Microsoft SharePoint Remote Code Execution (CVE‑2026‑45659) – Critical RCE Across Server Versions
What It Is — Microsoft disclosed a remote code execution (RCE) flaw in SharePoint Server (all supported on‑prem versions). The vulnerability stems from insecure deserialization of untrusted data, allowing an attacker to execute arbitrary code on the SharePoint host without any special prerequisites.
Exploitability — The flaw is actively exploitable; proof‑of‑concept code has been publicly released. CVSS v3.1 base score 8.8 (High). No known weaponized ransomware or data‑theft campaigns yet, but the low barrier to exploitation makes rapid weaponization likely.
Affected Products — Microsoft SharePoint Server 2013, 2016, 2019, and SharePoint Subscription Edition (on‑prem). Cloud‑based SharePoint Online is not directly affected but may inherit risk through hybrid deployments.
TPRM Impact — Organizations that rely on SharePoint for document collaboration, intranet portals, or workflow automation could see a supply‑chain breach if a third‑party vendor’s SharePoint instance is compromised. An attacker could pivot to downstream services, exfiltrate proprietary data, or embed ransomware.
Recommended Actions —
- Deploy Microsoft’s May 2026 security updates for all SharePoint servers immediately.
- Verify that patch deployment succeeded via SCCM/WSUS reporting.
- Conduct a rapid inventory of all on‑prem SharePoint instances, including legacy deployments still in use.
- Review network segmentation; restrict inbound traffic to SharePoint web front ends to trusted subnets only.
- Initiate a threat‑hunt for anomalous PowerShell or DLL loading activity on SharePoint servers.
Source: The Hacker News