Microsoft Patches SharePoint RCE Flaw Enabling RCE Attacks

Summary: The Microsoft SharePoint Remote Code Execution vulnerability CVE-2026-45659 poses a significant risk to organizations running on-premises SharePoint deployments. Patches have been rolled out.

OEM: Microsoft
Severity: Critical
CVSS Score: CVSS:3.1 8.8 / 7.7
CVEs: CVE-2026-45659
Actively Exploited: Yes
Exploited in Wild: Yes
Impact: Remote Code Execution

Overview: Tracked as CVE-2026-45659, the vulnerability poses a significant risk to organizations running on-premises SharePoint deployments.

Vulnerability Details: A newly disclosed vulnerability, CVE-2026-45659, affects Microsoft SharePoint and could allow attackers to remotely run malicious code on vulnerable SharePoint servers.

The issue is caused by how SharePoint processes or “deserializes” untrusted data. In simple terms, the server incorrectly handles specially crafted data sent by an attacker, which can allow unauthorized commands to run on the system.

If successfully exploited, attackers may be able to:

  • Gain control of the SharePoint server
  • Access sensitive organizational data
  • Deploy malware or ransomware
  • Move deeper into enterprise networks

Although Microsoft currently rates exploitation as “less likely,” security researchers warn the vulnerability should still be treated seriously because the attack does not require high complexity and can potentially be executed remotely over the network.

Technical Summary:

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2026-45659 | SharePoint | Network-based (AV:N) with low attack complexity (AC:L) | SharePoint Server via Remote Code Execution |

Affected Versions and Patches

Microsoft has released security updates for all affected SharePoint Server versions. Organizations should prioritize patching immediately.

| Product | KB Article | Build Number |
| --- | --- | --- |
| SharePoint Server Subscription Edition | KB 5002863 | 16.0.19725.20280 |
| SharePoint Server 2019 | KB 5002870 | 16.0.10417.20128 |
| SharePoint Enterprise Server 2016 | KB 5002868 | 16.0.5552.1002 |

Mitigation:

Security teams should immediately apply the latest SharePoint security updates, restrict Site Member access to trusted users, monitor logs for suspicious activity, isolate internet-facing SharePoint servers until patching is verified, and enable WAF protections to block malicious deserialization attempts.
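To support the "until patching is verified" step, the following added example (not code from Microsoft or from the original page) compares each server's reported build with the fixed builds in the table above. The helper name `Test-SharePointBuild`, the server names and the inventory rows are constructed assumptions; only the product names, KB numbers and fixed builds come from the page.

```powershell
# Fixed builds and KBs copied from the "Affected Versions and Patches" table.
$FixedBuilds = @{
    'SharePoint Server Subscription Edition' = @{ KB = 'KB 5002863'; Build = [version]'16.0.19725.20280' }
    'SharePoint Server 2019'                 = @{ KB = 'KB 5002870'; Build = [version]'16.0.10417.20128' }
    'SharePoint Enterprise Server 2016'      = @{ KB = 'KB 5002868'; Build = [version]'16.0.5552.1002' }
}

# Hypothetical helper: classify one server's reported build against its product's fixed build.
function Test-SharePointBuild {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$Build
    )
    $result = [ordered]@{ Server = $Server; Product = $Product; Build = $Build; Status = ''; RequiredKB = '' }
    $parsed = $null
    if (-not $FixedBuilds.ContainsKey($Product)) {
        $result.Status = 'UNKNOWN PRODUCT'      # not in the advisory table: review by hand
    }
    elseif (-not [version]::TryParse($Build, [ref]$parsed)) {
        $result.Status = 'UNPARSEABLE BUILD'    # never count a bad value as patched
    }
    else {
        $fix = $FixedBuilds[$Product]
        $result.RequiredKB = $fix.KB
        # [version] compares field by field as numbers, so 16.0.5552.1002 is newer
        # than 16.0.5552.999; a plain string comparison would get that wrong.
        $result.Status = if ($parsed -ge $fix.Build) { 'PATCHED' } else { 'VULNERABLE' }
    }
    [pscustomobject]$result
}

# Constructed inventory. On a farm server, (Get-SPFarm).BuildVersion in the
# SharePoint Management Shell supplies the Build value for that farm.
$inventory = @(
    @{ Server = 'sp-app01'; Product = 'SharePoint Server 2019';                 Build = '16.0.10417.20128' }
    @{ Server = 'sp-wfe02'; Product = 'SharePoint Enterprise Server 2016';      Build = '16.0.5552.999' }
    @{ Server = 'sp-se03';  Product = 'SharePoint Server Subscription Edition'; Build = '16.0.19725.20280' }
    @{ Server = 'sp-old04'; Product = 'SharePoint Enterprise Server 2016';      Build = 'unknown' }
)

$report = foreach ($row in $inventory) { Test-SharePointBuild @row }
$report | Format-Table -AutoSize
```

Any row that is not `PATCHED` should keep its server isolated; with the constructed inventory above, `sp-wfe02` reports `VULNERABLE` and `sp-old04` reports `UNPARSEABLE BUILD`.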

“Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network,” Microsoft said in an advisory released last week.

Although Microsoft currently confirms the vulnerability has not been publicly disclosed or actively exploited, the low complexity and network-accessible attack surface make it a prime candidate for future exploitation once proof-of-concept code circulates.

RakshaOne:

The impacts of the Microsoft SharePoint RCE vulnerability (CVE-2026-45659) can be strongly mapped to the capabilities of RakshaOne from Intrucept.

The vulnerability can lead to server compromise, malware deployment, data theft, and lateral movement across enterprise environments.

RakshaOne helps security teams gain centralized visibility across the organization, enabling analysts and SOC managers to quickly understand the extent and context of a SharePoint compromise.

If attackers exploit the vulnerability to gain control of a SharePoint server, RakshaOne can correlate suspicious activity across endpoints, servers, cloud workloads, and network infrastructure using its 1,100+ preconfigured correlation rules and threat analytics capabilities.

Do get in touch with us for more details:

Source: CVE-2026-45659 – Security Update Guide – Microsoft – Microsoft SharePoint Remote Code Execution Vulnerability
