Critical SharePoint Server Vulnerability Exposes Organizations to Remote Code Execution Attacks
On May 21, 2026, Microsoft disclosed a significant security vulnerability in SharePoint Server, identified as CVE-2026-45659. This flaw allows authenticated users to execute arbitrary code remotely, posing a substantial risk to organizations utilizing on-premises SharePoint deployments.
Understanding the Vulnerability
The root of this vulnerability lies in the deserialization of untrusted data within Microsoft Office SharePoint. Deserialization is the process of converting data from a stored format back into its original structure. When this process handles untrusted data improperly, it can lead to security breaches. In this case, the flaw enables network-based attackers to execute code on affected servers remotely.
Microsoft has rated this vulnerability as Important, with the likelihood of exploitation currently assessed as Less Likely. However, the simplicity of the attack increases its potential threat. Any authenticated user with at least Site Member-level permissions can exploit this flaw without requiring administrative rights. The attack is network-based and has low complexity, meaning attackers don’t need specialized knowledge of the target system to execute the exploit reliably over the internet.
Affected Versions and Available Patches
Microsoft has released security updates for all impacted SharePoint Server versions. Organizations are urged to apply these patches promptly to mitigate the risk. The affected versions and corresponding updates are:
– SharePoint Server Subscription Edition: KB 5002863, Build Number 16.0.19725.20280
– SharePoint Server 2019: KB 5002870, Build Number 16.0.10417.20128
– SharePoint Enterprise Server 2016: KB 5002868, Build Number 16.0.5552.1002
Recommended Mitigation Strategies
To protect against potential exploitation, organizations should implement the following measures:
1. Apply Security Updates: Install the May 21, 2026, security updates for all affected SharePoint versions via the Microsoft Update Catalog or direct download.
2. Review and Restrict Permissions: Audit site membership permissions and limit Site Member access to trusted users only.
3. Monitor Server Logs: Keep an eye on SharePoint Server logs for unusual deserialization activities or unexpected code execution attempts.
4. Isolate Vulnerable Instances: Temporarily disconnect internet-facing SharePoint instances until patches are fully applied and verified.
5. Implement Web Application Firewall (WAF) Rules: Set up WAF rules to detect and block malicious deserialization payloads.
Although there are no current reports of this vulnerability being publicly disclosed or actively exploited, its low complexity and network accessibility make it a prime target for future attacks, especially once proof-of-concept code becomes available.
Broader Context and Implications
This vulnerability is part of a series of security challenges affecting Microsoft SharePoint Server. In July 2025, a critical zero-day vulnerability, known as ToolShell (CVE-2025-53770), was actively exploited, allowing unauthenticated attackers to gain full control over vulnerable systems. The rapid weaponization of this exploit within 72 hours of its public disclosure underscored the urgency of timely patching and proactive security measures.
Further investigations revealed that over 17,000 SharePoint servers were exposed to internet-based attacks, with 840 specifically vulnerable to the ToolShell exploit. This widespread exposure highlighted the critical need for organizations to secure their SharePoint deployments and apply patches promptly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has consistently issued warnings about such vulnerabilities, emphasizing the importance of immediate remediation to prevent potential breaches. The active exploitation of these flaws by various hacker groups, including nation-state actors, demonstrates the high stakes involved.
Conclusion
The disclosure of CVE-2026-45659 serves as a stark reminder of the evolving threat landscape and the necessity for organizations to remain vigilant. By promptly applying security updates, reviewing user permissions, monitoring server activity, and implementing additional protective measures, organizations can significantly reduce their risk exposure. Proactive and comprehensive security practices are essential to safeguard sensitive data and maintain the integrity of organizational systems.
