SharePoint RCE CVE-2026-45659 patched — CVSS 8.8

Microsoft patches CVE-2026-45659 in SharePoint Server — RCE via untrusted data deserialization, CVSS 8.8, no special attack conditions required.


What happened

Microsoft released a patch in May 2026 for CVE-2026-45659, an RCE (remote code execution — attacker runs arbitrary code on the target server) vulnerability affecting Microsoft SharePoint Server across multiple versions.

Root cause: *deserialization of untrusted data* — the process where an application converts serialized data (binary or XML objects) back into in-memory structures. If that data is malicious, the application executes arbitrary code without knowing it. Classic, persistent attack vector in the .NET ecosystem.

CVSS (standard severity score, 0–10): 8.8. Microsoft rates it "Important" — one tier below Critical, typically meaning authenticated but low-privilege exploitation. No special conditions required. No user interaction. A standard SharePoint user account is enough to trigger the exploit.

Why it matters

SharePoint is not just a document store. In enterprise environments it integrates with Active Directory (AD — centralized Windows identity management), drives critical business workflows, and holds sensitive HR, legal, and finance documentation.

A full SharePoint server compromise means:

  • Exfiltrating confidential internal documents across the entire organization
  • Accessing credentials and tokens in memory via tools like *Mimikatz (a tool that extracts passwords and hashes directly from Windows memory)*
  • Using the server as a pivot point for lateral movement across the internal network

APT groups (state-sponsored hacker groups) have been targeting SharePoint for years. CVE-2019-0604, another SharePoint RCE via the same deserialization vector, was actively exploited by APT33 and others. CVE-2026-45659 replicates the same technical pattern and will generate the same level of threat-actor interest.

No confirmed in-the-wild exploitation yet — but on-premises SharePoint instances are systematically scanned by threat actors.

What to do

If you run SharePoint Server on-premises:

  • Patch immediately — available via Windows Update and the Microsoft Update Catalog
  • Confirm affected versions: SharePoint Server 2016, 2019, and Subscription Edition are the standard target range
  • Review IIS logs and SharePoint ULS logs for unusual requests carrying serialized payloads
  • If you can't patch right now, restrict SharePoint web interface access from untrusted networks via firewall rules or WAF
  • Set SIEM alerts (SIEM — centralized log management and threat detection system) for deserialization patterns and repeated HTTP 500 errors on SharePoint endpoints

For SOC (security operations center — team that monitors and responds to security incidents) teams: hunt for child processes spawned from `w3wp.exe` (the IIS worker process) — the canonical IOC (technical indicator that reveals an active attack) for deserialization RCE in SharePoint.
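
One way to run the `w3wp.exe` child-process hunt described above, as an added example that is not from the original article: it filters process-creation events shaped like Sysmon Event ID 1 records. The field names follow Sysmon; the host names, sample events and the compiler baseline (`EXPECTED`, `FRAMEWORK_DIR`) are constructed assumptions to tune for your own farm.

```python
from pathlib import PureWindowsPath

# Assumption: compilers w3wp.exe starts during normal ASP.NET dynamic
# compilation, trusted only when run from the .NET Framework directory.
EXPECTED = {"csc.exe", "vbc.exe"}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\"

def exe_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return PureWindowsPath(path or "").name.lower()

def is_expected_child(image):
    """Baseline match needs both the file name and the install location."""
    return (exe_name(image) in EXPECTED
            and (image or "").lower().startswith(FRAMEWORK_DIR))

def hunt_w3wp_children(events):
    """Return process-creation events (EventID 1) whose parent is w3wp.exe
    and whose image is outside the expected baseline."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if exe_name(ev.get("ParentImage")) != "w3wp.exe":
            continue
        if is_expected_child(ev.get("Image")):
            continue
        hits.append((ev.get("Computer"), ev.get("Image"), ev.get("CommandLine")))
    return hits

# Constructed sample events (not real telemetry).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig @tmp.cmdline"},
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP.upper(),
     "Image": r"C:\Users\Public\csc.exe", "CommandLine": "csc.exe"},
    {"EventID": 1, "Computer": "WS-0231",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Computer": "SP-WFE01", "Image": W3WP},
]

if __name__ == "__main__":
    for host, image, cmdline in hunt_w3wp_children(SAMPLE_EVENTS):
        print(f"{host}: w3wp.exe -> {image} [{cmdline}]")
```

The compiler spawned from the Framework directory is treated as baseline, while the same file name running from another path is still reported, since a name-only allowlist is easy to satisfy.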

.NET deserialization is a structural problem Microsoft keeps patching around rather than fixing at the root. Until serialized object endpoints are refactored, expect more CVEs in this area. Patch fast, and if your SharePoint is internet-facing without a WAF, that's your highest-priority risk right now.
