CVE-2026-45659: Microsoft patches a major RCE Vulnerability in SharePoint

27 May 2026

Microsoft SharePoint has been the center for enterprise collaboration and integrates with Active Directory, Microsoft 365, OneDrive, Power Platform, and internal document repositories.

 

Therefore, attackers keep looking for flaws and opportunities to compromise SharePoint to gain a foothold for lateral movement, steal data, deploy ransomware, and maintain their persistence.

 

Through this blog, we will dissect CVE-2026-45659 from a security lens, understanding how exploitation happens and what enterprises need to do to defend.

What is CVE-2026-45659?

CVE-2026-45659 is a remote code execution vulnerability affecting Microsoft SharePoint deployments. This vulnerability in particular is dangerous because it is a deserialization-related flaw that allows attacker-controlled data to be seen as executable objects or instructions by applications.

 

Due to the sensitive nature of the Microsoft SharePoint environments, deserialization bugs can quickly escalate from low-level access to complete compromise of servers.

Why is the SharePoint vulnerability dangerous?

Enterprises rely on SharePoint because it acts as a central document repository, collaboration platform, workflow automation hub, internal knowledge base, and a gateway to sensitive business information. Therefore, compromising SharepPoint can therefore exploiting it can give attackers access to:

 

  • Confidential documents
  • User session tokens
  • Credentials and service accounts

 

It can offer internal network visibility and offer pivoting opportunities into Active Directory environments.

 

In the past, attackers have aggressively weaponized the flaws in SharePoint to carry out massive attacks, especially when there were internet-facing deployments, slow patching processes, and exposed legacy SharePoint infrastructures.

 

This vulnerability is being highly exploited by ransomware operators and advanced threat groups.

 

A common misconception with authenticated flaws is that they require attackers to have significant access, but in reality, low-level credentials can be easily obtained through phishing, credential stuffing, infostealer malware, VPN compromise, insider threats, or third-party access.

 

If SharePoint permissions are broad or service accounts have privileged access, then even minimal access can allow attackers to orchestrate big attacks. This is why this vulnerability has put many enterprises at a major risk.

 

The following are some of the high-impact scenarios that may occur post-exploitation of the vulnerability:

 

  • Ransomware deployment
  • Data theft and extortion
  • Credential dumping
  • Kerberos abuse
  • Lateral movement
  • Backdoor creation
  • Deployment of web shells
  • Domain escalation
  • Malicious service modification

How does an attack using the flaw unfold?

Step 1 – Initial access -Gain access

Attackers gain access by obtaining:

 

  • Stolen credentials
  • VPN Access
  • Low privilege credentials
  • Compromised user and contractor accounts (using phishing)

 

Step 2 – Deliver malicious payload

  • Attacker deploys a specially crafted payload to a vulnerable SharePoint component that causes:
  • The application to see attacker-controlled data as executable
  • Malicious code to be executed

 

Step 3 – Remote code execution

A successful exploitation may allow attackers to

 

  • Execute PowerShell commands
  • Deploy web shells
  • Establish mechanisms for persistence
  • Download additional malware

 

Step 4 – Post exploitation

Once inside the server, the attacker may:

  • Steal sensitive documents
  • Harvest credentials
  • Move laterally across the network
  • Access connected MS services
  • Deploy ransomware

SharkStriker’s recommendations: What should organizations do?

 

Here are some of the actions that organizations should take:

 

  • Apply Microsoft’s security updates addressing CVE-2026-45659 immediately.
  • Verify all the SharePoint servers are updated with the latest May 2026 security patches.
  • Restrict internet exposure through actions like limiting public access, enforcing VPN restrictions, and segmenting SharePoint infrastructure.
  • Restrict SharePoint administrative and privileged access to authorized users only.
  • Hardening service accounts by reducing privileges, rotating credentials, and enforcing least privilege.
  • Improve monitoring by deploying EDR/XDR solutions, PowerShell logging, IIS monitoring, and SIEM correlation rules.
  • Hunt for webshells, suspicious scheduled tasks, unknown services, and unauthorized file modifications.
  • Conduct compromise assessments on internet-facing SharePoint deployments.

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE