Microsoft has shipped a patch for CVE-2026-45659, a remote code execution vulnerability in SharePoint Server carrying a CVSS score of 8.8. The flaw requires no specialized exploitation conditions, meaning a network-accessible attacker with basic authentication can leverage it to execute arbitrary code on affected SharePoint installations.
The update was distributed via Windows Update and the Microsoft Security Update Guide and applies to multiple SharePoint Server versions currently in mainstream or extended support.
Vulnerability Details
CVE-2026-45659 has been classified as an important-severity RCE flaw by Microsoft's Security Response Center. The CVSS 8.8 score reflects the high impact on confidentiality, integrity, and availability, alongside the relatively low barrier to exploitation — the attack requires no specialized conditions beyond network access and authenticated access to the SharePoint instance.
Microsoft's advisory notes that exploitation would allow an attacker who successfully exploits the vulnerability to execute code in the context of the SharePoint application pool service account. Depending on the SharePoint farm configuration, this could yield significant access to documents, site collections, user data, and connected services.
No in-the-wild exploitation has been publicly confirmed at the time of patching.
Affected Versions
Microsoft has issued patches for all currently supported SharePoint Server branches. Organizations running SharePoint on-premises should identify their installed version and apply the corresponding cumulative update or security patch through Windows Server Update Services, Microsoft Update, or direct download from the Microsoft Update Catalog.
SharePoint Online (Microsoft 365) deployments are not affected — Microsoft manages patching of the cloud service directly.
Recommended Actions
Organizations running on-premises SharePoint deployments should prioritize this patch given the CVSS 8.8 rating and the absence of exploitation prerequisites beyond authentication. The recommended steps are:
- Identify all on-premises SharePoint Server instances across the environment, including staging and development systems
- Apply the security update from the Microsoft Update Catalog or WSUS as soon as possible
- Verify patch application using Get-SPProduct in SharePoint Management Shell or by checking the build number in Central Administration
- Review SharePoint application pool accounts and ensure they follow the principle of least privilege — limiting blast radius if the vulnerability were exploited before patching
- Monitor SharePoint ULS logs for unusual activity or error patterns that could indicate exploitation attempts
Broader Context
SharePoint Server vulnerabilities remain a persistent target for threat actors, particularly ransomware groups and espionage actors targeting enterprise collaboration infrastructure. The platform stores sensitive documents, project files, and often serves as an integration point for business workflows, making it an attractive target for both data theft and lateral movement.
CISA's Known Exploited Vulnerabilities catalog has historically added SharePoint RCE flaws shortly after patches are released, particularly when exploitation begins. Organizations subject to CISA's Binding Operational Directive 22-01 should treat CVE-2026-45659 as a priority remediation item.
Source: The Hacker News