Deserialization Vulnerability in Microsoft Office SharePoint
CVE-2026-45659

8.8 HIGH

Badges

🔥 Trending now | 📈 Trended | 📈 Score: 2,920 | 💰 Ransomware | 👾 Exploit Exists | 🟡 Public PoC | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2026-45659?

CVE-2026-45659 is a high-severity (CVSS 8.8) vulnerability affecting Microsoft Office SharePoint, a platform widely used for collaboration, document management, and storing business data. The vulnerability arises from the deserialization of untrusted data, which allows an authorized attacker to execute arbitrary code over a network. If exploited, it can enable attackers to manipulate the application environment and gain unauthorized control over sensitive data and system resources. The risk is heightened by SharePoint's integral role in organizational workflows and its common deployment in enterprise settings, which make it a significant target.

Potential impact of CVE-2026-45659

  1. Unauthorized Code Execution: The most direct consequence of this vulnerability is that an attacker holding only a low-privileged SharePoint account can execute code on the server that the account was never authorized to run. This could lead to the takeover of affected systems, creating opportunities to further compromise organizational networks.

  2. Data Breach Risks: With the exploitation of this vulnerability, attackers could gain access to sensitive information stored within SharePoint. This exposure could result in severe data breaches, jeopardizing confidential business data and potentially leading to regulatory penalties.

  3. Disruption of Business Operations: Successful exploitation may lead to significant operational disruptions. An attacker could manipulate SharePoint’s functionality or deploy ransomware, affecting user access and collaboration, ultimately impacting productivity and business continuity.

CISA has reported CVE-2026-45659

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-45659 as being exploited, but CISA does not currently know it to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Affected Version(s)

Microsoft SharePoint Enterprise Server 2016 (x64-based systems): 16.0.0 up to, but not including, 16.0.5552.1002

Microsoft SharePoint Server 2019 (x64-based systems): 16.0.0 up to, but not including, 16.0.10417.20128

Microsoft SharePoint Server Subscription Edition (x64-based systems): 16.0.0 up to, but not including, 16.0.19725.20280

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Microsoft said exploitation was 'less likely' ... but CISA just added SharePoint RCE to KEV list

Attackers need little more than a valid SharePoint account to execute code on vulnerable on-prem servers

8 hours ago

CISA: Microsoft SharePoint RCE flaw now actively exploited

CISA warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability patched in May.

12 hours ago

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

CISA added CVE-2026-45659 SharePoint Server RCE to KEV following confirmed exploitation, requiring U.S. agencies to patch by July 4, 2026.

17 hours ago

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🦅 CISA Reported

  • 💰 Used in Ransomware

  • 📈 Vulnerability started trending

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by It Security News

  • Vulnerability published

  • Vulnerability Reserved