Full Report
Attackers need little more than a valid SharePoint account to execute code on vulnerable on-prem servers
Analysis Summary
# Vulnerability: Microsoft SharePoint Server Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2026-45659
- **CVSS Score:** 8.8 (High)
- **CWE:** Insecure Deserialization
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
- **Configurations:** On-premises installations.
## Vulnerability Description
The vulnerability is caused by an insecure deserialization flaw within Microsoft SharePoint Server. Insecure deserialization occurs when untrusted data is used to inflict a "denial of service" or, as in this case, execute arbitrary code. An authenticated attacker can exploit this by sending a specially crafted request to a vulnerable server.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV Catalog).
- **Complexity:** Low.
- **Attack Vector:** Network.
- **Required Privileges:** Low (Authenticated; requires minimum Site Member permissions).
## Impact
- **Confidentiality:** High (Full system compromise/data theft).
- **Integrity:** High (Arbitrary code execution).
- **Availability:** High (Potential for system takeover or disruption).
## Remediation
### Patches
- Microsoft released official patches for this vulnerability in May 2026. Admins should ensure their on-premises SharePoint builds are updated to the latest cumulative update (CU) provided in that cycle.
### Workarounds
- No specific workarounds were provided in the text. CISA mandates that if patches cannot be applied (specifically for federal agencies by the July 4 deadline), the use of the affected system must be discontinued.
## Detection
- **Indicators of Compromise:** Look for unusual process creation originating from the SharePoint application pool (e.g., `w3wp.exe` spawning `cmd.exe` or `powershell.exe`).
- **Detection methods and tools:**
- Review SharePoint ULS logs for deserialization errors.
- Monitor network traffic for unusual POST requests to SharePoint endpoints from accounts with standard "Site Member" permissions.
- Utilize CISA’s Known Exploited Vulnerabilities (KEV) catalog for tracking.
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45659
- **Microsoft Security Advisory:** hxxps[://]msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659