Microsoft has patched a newly disclosed remote code execution (RCE) vulnerability affecting:
- Microsoft SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
The vulnerability is tracked as:
- CVE-2026-45659
- CVSS Score: 8.8
and is classified as an important severity security issue.
According to Microsoft, the flaw stems from:
- Deserialization of untrusted data
within Microsoft Office SharePoint.
Technical Details
The vulnerability allows attackers to:
- Execute arbitrary code remotely
- Exploit SharePoint over the network
- Abuse unsafe object deserialization mechanisms
Importantly, successful exploitation:
- Does not require administrator privileges
- Requires only:
- Authenticated access
- Minimum Site Member permissions
Microsoft stated:
“An authenticated attacker, who has a minimum of Site Member permissions, could execute code remotely on the SharePoint Server.”
Affected Versions
Security updates have been released for:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
Organizations running unsupported or unpatched SharePoint deployments may remain vulnerable.
Discovery and Reporting
Microsoft credited a security researcher known as:
- MEOW
for discovering and responsibly disclosing the vulnerability.
Exploitation Risk
Although Microsoft currently assesses the flaw as:
- “Less likely to be exploited”
security experts warn that SharePoint vulnerabilities have historically become high-value targets for:
- Nation-state actors
- Ransomware groups
- Initial access brokers
- Enterprise-focused threat actors
SharePoint servers are frequently internet-facing and often deeply integrated into enterprise authentication and collaboration infrastructure.
Previous SharePoint Exploitation
The patch follows another recent SharePoint security issue:
- CVE-2026-32201
- SharePoint spoofing vulnerability
- Confirmed exploited in the wild
The recurring exploitation of SharePoint flaws continues to highlight the platform’s attractiveness to attackers targeting enterprise environments.
Potential Impact
Successful exploitation of CVE-2026-45659 could allow attackers to:
- Execute arbitrary code on SharePoint servers
- Gain persistence within enterprise environments
- Access sensitive internal documents
- Move laterally across connected systems
- Escalate attacks into broader network compromise
Mitigation Recommendations
Organizations are strongly advised to:
Apply Security Updates Immediately
- Install the latest SharePoint security patches released by Microsoft
Restrict SharePoint Exposure
- Limit internet exposure where possible
- Enforce network segmentation
Review User Permissions
- Audit Site Member permissions
- Remove unnecessary access rights
Monitor for Suspicious Activity
- Investigate unusual SharePoint requests
- Monitor authentication anomalies
- Review server logs for unexpected deserialization-related activity
Harden SharePoint Environments
- Enable multi-factor authentication
- Restrict privileged service accounts
- Conduct regular vulnerability assessments
Conclusion
CVE-2026-45659 adds to the growing list of critical SharePoint vulnerabilities capable of enabling remote compromise of enterprise infrastructure.
Even though exploitation currently requires authenticated access, the low privilege requirement significantly increases the risk in environments where attackers have already obtained user credentials through phishing, credential theft, or prior compromise.
Organizations using on-premises SharePoint should prioritize patching immediately to reduce exposure to potential future exploitation campaigns.