ScoutGet the App

SharePoint patched for RCE CVE-2026-45659

Published by The Daily Scout

What happened

- Microsoft pushed a security update fixing a SharePoint remote‑code‑execution vulnerability that requires prior authentication to exploit. - The bug is tracked as CVE‑2026‑45659 and was scored at 8.8 under CVSS, marking it high severity for collaboration platforms. - The advisory warns that authenticated RCE on collaboration systems can expose document stores and service accounts, prompting segmentation and service‑account reviews. (helpnetsecurity.com) (thehackernews.com)

Why it matters

1/ Microsoft has patched a high-severity SharePoint server flaw, CVE-2026-45659, that can let an authenticated attacker execute code remotely on vulnerable on-premises systems. Microsoft lists it in the Security Update Guide as a SharePoint remote code execution issue. (msrc.microsoft.com) 2/ The key detail is that this is post-authentication, not unauthenticated. Microsoft’s description, as cited by Help Net Security, says the bug involves deserialization of untrusted data and can be exploited by an attacker who has already authenticated to the server. (helpnetsecurity.com) 3/ That matters because “requires authentication” does not mean low impact. In many real environments, SharePoint is reachable by employees, contractors, federated users, and service accounts. If one of those identities is compromised, the attacker may be able to move from account access to server-side code execution. This is an inference from the vulnerability’s auth requirement and SharePoint’s role in enterprise environments. (helpnetsecurity.com) 4/ Microsoft and downstream coverage rate the flaw as CVSS 8.8, which puts it in high-severity territory. Help Net Security reported Microsoft assessed the attack complexity as low, meaning exploitation does not require unusual conditions once the attacker has valid access. (helpnetsecurity.com) 5/ The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, according to Help Net Security’s summary of Microsoft’s advisory and Microsoft’s support documentation for the May 12, 2026 SharePoint 2019 security update. (helpnetsecurity.com) 6/ The patched build numbers cited by Help Net Security are: - SharePoint Server Subscription Edition: 16.0.19725.20280 - SharePoint Server 2019: 16.0.10417.20128 - SharePoint Enterprise Server 2016: 16.0.5552.1002 (helpnetsecurity.com) 7/ Microsoft’s SharePoint 2019 support page confirms build 16.0.10417.20128 for the May 12, 2026 security update package and says the update resolves a Microsoft SharePoint Server remote code execution vulnerability. (support.microsoft.com) 8/ One practical wrinkle: Microsoft’s SharePoint 2019 update page says customers using SharePoint Workflow Manager must install KB5002799 to the farm before installing the cumulative update. It also says Classic Workflow Manager users need to enable a debug flag to continue using it. That is an implementation detail administrators should check before rollout. (support.microsoft.com) 9/ Why defenders should care: Help Net Security notes SharePoint servers often hold sensitive company data and are frequently accessible from the internet. That makes an authenticated RCE on SharePoint more than just a server bug; it can become an entry point into document repositories, workflows, and connected services. (helpnetsecurity.com) 10/ There is also a prioritization point here. Help Net Security said Microsoft viewed CVE-2026-45659 as less likely to be exploited and that there were no public details or proof-of-concept exploit at the time of publication. Even so, the same report said organizations with on-premises SharePoint should treat it as a material update. (helpnetsecurity.com) 11/ In plain terms, the risk question is not only “can this be exploited?” but “what can the SharePoint server reach if it is exploited?” On many networks, that includes file stores, internal web apps, search infrastructure, and privileged service accounts. That is an inference based on typical SharePoint deployment patterns, not a direct Microsoft quote. (helpnetsecurity.com) 12/ Immediate checks for defenders: - patch supported SharePoint servers to the fixed builds, - review who can authenticate to those servers, - audit service-account privileges tied to SharePoint, - check segmentation between SharePoint and backend systems, - monitor for unusual code execution or admin activity after patching. Those steps follow from the affected products, auth requirement, and SharePoint’s role as a collaboration platform. (helpnetsecurity.com) 13/ The broader lesson is familiar: internal collaboration systems are still high-value attack surfaces. A flaw that starts with a valid login can still end with full server execution, especially when the application sits close to sensitive documents and business workflows. (helpnetsecurity.com) 14/ For teams running on-prem SharePoint, the next concrete step is to verify the installed version against Microsoft’s May 2026 security updates and confirm any workflow dependencies before deployment. Microsoft says the updates are available through Microsoft Update, the Update Catalog, and the Download Center. (support.microsoft.com)

