BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
SharePoint RCE CVE-2026-45659 patched — CVSS 8.8
Back to homeCVE

SharePoint RCE CVE-2026-45659 patched — CVSS 8.8

Microsoft patches CVE-2026-45659 in SharePoint Server — RCE via untrusted data deserialization, CVSS 8.8, no special attack conditions required.

  1. Home
  2. ›
  3. CVE
  4. ›
  5. SharePoint RCE CVE-2026-45659 patched — CVSS 8.8
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

Microsoft released a patch in May 2026 for CVE-2026-45659, an RCE (remote code execution — attacker runs arbitrary code on the target server) vulnerability affecting Microsoft SharePoint Server across multiple versions.

Root cause: *deserialization of untrusted data* — the process where an application converts serialized data (binary or XML objects) back into in-memory structures. If that data is malicious, the application executes arbitrary code without knowing it. Classic, persistent attack vector in the .NET ecosystem.

CVSS (standard severity score, 0–10): 8.8. Microsoft rates it "Important" — one tier below Critical, typically meaning authenticated but low-privilege exploitation. No special conditions required. No user interaction. A standard SharePoint user account is enough to trigger the exploit.

Why it matters

SharePoint is not just a document store. In enterprise environments it integrates with Active Directory (AD — centralized Windows identity management), drives critical business workflows, and holds sensitive HR, legal, and finance documentation.

A full SharePoint server compromise means: - Exfiltrating confidential internal documents across the entire organization - Accessing credentials and tokens in memory via tools like *Mimikatz (a tool that extracts passwords and hashes directly from Windows memory)* - Using the server as a pivot point for lateral movement across the internal network

APT (state-sponsored hacker groups) have been targeting SharePoint for years. CVE-2019-0604, another SharePoint RCE via the same deserialization vector, was actively exploited by APT33 and others. CVE-2026-45659 replicates the same technical pattern and will generate the same level of threat-actor interest.

No confirmed in-the-wild exploitation yet — but on-premises SharePoint instances are systematically scanned by threat actors.

What to do

If you run SharePoint Server on-premises:

  • Patch immediately — available via Windows Update and the Microsoft Update Catalog
  • Confirm affected versions: SharePoint Server 2016, 2019, and Subscription Edition are the standard target range
  • Review IIS logs and SharePoint ULS logs for unusual requests carrying serialized payloads
  • If you can't patch right now, restrict SharePoint web interface access from untrusted networks via firewall rules or WAF
  • Set SIEM alerts (SIEM — centralized log management and threat detection system) for deserialization patterns and repeated HTTP 500 errors on SharePoint endpoints

For SOC (security operations center — team that monitors and responds to security incidents) teams: hunt for child processes spawned from `w3wp.exe` (the IIS worker process) — the canonical IOC (technical indicator that reveals an active attack) for deserialization RCE in SharePoint.

.NET deserialization is a structural problem Microsoft keeps patching around rather than fixing at the root. Until serialized object endpoints are refactored, expect more CVEs in this area. Patch fast, and if your SharePoint is internet-facing without a WAF, that's your highest-priority risk right now.

What to do

  • Apply the CVE-2026-45659 SharePoint Server patch immediately.
  • Alert on child processes spawned from `w3wp.exe` in IIS logs.
  • Block untrusted network access to SharePoint until fully patched.

Share this story

Help more people discover BBLabs News.

SharePoint RCE CVE-2026-45659 patched — CVSS 8.8
VerticalDownload image
LinkedInXWhatsApp

Interested in CVE?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
CVE1 jun 2026·2 min

Microsoft removes GitHub account over public zero-day drops

Microsoft removes GitHub account of researcher who publicly dropped zero-days without coordinated disclosure, then publicly endorses CVD.

  • Document timestamps and vendor responses before publishing any zero-day.
  • Use neutral platforms for disclosure if the vendor ignores your 90-day window.
  • Review GitHub's Acceptable Use Policy before publishing Microsoft vuln research.
Gorka El Bochi Morillo
Leer artículo
CVE31 may 2026·2 min

Emergency SharePoint patch: update now

Microsoft issued an out-of-band SharePoint patch, signaling active exploitation or critical severity outside the normal Patch Tuesday cycle.

Leer artículo
CVE26 may 2026·2 min

CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE

Public PoC released for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation flaw discovered by Zellic and V12.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi