InSEKurity of the Week (CW27/2026): Microsoft SharePoint Server Deserialization RCE (CVE-2026-45659)
A deserialization flaw in Microsoft SharePoint Server lets an authenticated low-privilege user run code on the server -- now added to the CISA KEV catalog under confirmed active exploitation
This week in our InSEKurity of the Week series: a deserialization of untrusted data vulnerability in Microsoft SharePoint Server that lets an authenticated attacker holding nothing more than Site Member permissions — the standard contributor role handed out to ordinary collaborators — execute arbitrary code on the SharePoint server over the network. Microsoft quietly patched CVE-2026-45659 in its May 2026 security updates and initially rated it “Exploitation Less Likely.” That assessment did not survive contact with reality: at the start of July, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog with a three-day remediation deadline for federal agencies, citing evidence of active exploitation. SharePoint is one of the most widely deployed collaboration platforms in the enterprise, and it sits in the same painful lineage as the 2025 “ToolShell” campaigns that ransomware crews used to ransack on-prem farms. If you run on-premises SharePoint, this one belongs at the top of your queue.
🚨 Summary
- CVE ID: CVE-2026-45659
- CVSS 3.1 Score: 8.8 (High)
- CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - CWE: CWE-502 (Deserialization of Untrusted Data)
- Affected Software: Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 (on-premises)
- Attack Vector: Network (remote) — crafted request to a SharePoint server code path that deserializes attacker-controlled data
- Authentication Required: Yes — any authenticated user with minimum Site Member permissions (PR:L)
- User Interaction: None
- Impact: Remote code execution in the context of the SharePoint web application — confidentiality, integrity, and availability fully compromised
- Patch Status: ✅ Available (Microsoft, May 2026 security updates)
- Published: May 22, 2026 (NVD / MSRC)
- Exploitation Status: Active exploitation confirmed by CISA at the start of July 2026 (Microsoft’s original assessment was “Exploitation Less Likely”)
- CISA KEV: ✅ Listed — added July 1, 2026, federal remediation deadline July 4, 2026 (BOD 26-04)
🖥️ What is Microsoft SharePoint Server?
Microsoft SharePoint Server is Microsoft’s on-premises platform for document management, intranet portals, team collaboration, and business-process automation. Organizations use it to host internal sites, share and co-author documents, run workflows, and expose line-of-business data through web parts and custom applications. It is built on ASP.NET and Internet Information Services (IIS), and it stores its content and configuration in SQL Server. SharePoint remains deeply embedded in enterprise and government environments — often holding an organization’s most sensitive internal documents — and many of those farms are still run on-premises rather than moved to SharePoint Online.
Because SharePoint is a large, extensible ASP.NET application that accepts and processes complex user-supplied objects (list data, web-part configuration, workflow state, view definitions), it has a broad attack surface for object-injection and deserialization bugs. The .NET framework historically shipped serializers — BinaryFormatter, LosFormatter/ObjectStateFormatter (ViewState), SoapFormatter, and DataContractSerializer used unsafely — that reconstruct arbitrary object graphs from a byte stream. When such a serializer is pointed at untrusted input, a well-chosen “gadget chain” can turn deserialization into command execution. SharePoint has repeatedly been on the wrong end of this class of bug, and CVE-2026-45659 is the latest example.
Typical Use Cases
- Intranet and collaboration portals: internal sites, team spaces, and document libraries for day-to-day collaboration.
- Document management: versioned storage, co-authoring, and records management for sensitive corporate documents.
- Business process automation: workflows, forms, and approval flows built on SharePoint lists and libraries.
- Line-of-business applications: custom web parts and app pages that surface enterprise data to employees.
- Extranet / partner access: externally reachable sites shared with vendors, contractors, and partners.
Because a real-world SharePoint farm routinely has hundreds or thousands of authenticated users — employees, contractors, and sometimes external collaborators — the “authenticated, Site Member” precondition is far lower than it sounds. Any one of those accounts, or any credential an attacker phishes or reuses, is enough to reach the vulnerable code path.
🔍 Technical Analysis
Vulnerability Description
CVE-2026-45659 is a deserialization of untrusted data (CWE-502) vulnerability in Microsoft SharePoint Server. According to Microsoft and the NVD, an authenticated attacker can send crafted input to an affected SharePoint code path that deserializes untrusted data, causing the server to reconstruct attacker-controlled objects and ultimately execute code over the network in the context of the SharePoint web application.
The critical properties are captured in the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:
- Network reachable (AV:N) and no user interaction (UI:N): the attacker acts directly against the server; no victim needs to click anything.
