Full Report
Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659, carries a CVSS score of 8.8. It has been assigned an important severity. "Deserialization of untrusted data in Microsoft Office SharePoint allows
Analysis Summary
# Vulnerability: Microsoft SharePoint Remote Code Execution (RCE) via Unsafe Deserialization
## CVE Details
- **CVE ID**: CVE-2026-45659
- **CVSS Score**: 8.8 (Important)
- **CWE**: Deserialization of Untrusted Data (CWE-502)
## Affected Systems
- **Products**: Microsoft SharePoint Server
- **Versions**:
  - SharePoint Server Subscription Edition
  - SharePoint Server 2019
  - SharePoint Enterprise Server 2016
- **Configurations**: The attacker must be authenticated, possessing a minimum of "Site Member" permissions (Privileges Required: Low).
## Vulnerability Description
The flaw exists due to the insecure deserialization of untrusted data within Microsoft Office SharePoint. When the application processes malformed data sent by a user, it fails to sufficiently validate the input before reconstructing the object. A remote, authenticated attacker can exploit this behavior by sending a specially crafted request over the network to execute arbitrary code in the context of the SharePoint Server.
## Exploitation
- **Status**: Not exploited (currently listed as "less likely to be exploited" by Microsoft). No public PoC is mentioned in the article.
- **Complexity**: Low (No specialized conditions or elevated privileges like Administrator are required).
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Full access to data on the server)
- **Integrity**: High (Ability to modify system files and data)
- **Availability**: High (Potential to crash services or delete data)
## Remediation
### Patches
Microsoft has released the following security updates as of May 2026:
- **SharePoint Server Subscription Edition**: KB5002863
- **SharePoint Server 2019**: KB5002870
- **SharePoint Enterprise Server 2016**: KB5002868
### Workarounds
- No specific software workarounds were provided in the article. Standard hardening of SharePoint "Site Member" permissions is recommended to limit the attack surface.
## Detection
- **Indicators of Compromise**: Monitor SharePoint logs for unusual activity originating from accounts with "Site Member" permissions, particularly requests involving serialized objects.
- **Detection methods and tools**: Utilize endpoint detection and response (EDR) tools to monitor for suspicious child processes (e.g., cmd.exe or powershell.exe) spawned by the SharePoint worker process (`w3wp.exe`).
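
The parent/child check described above can be prototyped offline against exported process-creation telemetry. The following is an added example, not code from the vendor advisory or the article. It assumes events shaped like Sysmon process-creation records (Event ID 1); the accounts, times and application pool name in the sample data are constructed, and `find_worker_shell_spawns` is a hypothetical helper name.

```python
import ntpath
import re

WORKER = "w3wp.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # the two children the page names

# Constructed sample events; field names follow Sysmon process-creation (Event ID 1).
# Accounts, times and the app pool name are made up for illustration.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-20 09:12:03", "User": r"EXAMPLE\sp_pool",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"c:\windows\system32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'w3wp.exe -ap "SharePoint - 80" -v "v4.0"'},
    {"UtcTime": "2026-05-20 09:12:09", "User": r"EXAMPLE\sp_pool",
     "Image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Process",
     "ParentImage": r"C:\Windows\System32\inetsrv\W3WP.EXE",
     "ParentCommandLine": r'w3wp.exe -ap "SharePoint - 80" -v "v4.0"'},
    {"UtcTime": "2026-05-20 09:30:41", "User": r"EXAMPLE\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"UtcTime": "2026-05-20 10:02:17", "User": r"EXAMPLE\sp_pool",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig @tmp.cmdline",
     "ParentImage": r"c:\windows\system32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'w3wp.exe -ap "SharePoint - 80" -v "v4.0"'},
]

def image_name(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()

def app_pool(parent_cmdline):
    """Value of the worker's -ap argument (IIS application pool), or None."""
    m = re.search(r'-ap\s+"([^"]+)"', parent_cmdline or "", re.IGNORECASE)
    return m.group(1) if m else None

def find_worker_shell_spawns(events):
    """Return one alert per shell process whose parent is the IIS worker."""
    alerts = []
    for ev in events:
        child = image_name(ev.get("Image"))
        if image_name(ev.get("ParentImage")) != WORKER or child not in SUSPICIOUS_CHILDREN:
            continue
        alerts.append({"time": ev.get("UtcTime"), "user": ev.get("User"), "child": child,
                       "app_pool": app_pool(ev.get("ParentCommandLine")),
                       "command_line": ev.get("CommandLine")})
    return alerts

if __name__ == "__main__":
    for alert in find_worker_shell_spawns(SAMPLE_EVENTS):
        print(alert)
```

Matching on the file name rather than the full path keeps the rule robust to case and drive-letter differences; the `app_pool` field lets an analyst separate SharePoint worker processes from other IIS sites on the same host.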
## References
- **Vendor Advisory**: hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45659
- **Technical Article**: hxxps[://]thehackernews[.]com/2026/05/microsoft-patches-sharepoint-rce-flaw[.]html
- **Support Documentation**:
  - hxxps[://]support[.]microsoft[.]com/en-us/topic/kb5002863
  - hxxps[://]support[.]microsoft[.]com/en-us/topic/kb5002870
  - hxxps[://]support[.]microsoft[.]com/en-us/topic/kb5002868