High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659)

Microsoft has released patches for a high-severity remote code execution vulnerability (CVE-2026-45659) in SharePoint that may be exploited in low-complexity attacks.


The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

About CVE-2026-45659

CVE-2026-45659 stems from SharePoint deserializing untrusted data, and may be exploited by an authenticated attacker to execute code remotely on a vulnerable SharePoint Server instance – no user interaction required.

“The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component,” Microsoft explained.

In order to exploit it, though, attackers must first successfully authenticate to the server.

SharePoint: A popular target

SharePoint servers are an attractive target for attackers as they often hold sensitive company data and are usually accessible from the internet.

SharePoint has had several critical, actively exploited vulnerabilities over the years, including remote code execution flaws that required no authentication, minimal privileges (such as those required to exploit CVE-2026-45659), or even high privileges.

Deployments have been targeted by nation-state hackers, ransomware operators, and initial access brokers.

Though Microsoft deems CVE-2026-45659 less likely to be exploited, and there are currently no public details about it or a PoC exploit for it, organizations with on-prem SharePoint servers “should still treat this as a material update,” and implement it sooner rather than later.

The vulnerability has been fixed in:

  • SharePoint Server Subscription Edition, build number 16.0.19725.20280
  • SharePoint Server 2019, build number 16.0.10417.20128
  • SharePoint Enterprise Server 2016, build number 16.0.5552.1002.