- Low attack complexity (AC:L): Microsoft’s own advisory language notes that an attacker “does not require significant prior knowledge of the system and can achieve repeatable success” against the vulnerable component — i.e. a working payload is reliable, not a one-in-a-thousand race.
- Low privileges required (PR:L): only Site Member permissions are needed. That is the standard contributor role, not an administrator, so the bar is “any normal user account on the farm.”
Microsoft initially assessed this as “Exploitation Less Likely” and the CVE was even reported to have been inadvertently omitted from the first cut of the May 2026 update notes before being documented. The KEV listing at the start of July flipped that risk picture entirely.
Root Cause Analysis
- Unsafe deserialization of untrusted data (CWE-502): an affected SharePoint code path passes attacker-influenced input into a .NET deserializer that reconstructs arbitrary object types rather than a narrow, expected schema.
- Object-injection into a gadget chain: because the deserializer instantiates attacker-chosen types and invokes their callbacks (constructors,
OnDeserialization, property setters,TypeConverters), a crafted object graph can drive the runtime toward command or code execution — the classic .NET “gadget chain” pattern. - Execution in a privileged web context: the SharePoint worker process (
w3wp.exe) runs the application pool identity with broad access to content databases and the server; code execution there means full compromise of the SharePoint application and its data. - Low authorization gate: the vulnerable operation is reachable by any authenticated principal with Site Member rights, so the deserialization sink is exposed to essentially the entire user population of a farm.
- Shared component across supported on-prem builds: the same server code ships across Subscription Edition, 2019, and 2016, so every supported on-premises release is in scope until patched.
The precise vulnerable endpoint and the exact gadget chain for CVE-2026-45659 are not publicly documented at the time of writing, and responsible public analysis stops short of naming a specific payload. What is established is the vulnerability class (CWE-502), the privilege precondition (Site Member), and the impact (RCE) — which is more than enough to prioritize patching.
Attack Vector
At a conceptual level, exploitation of a SharePoint deserialization RCE follows this pattern. The snippet below is illustrative only — it does not contain a working CVE-2026-45659 exploit and will not trigger the bug; it shows the shape of the attack so defenders understand what to hunt for.
# Step 1: Obtain any authenticated SharePoint account with Site Member
# rights. In real intrusions this comes from phishing, password reuse,
# a prior foothold, or an over-shared external/guest account.
# -> The precondition is "a normal user", not "an administrator".
# Step 2: Authenticate to the SharePoint web front end and establish a
# session (form-based, NTLM, or Kerberos depending on farm config).
curl -s -c cookies.txt \
--ntlm -u 'CONTOSO\\jdoe:Password123!' \
'https://sharepoint.example.com/_layouts/15/start.aspx'
# Step 3: Deliver a crafted request to the affected code path so that
# SharePoint deserializes an attacker-controlled object graph. A real
# exploit carries a .NET gadget-chain payload (the kind ysoserial.net
# generates) in the field that reaches the vulnerable deserializer.
# -> Illustrative placeholder only; NOT a functional payload.
curl -s -b cookies.txt \
-X POST 'https://sharepoint.example.com/<affected-endpoint>' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data '__CRAFTED_SERIALIZED_OBJECT=<gadget-chain-here>'
# Step 4: On success, the SharePoint worker process (w3wp.exe) executes
# the attacker's code as the application-pool identity. Attackers
# typically drop a web shell into the LAYOUTS/ISAPI web root or spawn a
# command interpreter for hands-on-keyboard activity.
A simplified protocol-level view of the attack:
Attacker (authenticated Site Member) Victim (on-prem SharePoint Server / IIS)
| |
| authenticate to web front end (NTLM/Kerberos/forms) |
|------------------------------------------------------->| valid low-priv session
| |
| crafted request to affected code path, |
| carrying a serialized .NET object graph |
|------------------------------------------------------->| SharePoint deserializes
| | untrusted data (CWE-502)
| | -> gadget chain fires
| | -> code runs in w3wp.exe
| |
|<-- web shell / command output / C2 beacon ------------<| RCE as app-pool identity
v v
Exploitation in the Wild
- May 2026 — Microsoft ships the fix in its May 2026 security updates and rates the flaw “Exploitation Less Likely.” Reporting notes the CVE was initially omitted from the first cut of the update guide before being documented.
- Late June 2026 — Security researchers and press track CVE-2026-45659 alongside the broader wave of SharePoint deserialization issues, warning that authenticated RCE bugs in on-prem SharePoint are prime targets given the 2025 ToolShell precedent.
