Microsoft has patched a newly disclosed remote code execution (RCE) vulnerability affecting:

  • Microsoft SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Enterprise Server 2016

The vulnerability is tracked as:

  • CVE-2026-45659
  • CVSS Score: 8.8

and is classified as an important severity security issue.

According to Microsoft, the flaw stems from:

  • Deserialization of untrusted data

within Microsoft Office SharePoint.

Technical Details

The vulnerability allows attackers to:

  • Execute arbitrary code remotely
  • Exploit SharePoint over the network
  • Abuse unsafe object deserialization mechanisms

Importantly, successful exploitation:

  • Does not require administrator privileges
  • Requires only:
  • Authenticated access
  • Minimum Site Member permissions

Microsoft stated:

“An authenticated attacker, who has a minimum of Site Member permissions, could execute code remotely on the SharePoint Server.”

Affected Versions

Security updates have been released for:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Enterprise Server 2016

Organizations running unsupported or unpatched SharePoint deployments may remain vulnerable.

Discovery and Reporting

Microsoft credited a security researcher known as:

  • MEOW

for discovering and responsibly disclosing the vulnerability.

Exploitation Risk

Although Microsoft currently assesses the flaw as:

  • “Less likely to be exploited”

security experts warn that SharePoint vulnerabilities have historically become high-value targets for:

  • Nation-state actors
  • Ransomware groups
  • Initial access brokers
  • Enterprise-focused threat actors

SharePoint servers are frequently internet-facing and often deeply integrated into enterprise authentication and collaboration infrastructure.

Previous SharePoint Exploitation

The patch follows another recent SharePoint security issue:

  • CVE-2026-32201
  • SharePoint spoofing vulnerability
  • Confirmed exploited in the wild

The recurring exploitation of SharePoint flaws continues to highlight the platform’s attractiveness to attackers targeting enterprise environments.

Potential Impact

Successful exploitation of CVE-2026-45659 could allow attackers to:

  • Execute arbitrary code on SharePoint servers
  • Gain persistence within enterprise environments
  • Access sensitive internal documents
  • Move laterally across connected systems
  • Escalate attacks into broader network compromise

Mitigation Recommendations

Organizations are strongly advised to:

Apply Security Updates Immediately

  • Install the latest SharePoint security patches released by Microsoft

Restrict SharePoint Exposure

  • Limit internet exposure where possible
  • Enforce network segmentation

Review User Permissions

  • Audit Site Member permissions
  • Remove unnecessary access rights

Monitor for Suspicious Activity

  • Investigate unusual SharePoint requests
  • Monitor authentication anomalies
  • Review server logs for unexpected deserialization-related activity

Harden SharePoint Environments

  • Enable multi-factor authentication
  • Restrict privileged service accounts
  • Conduct regular vulnerability assessments

Conclusion

CVE-2026-45659 adds to the growing list of critical SharePoint vulnerabilities capable of enabling remote compromise of enterprise infrastructure.

Even though exploitation currently requires authenticated access, the low privilege requirement significantly increases the risk in environments where attackers have already obtained user credentials through phishing, credential theft, or prior compromise.

Organizations using on-premises SharePoint should prioritize patching immediately to reduce exposure to potential future exploitation campaigns.