Which SharePoint versions are affected by CVE-2026-45659?

The affected versions include SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

How can organizations mitigate the risk associated with CVE-2026-45659?

Organizations should promptly apply the security patches released by Microsoft to address CVE-2026-45659 and protect their SharePoint servers from potential exploitation.

Microsoft Releases Critical Patch for SharePoint RCE Vulnerability CVE-2026-45659

Microsoft has issued patches for a severe remote code execution vulnerability in SharePoint Server, urging organizations to update their systems immediately to prevent potential attacks.

Published: May 26, 2026

Share this on:

Executive Summary

In May 2026, Microsoft addressed a critical remote code execution vulnerability, CVE-2026-45659, in SharePoint Server versions 2016, 2019, and Subscription Edition. This flaw arises from the deserialization of untrusted data, allowing authenticated attackers with minimal permissions to execute arbitrary code remotely without user interaction. The vulnerability has a CVSS score of 8.8, indicating high severity. (thehackernews.com)

The prompt release of patches underscores the importance of timely updates, especially given SharePoint's role in storing sensitive corporate data. Organizations are urged to apply these updates promptly to mitigate potential exploitation risks. (helpnetsecurity.com)

Why This Matters Now

The exploitation of deserialization vulnerabilities like CVE-2026-45659 is on the rise, posing significant risks to organizations. Immediate patching is crucial to prevent potential breaches and maintain data integrity.

Attack Path Analysis

An authenticated attacker exploited a deserialization vulnerability in SharePoint (CVE-2026-45659) to execute arbitrary code remotely. This allowed the attacker to escalate privileges within the SharePoint environment, move laterally to other systems, establish command and control channels, exfiltrate sensitive data, and potentially disrupt services.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

An authenticated attacker exploited a deserialization vulnerability in SharePoint (CVE-2026-45659) to execute arbitrary code remotely.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-45659
CVSS 8.8
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Affected Products:
Microsoft SharePoint Server Subscription Edition – All versions prior to the latest update
Microsoft SharePoint Server 2019 – All versions prior to the latest update
Microsoft SharePoint Enterprise Server 2016 – All versions prior to the latest update
Exploit Status:
no public exploit
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659 https://nvd.nist.gov/vuln/detail/CVE-2026-45659

MITRE ATT&CK® Techniques

Initial Access

T1210

Exploitation of Remote Services

Execution

T1203

Exploitation for Client Execution

Defense Evasion

T1078

Valid Accounts

Initial Access

T1133

External Remote Services

Initial Access

T1190

Exploit Public-Facing Application

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

The exploitation of CVE-2026-45659 indicates a failure to apply critical security patches in a timely manner, exposing systems to known vulnerabilities.

NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments

Control ID: 500.05

The incident suggests inadequate vulnerability assessments and penetration testing, as the deserialization flaw was not identified and mitigated proactively.

DORA – ICT Risk Management Framework

Control ID: Article 6

The breach highlights deficiencies in the ICT risk management framework, particularly in identifying and mitigating risks associated with software vulnerabilities.

CISA ZTMM 2.0 – Data Security

Control ID: Pillar 3: Data

The exploitation of the vulnerability underscores the need for robust data security measures to prevent unauthorized access and potential data breaches.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in implementing appropriate cybersecurity risk management measures to protect network and information systems from known threats.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

SharePoint RCE vulnerability CVE-2026-45659 threatens financial institutions using Microsoft collaboration platforms, enabling unauthorized access to sensitive customer data and regulatory compliance violations.

Health Care / Life Sciences

Critical SharePoint deserialization flaw exposes healthcare organizations to remote code execution attacks, potentially compromising patient records and violating HIPAA compliance requirements.

Government Administration

Government agencies face significant risk from SharePoint RCE vulnerability, with potential for unauthorized access to classified information and disruption of critical administrative operations.

Higher Education/Acadamia

Educational institutions heavily reliant on SharePoint for collaboration face exposure to remote code execution attacks, threatening student data privacy and research integrity.

Sources

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versionshttps://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html
Verified

Microsoft Security Update Guide - CVE-2026-45659https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659

Verified

NVD - CVE-2026-45659https://nvd.nist.gov/vuln/detail/CVE-2026-45659

Verified

Frequently Asked Questions

CVE-2026-45659 is a critical remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code remotely.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt services within the SharePoint environment.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the deserialization vulnerability may have been constrained, reducing the likelihood of successful remote code execution.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges within the SharePoint environment would likely have been constrained, reducing the scope of unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement to other systems within the network would likely have been constrained, reducing the potential spread of the attack.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's establishment of command and control channels would likely have been constrained, reducing the ability to maintain persistent access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's exfiltration of sensitive data would likely have been constrained, reducing the amount of data that could be extracted.

Impact (Mitigations)

The attacker's ability to disrupt services by modifying or deleting critical data would likely have been constrained, reducing the potential impact on service availability.

Impact at a Glance

Affected Business Functions

Document Management
Collaboration Tools
Intranet Services

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of sensitive corporate documents and internal communications.

Recommended Actions

• Implement Zero Trust Segmentation to limit lateral movement within the network.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
• Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities.
• Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Regularly update and patch systems to mitigate known vulnerabilities like CVE-2026-45659.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Microsoft Releases Critical Patch for SharePoint RCE Vulnerability CVE-2026-45659

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-45659

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploitation of Remote Services

Exploitation for Client Execution

Valid Accounts

External Remote Services

Exploit Public-Facing Application

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data Security

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Higher Education/Acadamia

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads