Full Report
AL26-015 - Critical vulnerability impacting Microsoft SharePoint Server – CVE-2026-45659
Analysis Summary
# Vulnerability: Critical RCE in Microsoft SharePoint Server via Deserialization
## CVE Details
- **CVE ID:** CVE-2026-45659
- **CVSS Score:** Critical (Specific numerical score not provided in text, but categorized as "Critical")
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- Microsoft SharePoint Enterprise Server 2016 (Versions before 16.0.5552.1002)
- Microsoft SharePoint Server 2019 (Versions before 16.0.10417.20128)
- Microsoft SharePoint Server Subscription Edition (Versions before 16.0.19725.20280)
- **Configurations:** Impacts on-premises instances, with heightened risk for internet-facing deployments.
## Vulnerability Description
CVE-2026-45659 is a Deserialization of Untrusted Data flaw (CWE-502). The vulnerability occurs when the application processes maliciously crafted data without sufficient validation. An attacker can leverage this flaw to trigger the execution of arbitrary code within the context of the SharePoint Server.
## Exploitation
- **Status:** **Exploited in the wild.** Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026.
- **Complexity:** Low (Implicitly low as it is accessible to low-privileged attackers).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Remote Code Execution allowed).
- **Integrity:** High.
- **Availability:** High.
## Remediation
### Patches
Update to the following fixed versions immediately:
- **SharePoint Enterprise Server 2016:** 16.0.5552.1002
- **SharePoint Server 2019:** 16.0.10417.20128
- **Sharepoint Server Subscription Edition:** 16.0.19725.20280
### Workarounds
- **Migration:** SharePoint Server 2016 and 2019 reach **End of Life on July 14, 2026**. Transitioning to a supported version (Subscription Edition or SharePoint Online) is the primary long-term mitigation.
- **Network Isolation:** Isolate web-facing applications and restrict access to SharePoint instances where possible.
- **System Hardening:** Harden operating systems and applications according to vendor best practices.
## Detection
- **Indicators of Compromise:** Active exploitation has been reported; organizations should monitor for unusual service account activity or unexpected child processes (e.g., cmd.exe or powershell.exe) spawning from SharePoint processes.
- **Methods:** Audit on-premises SharePoint logs for deserialization errors or unauthorized access attempts from low-privileged accounts.
## References
- Microsoft Advisory: hxxps://msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45659
- Canadian Centre for Cyber Security Alert: hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/al26-015-critical-vulnerability-impacting-microsoft-sharepoint-server-cve-2026-45659
- CISA KEV Catalog: hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45659
- NVD Entry: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-45659