- July 1, 2026 (CW27) — CISA adds CVE-2026-45659 to the Known Exploited Vulnerabilities catalog, citing evidence of active exploitation, and sets a federal remediation deadline of July 4, 2026 under BOD 26-04.
- Early July 2026 — Multiple vendors (The Hacker News, SecurityWeek, Help Net Security) amplify the KEV listing. CISA did not publish attacker attribution or IoCs; the group Storm-2603, known for weaponizing SharePoint flaws for ransomware since 2025, is the kind of actor this access enables, though no public source directly ties it to this specific CVE.
Post-Exploitation Impact
- Code execution on the SharePoint server: the attacker runs commands as the application-pool identity inside
w3wp.exe, gaining hands-on control of the web tier. - Web shell persistence: dropping an
.aspxweb shell into the SharePoint web root (LAYOUTS/ISAPI) is the classic follow-on, giving durable authenticated-independent access — exactly the ToolShell playbook. - Content-database and data theft: the SharePoint identity can read and modify content databases, exfiltrating every document, list, and site the farm hosts.
- Machine key / secret theft: extraction of ASP.NET machine keys and service-account secrets enables forging authentication material and pivoting deeper — and means patching alone does not evict an attacker who already has your keys.
- Lateral movement into the domain: SharePoint farms run under service accounts with rights across SQL Server and often Active Directory, making the server a strong launch point toward domain compromise.
- Ransomware staging: a compromised, business-critical collaboration server is a high-value staging point for encryption and extortion.
⚠️ Impact Assessment
Immediate Impact
- Authenticated RCE, but a very low bar: “Site Member” is a role most employees and many external collaborators already hold; treat it as broadly reachable, not a meaningful barrier.
- Confirmed active exploitation: CISA’s KEV listing means this is being used against real targets right now — not a theoretical risk.
- High-value target: SharePoint stores an organization’s internal documents and often bridges to SQL Server and Active Directory.
- On-prem farms are exposed: SharePoint Online is not affected, but the large installed base of on-prem Subscription Edition / 2019 / 2016 farms is.
- ToolShell muscle memory: attackers already have tooling and tradecraft for compromising on-prem SharePoint from the 2025 campaigns.
Affected Versions
| Platform | Vulnerable | Fixed Build | KB |
|---|---|---|---|
| SharePoint Server Subscription Edition | All pre-May 2026 builds | 16.0.19725.20280 | KB5002863 |
| SharePoint Server 2019 | All pre-May 2026 builds | 16.0.10417.20128 | KB5002870 |
| SharePoint Enterprise Server 2016 | All pre-May 2026 builds | 16.0.5552.1002 | KB5002868 |
| SharePoint Online (Microsoft 365) | Not affected | — | — |
Always cross-reference the authoritative build and KB numbers for your exact product in MSRC CVE-2026-45659 before deploying. SharePoint updates frequently require both the language-independent and language-dependent packages plus the post-install PSConfig/product-configuration step to fully apply.
Affected Environments
- On-premises SharePoint farms: any organization running Subscription Edition, 2019, or 2016 that has not applied the May 2026 (or later) security update.
- Externally reachable SharePoint: extranets and partner portals exposed to the internet are at elevated risk because the “authenticated” precondition can be met by any provisioned external account.
- Large user populations: farms with thousands of contributors, guests, or federated identities dramatically widen who can reach the vulnerable path.
- Government and enterprise intranets: the sectors where on-prem SharePoint remains most entrenched and where the data is most sensitive.
- Managed / hosted SharePoint: shared infrastructure multiplies the blast radius across tenants.
Attacker Profiles
- Ransomware operators: on-prem SharePoint has been a direct route to data theft and encryption throughout 2025-2026 (e.g. Storm-2603-style activity).
- Initial-access brokers: authenticated-to-RCE on a widely deployed enterprise server is exactly the kind of access sold on criminal markets.
- APT / espionage groups: SharePoint’s document trove is a high-value intelligence target for stealthy, long-dwell actors.
- Malicious insiders and low-privilege users: because only Site Member rights are needed, an ordinary employee or contractor account is sufficient.
- Opportunistic operators: once exploit tooling circulates, internet-exposed farms will be swept en masse.
