- Immediate Patch Deployment: Utilize centralized patch management tools to deploy KB 5002863, KB 5002870, or KB 5002868 during the next available maintenance window.
- Network Segmentation: Ensure that SharePoint servers are properly segmented from highly sensitive internal networks and not directly exposed to the public internet without passing through a Web Application Firewall (WAF) or secure gateway.
- Zero Trust and Least Privilege: Audit Active Directory and SharePoint permission groups. Ensure users only hold the permissions necessary for their roles, limiting the pool of accounts that possess the “Site Member” privileges required to execute this attack.
- Behavioral Monitoring: Configure Endpoint Detection and Response (EDR) solutions to monitor the w3wp.exe (IIS worker process) for suspicious child processes, which often indicate successful post-exploitation RCE activity.
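The behavioral-monitoring recommendation above is simple to express as a rule. The following PowerShell is an added example, not from the advisory or any EDR vendor, that flags process-creation records where w3wp.exe is the parent of an interpreter or other living-off-the-land binary. The field names follow the Sysmon Event ID 1 layout (Image, ParentImage, CommandLine, User, UtcTime); the sample records, the service-account name and the list of suspicious child names are constructed for the demo and should be tuned to the environment.

```powershell
# Added example (not from the advisory): flag suspicious children of the IIS worker process.
# Assumption: records carry Sysmon Event ID 1 field names. Tune this list to your baseline.
$SuspiciousChildren = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                        'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe',
                        'bitsadmin.exe','net.exe','whoami.exe')

function Test-W3wpChildProcess {
    param([Parameter(Mandatory)]$Record)
    # Split-Path -Leaf handles backslash paths on every PowerShell host.
    $parent = (Split-Path -Leaf $Record.ParentImage).ToLowerInvariant()
    $child  = (Split-Path -Leaf $Record.Image).ToLowerInvariant()
    if ($parent -ne 'w3wp.exe') { return $null }
    if ($SuspiciousChildren -notcontains $child) { return $null }
    [pscustomobject][ordered]@{
        Time        = $Record.UtcTime
        Parent      = $parent
        Child       = $child
        User        = $Record.User
        CommandLine = $Record.CommandLine
        Reason      = "w3wp.exe spawned $child"
    }
}

# Constructed sample records (not real telemetry): one hit, one benign w3wp child, one unrelated cmd.
$sampleRecords = @(
    @{ UtcTime = '2026-05-22 09:14:02'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami'; User = 'CONTOSO\svc_spapp' },
    @{ UtcTime = '2026-05-22 09:14:30'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Image = 'C:\Windows\System32\WerFault.exe'; CommandLine = 'WerFault.exe -u -p 4120'; User = 'CONTOSO\svc_spapp' },
    @{ UtcTime = '2026-05-22 09:15:10'; ParentImage = 'C:\Windows\explorer.exe'
       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe'; User = 'CONTOSO\jdoe' }
)

# Only the first record is reported.
$sampleRecords | ForEach-Object { Test-W3wpChildProcess -Record $_ } | Where-Object { $_ } | Format-Table -AutoSize

# On a host with Sysmon installed, the same check runs over the live log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 500 |
#   ForEach-Object {
#       $x = [xml]$_.ToXml(); $d = @{}
#       $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       Test-W3wpChildProcess -Record $d
#   } | Where-Object { $_ }
```

The rule keys on the parent-child relationship rather than on command-line content, which is what makes it robust against payload obfuscation: whatever the deserialized object does, a shell or script host appearing under w3wp.exe is rare in a healthy SharePoint farm and is worth an alert. Expect some tuning for legitimate children such as crash reporting or timer-job helpers in your own baseline.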
FAQ
Q1: What exactly is CVE-2026-45659?
It is a critical Remote Code Execution vulnerability in Microsoft SharePoint caused by the insecure deserialization of untrusted network data.
Q2: Who is at risk from this vulnerability?
Organizations running unpatched versions of Microsoft SharePoint 2016, 2019, or the Subscription Edition are fully vulnerable.
Q3: What level of access does a hacker need to exploit this flaw?
An attacker only needs low-level “Site Member” permissions and network access to successfully execute arbitrary code.
Q4: Are hackers currently exploiting this SharePoint vulnerability?
As of the disclosure date, there are no known public exploits or active attacks, though immediate patching is still strongly advised.
Site: thecybrdef.com