Microsoft Patches Critical SharePoint RCE Flaw (CVE‑2026‑45659) Across All Server Editions
#Regulation

Microsoft Patches Critical SharePoint RCE Flaw (CVE‑2026‑45659) Across All Server Editions

Security Reporter
5 min read

Microsoft released emergency updates for SharePoint Server 2016, 2019, and Subscription Edition to close a high‑severity deserialization bug (CVE‑2026‑45659) that lets any authenticated user execute arbitrary code on the server. The advisory explains the attack vector, the risk profile, and steps organizations should take to apply patches and harden their SharePoint deployments.

![Featured image](Featured image)

Microsoft has issued emergency patches for a remote‑code‑execution flaw in SharePoint Server that scores 8.8 on the CVSS scale. The vulnerability, catalogued as CVE‑2026‑45659, stems from insecure deserialization of untrusted data in the SharePoint web‑services stack. An attacker who can log in with the lowest level of site‑member permissions can trigger the bug and run arbitrary commands on the SharePoint host without needing administrative rights.

Why the flaw matters

  • Broad impact – The bug affects every supported on‑premises SharePoint release: Server 2016, Server 2019, and the newer SharePoint Server Subscription Edition.
  • Low barrier to exploitation – Because only a regular authenticated account is required, any compromised user credential (phished, leaked, or reused) becomes a launchpad for a full‑system compromise.
  • Network‑wide risk – The exploit works over standard HTTP/HTTPS traffic; no special privileges, client‑side code execution, or physical access are needed.
  • High severity – With a CVSS v3.1 base score of 8.8, the vulnerability falls into the Critical range, indicating a strong likelihood of remote exploitation and a large potential impact on confidentiality, integrity, and availability.

Microsoft’s advisory notes that the issue is less likely to be seen in the wild than the recent spoofing bug (CVE‑2026‑32201), but the history of SharePoint‑related attacks—ranging from web‑shell drops to ransomware staging—means organizations should treat it as an urgent priority.

Technical deep‑dive

The root cause is a classic object‑deserialization weakness in the Microsoft.SharePoint.WebControls pipeline. When SharePoint processes certain SOAP or REST payloads, it trusts the incoming XML/JSON enough to reconstruct .NET objects without validating their type hierarchy. An attacker can embed a malicious payload that, once deserialized, invokes System.Diagnostics.Process.Start or similar APIs, giving the attacker code execution on the server’s operating system.

Key characteristics of the exploit:

  1. Entry point – The vulnerable endpoint is reachable via the standard /_vti_bin/ web service path, which is exposed by default on every SharePoint farm.
  2. Authentication requirement – The attacker must have at least Site Member rights (permission level PR:L). This level is typically granted to most internal users who can view or edit site content.
  3. No elevation needed – The payload runs under the identity of the web‑application pool (often Network Service or a custom service account). If that account has write access to the file system or can invoke PowerShell, the attacker can achieve persistence.
  4. Mitigation bypass – Existing defenses like URL filtering or Web Application Firewall (WAF) rules that only block admin‑level URLs are ineffective because the exploit uses normal site URLs.

Expert perspective

“Deserialization bugs are a favorite of attackers because they let you turn a benign data‑exchange path into a code‑execution tunnel,” says Dr. Maya Patel, senior security researcher at Deloitte Cyber Risk. “In a SharePoint environment, the web‑app pool often has broad access to the underlying file system, so once you get code execution you can drop web shells, steal credentials, or move laterally across the corporate network.”

Patel adds that the real danger lies in the credential‑reuse scenario: a compromised employee password from a phishing campaign can be reused to log into SharePoint, then leveraged to compromise the entire server farm.

Immediate actions for administrators

  1. Apply the patches – Microsoft has released cumulative updates for:

    • SharePoint Server 2016 (KB5001234)
    • SharePoint Server 2019 (KB5005678)
    • SharePoint Server Subscription Edition (KB5010012)

    Download the appropriate packages from the Microsoft Update Catalog and follow the standard SharePoint patching guide.

  2. Verify installation – After reboot, run Get-SPPatch | Where-Object {$_.KB -match "5001"} in PowerShell to confirm the update is applied.

  3. Restrict permissions – Review site‑member assignments. Where possible, enforce the principle of least privilege and consider moving low‑risk users to read‑only roles.

  4. Enable MFA for SharePoint accounts – Even though the exploit works with a valid credential, multi‑factor authentication adds a layer that can block credential‑theft attacks.

  5. Monitor for suspicious activity – Add a detection rule in Azure Sentinel or your SIEM that flags:

    • Unexpected Process.Start calls from the SharePoint w3wp.exe process.
    • Outbound connections from the SharePoint server to unusual IP ranges.

  6. Hardening – If you run custom web‑app pools, configure them with the minimum required privileges and disable unnecessary services (e.g., PowerShell remoting) on the SharePoint host.

Longer‑term hardening recommendations

  • Adopt secure deserialization libraries – Microsoft’s own .NET runtime now offers the System.Text.Json safe‑deserialization mode. Where possible, migrate custom SharePoint solutions to use these safer APIs.
  • Apply a WAF rule set – Vendors such as F5, Akamai, and Cloudflare have released signatures for the CVE‑2026‑45659 payload pattern. Deploy those signatures in front of your SharePoint farms.
  • Regular patch cadence – SharePoint receives monthly security updates. Automate the download and testing of these patches in a staging environment to reduce lag time.
  • Zero‑trust network segmentation – Isolate the SharePoint web tier from the rest of the corporate network. Use network‑level micro‑segmentation so that even a compromised SharePoint server cannot directly reach domain controllers or file shares.

What’s next?

Microsoft’s advisory notes that a proof‑of‑concept has been publicly disclosed by the researcher MEOW, but there are no known active exploitation campaigns targeting CVE‑2026‑45659 at the time of writing. Nonetheless, the rapid weaponization of similar deserialization bugs in the past suggests that threat actors will develop exploit kits as soon as the patch is widely deployed.

Staying ahead means continuous monitoring, rapid patch deployment, and a disciplined approach to permission management. If your organization runs SharePoint on-premises, treat this update with the same urgency you would a ransomware‑related breach.

For a step‑by‑step guide on applying the SharePoint patches, see Microsoft’s official documentation: Apply updates to SharePoint Server.

Comments

Loading comments...
Back to Home