🛡️ Mitigation Strategies
Immediate Actions (Priority 1) ⚡
-
Apply the May 2026 (or later) SharePoint security update to every on-prem farm, then run the product-configuration step:
# Run in the SharePoint Management Shell as a farm administrator. # 1) Install the security update package(s) on every server in the # farm (WFE and app servers), then run PSConfig to finalize. # 2) PSConfig applies schema/config changes so the patch is fully # effective across the farm. Get-SPProduct -Local # inventory installed products / patch level # After installing the KB on each server, finalize with: PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -
Confirm the running build meets or exceeds the fixed version for your edition:
# Report the farm build number and compare against the fixed builds: # Subscription Edition >= 16.0.19725.20280 (KB5002863) # SharePoint 2019 >= 16.0.10417.20128 (KB5002870) # SharePoint 2016 >= 16.0.5552.1002 (KB5002868) (Get-SPFarm).BuildVersion # Cross-check the core assembly version on each server: Get-Item 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll' | Select-Object Name, @{n='FileVersion';e={$_.VersionInfo.FileVersion}} -
Restrict and scrutinize who holds Site Member (and higher) rights, especially external/guest accounts:
# Enumerate members of the default "Members" group across site # collections and prune stale or over-privileged external accounts. Get-SPSite -Limit All | ForEach-Object { $web = $_.RootWeb $grp = $web.AssociatedMemberGroup [PSCustomObject]@{ Site = $_.Url; Group = $grp.Name; Users = ($grp.Users | Select-Object -Expand UserLogin) -join '; ' } $web.Dispose() } -
Reduce internet exposure of on-prem SharePoint until patched — put externally reachable farms behind a VPN, reverse proxy with pre-authentication, or IP allow-listing where feasible.
-
Rotate ASP.NET machine keys and service-account secrets if compromise is suspected. As with ToolShell, patching does not evict an attacker who already extracted your keys:
# Rotate the farm's machine keys after patching if you cannot rule # out prior compromise, then restart IIS across the farm. Update-SPMachineKey -Identity 'https://sharepoint.example.com' iisreset /noforce
Detection Measures 🔍
CISA did not publish CVE-specific IoCs. Hunt for the behavioral signatures of SharePoint web-tier compromise — web-shell drops and the SharePoint worker process spawning command interpreters.
# 1) Hunt for newly created / modified .aspx/.ashx web shells in the
# SharePoint web roots (a classic post-exploitation artifact).
$paths = @(
'C:\inetpub\wwwroot\wss\VirtualDirectories',
'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI'
)
Get-ChildItem $paths -Recurse -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
Select-Object FullName, LastWriteTime
# 2) Review IIS logs for suspicious authenticated POSTs to _layouts /
# ISAPI endpoints around the time of interest.
Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter *.log |
Select-String -Pattern 'POST .*(_layouts|_vti_bin|ISAPI).*aspx' |
Select-Object -Last 200
// 3) Microsoft Defender XDR / Sentinel: the SharePoint worker process
// (w3wp.exe) or OWSTIMER spawning a shell is a strong RCE signal.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("w3wp.exe", "owstimer.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "csc.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
Additional hunting:
- Watch for anomalous outbound connections from SharePoint servers (C2 beaconing, tool download).
- Alert on new scheduled tasks, services, or local accounts created on SharePoint hosts.
- Enable PowerShell Script Block Logging and ASP.NET/IIS Failed Request Tracing on SharePoint servers to capture deserialization-triggered errors and post-exploitation scripting.
- Deploy vendor IDS/IPS signatures for CVE-2026-45659 as they become available.
Long-term Security Improvements
- Patch SLAs for internet-facing app servers: SharePoint front ends deserve a 24-72h critical-CVE SLA, not the default monthly cadence.
- Least privilege on collaboration platforms: routinely prune Site Member and external/guest access; treat “authenticated” as a large, hostile population.
- Isolate and pre-authenticate external SharePoint: never expose an on-prem farm raw to the internet; front it with pre-authentication and segmentation.
- Harden the identity boundary: run SharePoint service accounts with least privilege in SQL Server and AD so a web-tier compromise does not become domain compromise.
- Assume-breach for on-prem SharePoint: given the ToolShell precedent, rehearse machine-key rotation, web-shell hunting, and content-database integrity checks as a standing playbook.
- Plan the migration conversation: for many organizations, moving off unmanaged on-prem SharePoint is the durable way to shrink this recurring attack surface.
🎯 Why is this Critical?
- Confirmed active exploitation: CISA’s KEV listing means CVE-2026-45659 is being used against real targets, not a hypothetical risk.
- A very low privilege bar: only Site Member rights are required — a role most employees and many external guests already hold.
- RCE on a crown-jewel server: SharePoint holds an organization’s internal documents and bridges into SQL Server and Active Directory.
- Huge on-prem installed base: Subscription Edition, 2019, and 2016 farms are ubiquitous across enterprise and government.
