Microsoft Fixes SharePoint RCE Vulnerability Affecting On-Prem Servers

Microsoft warns that a SharePoint flaw could let low-privilege attackers execute code and compromise servers.


Key Takeaways:

  • The high-severity Microsoft SharePoint Server flaw could enable remote code execution with minimal user privileges.
  • SharePoint’s role as a central collaboration platform makes successful attacks especially damaging for enterprises.
  • Microsoft has released patches, but delayed updates could leave organizations exposed to cyberattacks.

Microsoft has released security updates to fix a high-severity remote code execution vulnerability in Microsoft SharePoint Server that could allow attackers to compromise vulnerable servers. This flaw could be exploited by attackers with only minimal access privileges, potentially enabling malicious code execution without requiring administrator rights.

CVE-2026-45659 is a remote code execution (RCE) vulnerability that affects Microsoft SharePoint Server. It results from the platform improperly handling untrusted data during the deserialization process, which can allow attackers to execute malicious code on the server. Due to its high severity rating (CVSS score of 8.8), this flaw is considered a significant security risk with the potential to seriously impact affected systems.

How does the SharePoint RCE vulnerability work?

To exploit this vulnerability, an attacker must first be authenticated, but only minimal access (such as site member privileges) is required. Once inside, the attack can be carried out over the network with little effort and without user interaction. If successful, it can allow the attacker to run malicious code, access or alter sensitive information, and potentially gain full control of the affected SharePoint server.

“In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions [Privileges Required: Low], could execute code remotely on the SharePoint Server,” Microsoft explained. “The attack complexity is low because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.”

This remote code execution (RCE) vulnerability was discovered by a security researcher called MEOW. It affects on-premises SharePoint versions, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

Microsoft has released security updates to address this issue across all affected versions of SharePoint Server. The company has warned that a successful exploit could affect the confidentiality, availability, and integrity of the system.

Why does SharePoint remain a prime target for attackers?

At the time the vulnerability was disclosed, there was no evidence of active attacks or publicly available exploit code, and Microsoft assessed that it was less likely to be exploited, though the risk was not eliminated. However, security experts emphasize that SharePoint remains a highly attractive target due to the sensitive data it often holds, and similar vulnerabilities in the past have been rapidly turned into real-world attacks.

SharePoint servers often serve as central platforms for storing documents, managing workflows, and enabling collaboration, so a security breach can have far‑reaching consequences across an organization. Moreover, even attackers with limited access rights can take advantage of this vulnerability to elevate their privileges and potentially move deeper into the network.

How can organizations reduce the risk of exploitation?

Organizations should act quickly to reduce the risk from this vulnerability by applying Microsoft’s security updates as soon as possible. It’s also important to keep SharePoint servers fully updated, especially those exposed to the internet, to help close the security gap before attackers can take advantage of it.

Additionally, companies should strengthen their overall security posture by limiting user permissions to only what is necessary, regularly reviewing access rights, and monitoring system logs for unusual activity. It’s highly recommended to implement extra protections (such as network segmentation, web application firewalls, and security monitoring), which can also help detect or block suspicious behavior and reduce the chances of a successful attack.
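
Because the advisory sets the bar at Site Member permissions, an access review can start by listing every account that already meets it. The script below is an added example, not code from Microsoft or from this article; it assumes the SharePoint Management Shell on a farm server under a farm administrator account, and the output path is a hypothetical value.

```powershell
# Added example (not Microsoft's code): list who holds Site Member access.
# Assumes the SharePoint Management Shell on a farm server, run as a farm admin.
if (-not (Get-Command Get-SPSite -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

$OutFile = Join-Path $env:TEMP 'sp-site-member-review.csv'  # hypothetical output path
# Claims-encoded logins that stand for "everyone who can sign in".
$BroadLogins = @('c:0(.s|true', 'c:0!.s|windows', 'NT AUTHORITY\authenticated users')
$report = New-Object 'System.Collections.Generic.List[object]'

foreach ($site in (Get-SPSite -Limit All)) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Subsites that inherit permissions only repeat the parent's members.
                if (-not $web.IsRootWeb -and -not $web.HasUniqueRoleAssignments) { continue }
                $group = $web.AssociatedMemberGroup
                if ($null -eq $group) { continue }  # no default Members group is set
                foreach ($user in $group.Users) {
                    $report.Add([pscustomobject]@{
                        WebUrl         = $web.Url
                        MembersGroup   = $group.Name
                        LoginName      = $user.LoginName
                        DisplayName    = $user.Name
                        IsDomainGroup  = $user.IsDomainGroup
                        BroadPrincipal = ($BroadLogins -contains $user.LoginName)
                    })
                }
            }
            finally { $web.Dispose() }   # release each SPWeb opened by AllWebs
        }
    }
    finally { $site.Dispose() }          # release the SPSite from Get-SPSite
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
# Review first: Members groups that contain a whole-directory principal.
$report | Where-Object { $_.BroadPrincipal } | Format-Table WebUrl, LoginName -AutoSize
"{0} member entries across {1} webs written to {2}" -f $report.Count,
    @($report | Select-Object -ExpandProperty WebUrl -Unique).Count, $OutFile
```

The script covers only each site's default Members group; custom groups or direct grants with equivalent permission levels need a separate pass over the role assignments.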