Microsoft patches SharePoint Server RCE flaw that lets authenticated attackers run code remotely
7 min. read 
Published on
Microsoft has released fixes for a remote code execution vulnerability in on-premises SharePoint Server that could let an authenticated attacker run code over the network. The flaw is tracked as CVE-2026-45659 and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
The official Microsoft Security Update Guide lists the issue as a SharePoint remote code execution vulnerability caused by deserialization of untrusted data. Microsoft rates the bug as Important, while the CVSS score places it in the high-severity range.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk comes from the low barrier to exploitation after authentication. An attacker does not need administrator rights, and no user interaction is required after the attacker reaches the vulnerable SharePoint Server.
What CVE-2026-45659 allows
CVE-2026-45659 is tied to unsafe deserialization in Microsoft Office SharePoint. In simple terms, SharePoint may process attacker-controlled serialized data in a way that allows code execution on the server.
The NVD vulnerability entry describes the flaw as deserialization of untrusted data that allows an authorized attacker to execute code over a network. NVD lists the weakness as CWE-502, which covers deserialization of untrusted data.
Because SharePoint servers often store sensitive documents, internal collaboration data, workflows, and business records, successful exploitation can create serious confidentiality, integrity, and availability risks.
| Item | Details |
|---|---|
| CVE | CVE-2026-45659 |
| Product | Microsoft SharePoint Server |
| Vulnerability type | Remote code execution |
| Weakness | Deserialization of untrusted data |
| Required access | Authenticated attacker with low privileges |
| User interaction | None |
| CVSS score | 8.8 |
Affected SharePoint Server versions
The vulnerability affects supported on-premises SharePoint Server releases. Microsoft’s updates cover SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
For SharePoint Server Subscription Edition, Microsoft published KB5002863. That update is listed as build 16.0.19725.20280.
For SharePoint Server 2019, Microsoft published KB5002870. For SharePoint Enterprise Server 2016, Microsoft published KB5002868.
| Product | Update | Build number |
|---|---|---|
| SharePoint Server Subscription Edition | KB5002863 | 16.0.19725.20280 |
| SharePoint Server 2019 | KB5002870 | 16.0.10417.20128 |
| SharePoint Enterprise Server 2016 | KB5002868 | 16.0.5552.1002 |
Why this flaw needs quick patching
Microsoft’s advisory says exploitation is less likely at this stage, but organizations should not treat that as a reason to delay patching. SharePoint Server is a common enterprise target because it often sits close to sensitive documents, user accounts, and internal workflows.
The attack complexity is low, and the attack vector is network-based. The attacker still needs authentication, but low-privileged access may be enough to reach the vulnerable code path.
The Centre for Cybersecurity Belgium advisory also urges organizations to patch quickly, warning that a malicious authenticated user could send crafted data to compromise a vulnerable SharePoint system.
- Attackers do not need administrator privileges.
- The flaw can be triggered over the network.
- No user interaction is required.
- SharePoint servers often expose sensitive internal data.
- Internet-facing SharePoint deployments carry higher exposure.
What administrators should do first
Administrators should inventory all SharePoint Server farms and confirm which versions are running. They should also identify any internet-facing SharePoint instances, partner portals, or externally accessible collaboration sites.
Microsoft maintains a central SharePoint updates page that lists supported SharePoint Server updates and build numbers. Admins can use it to confirm whether their farms have reached the expected patched build.
Patch order matters in SharePoint environments. Teams should test updates where possible, follow Microsoft’s farm update guidance, and run the SharePoint Products Configuration Wizard after installing binaries when required.
- Identify every on-premises SharePoint Server farm.
- Confirm whether the farm runs Subscription Edition, 2019, or 2016.
- Install the correct security update for that version.
- Complete post-update SharePoint configuration steps.
- Verify the farm build number after patching.
- Review logs for unusual activity before and after the update.
