thehackernews.com web signal

Microsoft patches low-privilege SharePoint RCE flaw

microsoft cybersecurity

Key insights

  • CVE-2026-45659 affects three SharePoint Server versions but not SharePoint Online or Microsoft 365, limiting scope to on-premises deployments.
  • The flaw requires only authenticated site membership to exploit, meaning any employee with SharePoint access is a potential attack vector.
  • Unsafe deserialization underpins the vulnerability, a class that has historically been weaponized within weeks of the public disclosure that accompanies a patch.

Why this matters

On-premises SharePoint hosts sensitive enterprise data for thousands of large organizations that have not migrated to the cloud, and a CVSS 8.8 flaw with no elevated-privilege requirement means a single phished employee account can become a full server compromise. Deserialization-class vulnerabilities in Microsoft products, including Exchange and SharePoint, have been repeatedly weaponized by ransomware operators and nation-state groups within 30-90 days of disclosure, giving defenders a tight window. Security teams managing hybrid estates where cloud and on-prem SharePoint coexist need to verify patching coverage across all three affected versions before automated scanners surface the flaw for opportunistic actors.

Summary

Microsoft patched CVE-2026-45659, a CVSS 8.8 RCE flaw in SharePoint Server that any authenticated site member can trigger with no admin rights and no user interaction required. The vulnerability stems from unsafe deserialization of untrusted data. Deserialization flaws have a consistent track record of rapid weaponization after disclosure, compressing the effective patch window for defenders. Essentially, Microsoft and enterprise on-prem teams are in a short race to patch before working exploits surface publicly.

  • Affects SharePoint Server Subscription Edition, 2019, and 2016. SharePoint Online and Microsoft 365 are not impacted.
  • CVSS 8.8, network-accessible, no elevated privileges required, no confirmed active exploitation at release.
  • Any standard employee account is a potential vector for full server code execution. On-premises SharePoint is a recurring ransomware and espionage target, and a low-privilege RCE of this type typically shows up in breach reports within months of disclosure.

Potential risks and opportunities

Risks

  • Organizations running SharePoint Server 2016 without active Software Assurance contracts may lack automated patch delivery, leaving legacy deployments exposed for months after the fix is available.
  • Ransomware groups including Play and Black Basta successors could add CVE-2026-45659 to initial-access playbooks within 30-60 days if a public PoC emerges.
  • Enterprises with externally accessible SharePoint portals face elevated risk from outside attackers who can register as site members without needing prior internal network access.

Opportunities

  • Vulnerability management platforms including Tenable, Qualys, and Rapid7 can accelerate enterprise sales by demonstrating detection and prioritization of CVE-2026-45659 across hybrid SharePoint deployments.
  • Microsoft-focused managed security providers including Optiv and Presidio have a clear upsell moment for patch verification and SharePoint hardening assessments in the next 30-60 days.
  • Microsoft's cloud migration arguments gain a concrete data point: SharePoint Online inherently avoids this class of on-premises RCE, strengthening Azure migration ROI discussions with security-conscious buyers.

What we don't know yet

  • Whether SharePoint Server 2016 deployments, which exited mainstream support in 2020 and require manual update procedures, will receive automated patch delivery under current Microsoft support tiers.
  • No threat-actor scanning activity or indicators of compromise were published alongside the CVE, leaving defenders without early-warning telemetry for assessing active adversary interest.
  • The timeline to public proof-of-concept exploit code is unknown; comparable SharePoint deserialization flaws such as CVE-2019-0604 saw working PoCs within days of patch release.