Microsoft has released an out-of-band security update to address a remote code execution vulnerability in SharePoint Server. Tracked as CVE-2026-45659, the issue received a CVSS severity rating of 8.8. While Microsoft notes that unauthorized parties are currently less likely to leverage this specific flaw, the decision to issue a patch outside the standard monthly update cycle indicates the need for prompt evaluation and remediation by security teams.
Vulnerability mechanics and impact
CVE-2026-45659 centers on the insecure deserialization of untrusted data in Microsoft Office SharePoint. Deserialization vulnerabilities occur when an application processes malformed or unverified data, which can allow an authenticated user to remotely run code on the host server.
According to Microsoft, an unauthorized party requires only minimum Site Member permissions to interact with this flaw. The process involves low complexity, requires no user interaction, and could significantly impact system confidentiality, integrity, and availability. The vulnerability was discovered and reported by a security researcher known as MEOW.
Assessing the environment risk
Currently, there is no public proof-of-concept validation code, nor is there evidence of this vulnerability being used in unauthorized activity. However, SharePoint’s role in document management and enterprise collaboration makes it a sensitive system containing intellectual property, employee records, and project data. Because these systems frequently integrate with Active Directory, Teams, and Outlook, unauthorized access to SharePoint can help lateral movement across a network.
Historically, threat actors have focused heavily on on-premises SharePoint environments. Groups such as Linen Typhoon, Violet Typhoon, and ransomware operators like Storm-2603 have previously leveraged SharePoint vulnerabilities to access sensitive data and initiate extortion campaigns. In July 2025, a zero-day vulnerability chain known as ToolShell affected multiple organizations, including government agencies, universities, corporations, and the US Nuclear Weapons Agency.
Recommended actions
Maintaining the security posture of on-premises servers requires consistent patching and monitoring. Internet-facing servers with legacy integrations, excessive permissions, or outdated software present elevated risks.
We recommend security teams apply the CVE-2026-45659 patch immediately. Additionally, organizations can strengthen their defense by verifying that the Antimalware Scan Interface (AMSI) and related endpoint protection tools are active and correctly configured on all on-premises SharePoint servers.
(Note: The historical context and initial reporting for this vulnerability were detailed by Jai Vijayan, a technology journalist with over 25 years of experience covering cybersecurity, critical infrastructure protection, and enterprise technologies.)