Reduce exposure while patching
Organizations that cannot patch immediately should reduce exposure until updates are complete. That can include restricting external access, limiting site membership, tightening firewall rules, and monitoring SharePoint logs for unusual requests.
The official Microsoft Security Update Guide remains the primary source for the CVE status, affected products, exploitability assessment, and update availability.
Security teams should also review whether too many users have Site Member permissions. The sample attack scenario requires authentication, so reducing unnecessary access can lower the number of accounts that could trigger the flaw.
| Mitigation area | Recommended action |
|---|---|
| Access control | Review Site Member permissions and remove unnecessary users |
| Network exposure | Restrict internet-facing SharePoint access where possible |
| Monitoring | Watch for unusual SharePoint requests, process activity, and authentication patterns |
| Web protection | Use WAF controls where available to flag suspicious serialized payloads |
| Patch validation | Confirm the build number after installing updates |
Patch details by version
SharePoint Server Subscription Edition administrators should apply KB5002863 and confirm the farm reaches build 16.0.19725.20280. This version is the active SharePoint Server branch Microsoft continues to position for long-term use.
SharePoint Server 2019 administrators should apply KB5002870 and confirm build 16.0.10417.20128. Organizations still running 2019 should also review their migration plans because legacy SharePoint deployments remain frequent security targets.
SharePoint Enterprise Server 2016 administrators should apply KB5002868 and confirm build 16.0.5552.1002. Older SharePoint farms often carry extra operational risk because they may have customizations, delayed maintenance windows, and broader permission sprawl.
What to monitor after patching
Patching closes the known vulnerability, but administrators should still check for suspicious activity. This matters most for SharePoint servers that were internet-facing before the update or used by many external users.
The NVD vulnerability entry lists the full CVSS vector as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That means a successful attack can affect confidentiality, integrity, and availability at a high level.
Admins should review SharePoint Unified Logging Service logs, IIS logs, Windows Event Logs, and endpoint security alerts for unusual patterns. Unexpected child processes spawned by SharePoint worker processes should receive special attention.
- Unusual authenticated requests to SharePoint application pages.
- Unexpected errors tied to serialized data handling.
- New or unknown files in SharePoint web directories.
- Suspicious child processes from IIS or SharePoint processes.
- New administrative users or permission changes.
- Abnormal access from low-privileged accounts.
Why SharePoint Server remains a high-value target
SharePoint Server often holds business-critical files, contracts, HR documents, legal records, intranet content, and internal workflows. Attackers who gain code execution on a SharePoint server may get a valuable foothold inside the enterprise.
On-premises SharePoint environments can also lag behind cloud services in patch speed. Custom solutions, complex farms, and change-control windows can slow updates, giving attackers more time once a vulnerability becomes public.
The Centre for Cybersecurity Belgium advisory says exploitation could compromise the targeted system and affect confidentiality, integrity, and availability. That matches the risk profile administrators should plan around.
Bottom line
CVE-2026-45659 is not listed as a Critical flaw by Microsoft, but it still deserves urgent attention. It is a high-impact SharePoint Server RCE vulnerability with low attack complexity, network reachability, and no user interaction requirement.
Organizations running on-premises SharePoint should install the correct update, verify the build number, review low-privileged site membership, and monitor for signs of suspicious activity.
Microsoft’s SharePoint updates page can help administrators confirm current builds and download the right update path for supported SharePoint Server versions.
FAQ
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server. It stems from deserialization of untrusted data and can allow an authenticated attacker to execute code over a network.
Microsoft rates CVE-2026-45659 as Important. It has a CVSS score of 8.8, which places it in the high-severity range, and organizations should still patch it quickly.
The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The issue affects on-premises SharePoint Server deployments.
No. The attack requires authentication, but Microsoft notes that administrator or elevated privileges are not required. A low-privileged authenticated user can be enough.
Admins should install the correct Microsoft security update, verify the SharePoint farm build number, review Site Member permissions, restrict unnecessary external access, and monitor logs for suspicious activity.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages