SharePoint Server RCE Vulnerability Enables Attacks
Microsoft has disclosed a critical security vulnerability in SharePoint Server. This flaw could allow authenticated attackers to remotely execute arbitrary code across multiple versions of the...
Microsoft has disclosed a critical security vulnerability in SharePoint Server. This flaw could allow authenticated attackers to remotely execute arbitrary code across multiple versions of the platform.
Tracked as CVE-2026-45659 and released on May 21, 2026, the flaw poses a significant risk to organizations running on-premises SharePoint deployments.
The vulnerability stems from the deserialization of untrusted data within Microsoft Office SharePoint. When exploited, it enables a network-based attacker to remotely execute code on the affected server.
Microsoft rated the flaw as Important severity, with exploitation currently assessed as “Exploitation Less Likely” — though the low complexity of the attack makes it a notable threat worth immediate attention.
What makes this flaw particularly concerning is its low barrier to exploitation. Any authenticated user with a minimum of Site Member-level permissions can trigger the vulnerability; no administrative or elevated privileges are required.
The attack vector is network-based (AV:N) with low attack complexity (AC:L), meaning an attacker needs no specialized prior knowledge of the target system and can achieve repeatable, reliable exploitation from the internet.
Affected Versions and Patches
Microsoft has released security updates for all affected SharePoint Server versions. Organizations should prioritize patching immediately.
| Product | KB Article | Build Number |
|---|---|---|
| SharePoint Server Subscription Edition | KB 5002863 | 16.0.19725.20280 |
| SharePoint Server 2019 | KB 5002870 | 16.0.10417.20128 |
| SharePoint Enterprise Server 2016 | KB 5002868 | 16.0.5552.1002 |
Mitigations
Security teams should take the following steps immediately:
- Apply the May 21, 2026, security updates for all affected SharePoint versions via the Microsoft Update Catalog or direct download
- Audit site membership permissions and restrict Site Member access to trusted users only
- Monitor SharePoint Server logs for unusual deserialization activity or unexpected code execution attempts
- Isolate internet-facing SharePoint instances until patches are confirmed as applied
- Consider enabling Web Application Firewall (WAF) rules to detect and block malicious deserialization payloads
Although Microsoft currently confirms the vulnerability has not been publicly disclosed or actively exploited, the low complexity and network-accessible attack surface make it a prime candidate for future exploitation once proof-of-concept code circulates.
Organizations relying on SharePoint for internal collaboration, document management, or external portals face elevated exposure if patches are delayed. Security teams are strongly encouraged to treat this as a priority patching event within their next maintenance window.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.