- ToolShell lineage: attackers already have proven tradecraft and tooling for compromising on-prem SharePoint, so weaponization is fast.
- Patch-alone is insufficient after compromise: as with the 2025 campaigns, stolen machine keys survive patching and require key rotation and eviction.
- Microsoft under-called it: an “Exploitation Less Likely” rating that turned into a KEV listing is a reminder to prioritize on real-world signal, not vendor probability labels.
🚀 Timeline and Disclosure
- 2026-05-22 — NVD publishes CVE-2026-45659; Microsoft documents the deserialization RCE (initially reported as inadvertently omitted from the first cut of the May 2026 update notes) and rates it “Exploitation Less Likely.”
- May 2026 — Microsoft ships fixed builds for SharePoint Subscription Edition (16.0.19725.20280), 2019 (16.0.10417.20128), and 2016 (16.0.5552.1002).
- Late June 2026 — Security press and researchers track the bug amid ongoing concern about authenticated SharePoint deserialization RCEs following the 2025 ToolShell wave.
- 2026-07-01 (CW27) — CISA adds CVE-2026-45659 to the Known Exploited Vulnerabilities catalog citing evidence of active exploitation, with a July 4, 2026 federal remediation deadline under BOD 26-04.
- Early July 2026 — Vendors amplify the KEV listing; CISA publishes no attacker attribution or IoCs.
🔗 Resources and References
- CVE: CVE-2026-45659
- NVD: NVD — CVE-2026-45659
- MSRC Advisory: Microsoft Security Update Guide — CVE-2026-45659
- CWE: CWE-502: Deserialization of Untrusted Data
- CISA KEV Catalog: Known Exploited Vulnerabilities
💼 SEKurity Supports You
CVE-2026-45659 is a textbook reminder that “authenticated” is not a security boundary when the required privilege is a role your entire workforce already holds. A single deserialization sink turns any Site Member — an employee, a contractor, an over-shared guest — into code execution on a server that stores your most sensitive documents and bridges into SQL Server and Active Directory. We help organizations find these object-injection and deserialization sinks before attackers do, validate that on-prem SharePoint farms are genuinely patched (build number and PSConfig applied, not just “the KB installed”), and stress-test whether a web-tier compromise would be detected before it turned into data theft or ransomware. Our web application and Active Directory penetration testing map exactly the chain this CVE shortcuts: from a normal user account to server code execution to domain-wide impact.
Our Services
- Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
- Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
- Security Awareness: Phishing campaigns, hacking demonstrations
Act now — before attackers do.
Contact:
🌐 Website: www.sekurity.de
📧 Inquiries: www.sekurity.de/kontakt
📱 LinkedIn: SEKurity GmbH
Your SEKurity Team — Your Trusted Adversaries
The security of your collaboration platforms is our drive.
Sources
- CVE-2026-45659 Detail — NVD
- Microsoft SharePoint Server Remote Code Execution Vulnerability — MSRC
- SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation — The Hacker News
- CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability — SecurityWeek
- High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659) — Help Net Security
- CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE (CISA KEV) — Threat-Modeling.com
- CVE-2026-45659, SharePoint RCE That Needs More Than a Patch Ticket — Penligent
- CWE-502: Deserialization of Untrusted Data — MITRE
- Known Exploited Vulnerabilities Catalog — CISA
About the Author
SEKurity Team
Offensive Security Experts
The SEKurity GmbH team consists of experienced penetration testers, security researchers, and cybersecurity consultants. Under the motto 'Your Trusted Adversaries', we support organizations in evaluating their IT security from an attacker's perspective and improving it.
Related Articles
InSEKurity of the Week (CW16/2026): Windows IKE Extensions RCE (CVE-2026-33824)
Critical pre-auth double free in the Windows IKE Service Extensions (IKEEXT.dll) lets remote attackers reach SYSTEM over UDP/500 and UDP/4500 -- wormable, public PoC already online
InSEKurity of the Week (CW17/2026): Windows TCP/IP IPv6 + IPsec RCE (CVE-2026-33827)
Critical pre-auth race condition in the Windows TCP/IP stack lets remote attackers run code over IPv6 against any IPsec-enabled host -- wormable, no credentials, no user interaction
InSEKurity of the Week (CW19/2026): Palo Alto PAN-OS User-ID Portal Unauthenticated Root RCE (CVE-2026-0300)
A buffer overflow in the PAN-OS User-ID Authentication Portal lets a remote, unauthenticated attacker pop a root shell on PA-Series and VM-Series firewalls -- CVSS 9.3, CISA KEV, actively exploited by a likely state-sponsored cluster (CL-STA-1132)