Key numbers

  • The bug is tracked as CVE‑2026‑45659 and was scored at 8.8 under CVSS, marking it high severity for collaboration platforms.
  • (helpnetsecurity.com) (thehackernews.com) 1/ Microsoft has patched a high-severity SharePoint server flaw, CVE-2026-45659, that can let an authenticated attacker execute code remotely on vulnerable on-premises systems.
  • (msrc.microsoft.com) 2/ The key detail is that this is post-authentication, not unauthenticated.
  • (helpnetsecurity.com) 3/ That matters because “requires authentication” does not mean low impact.

What happens next

  • If one of those identities is compromised, the attacker may be able to move from account access to server-side code execution.
  • (helpnetsecurity.com) 14/ For teams running on-prem SharePoint, the next concrete step is to verify the installed version against Microsoft’s May 2026 security updates and confirm any workflow dependencies before deployment.

Sources

Quick answers

What happened in SharePoint patched for RCE CVE-2026-45659?

Microsoft pushed a security update fixing a SharePoint remote‑code‑execution vulnerability that requires prior authentication to exploit. The bug is tracked as CVE‑2026‑45659 and was scored at 8.8 under CVSS, marking it high severity for collaboration platforms. The advisory warns that authenticated RCE on collaboration systems can expose document stores and service accounts, prompting segmentation and service‑account reviews. (helpnetsecurity.com) (thehackernews.com)

Why does SharePoint patched for RCE CVE-2026-45659 matter?

1/ Microsoft has patched a high-severity SharePoint server flaw, CVE-2026-45659, that can let an authenticated attacker execute code remotely on vulnerable on-premises systems. Microsoft lists it in the Security Update Guide as a SharePoint remote code execution issue. (msrc.microsoft.com) 2/ The key detail is that this is post-authentication, not unauthenticated. Microsoft’s description, as cited by Help Net Security, says the bug involves deserialization of untrusted data and can be exploited by an attacker who has already authenticated to the server. (helpnetsecurity.com) 3/ That matters because “requires authentication” does not mean low impact. In many real environments, SharePoint is reachable by employees, contractors, federated users, and service accounts. If one of those identities is compromised, the attacker may be able to move from account access to server-side code execution. This is an inference from the vulnerability’s auth requirement and SharePoint’s role in enterprise environments. (helpnetsecurity.com) 4/ Microsoft and downstream coverage rate the flaw as CVSS 8.8, which puts it in high-severity territory. Help Net Security reported Microsoft assessed the attack complexity as low, meaning exploitation does not require unusual conditions once the attacker has valid access. (helpnetsecurity.com) 5/ The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, according to Help Net Security’s summary of Microsoft’s advisory and Microsoft’s support documentation for the May 12, 2026 SharePoint 2019 security update. (helpnetsecurity.com) 6/ The patched build numbers cited by Help Net Security are: SharePoint Server Subscription Edition: 16.0.19725.20280 SharePoint Server 2019: 16.0.10417.20128 SharePoint Enterprise Server 2016: 16.0.5552.1002 (helpnetsecurity.com) 7/ Microsoft’s SharePoint 2019 support page confirms build 16.0.10417.20128 for the May 12, 2026 security update package and says the update resolves a Microsoft SharePoint Server remote code execution vulnerability. (support.microsoft.com) 8/ One practical wrinkle: Microsoft’s SharePoint 2019 update page says customers using SharePoint Workflow Manager must install KB5002799 to the farm before installing the cumulative update. It also says Classic Workflow Manager users need to enable a debug flag to continue using it. That is an implementation detail administrators should check before rollout. (support.microsoft.com) 9/ Why defenders should care: Help Net Security notes SharePoint servers often hold sensitive company data and are frequently accessible from the internet. That makes an authenticated RCE on SharePoint more than just a server bug; it can become an entry point into document repositories, workflows, and connected services. (helpnetsecurity.com) 10/ There is also a prioritization point here. Help Net Security said Microsoft viewed CVE-2026-45659 as less likely to be exploited and that there were no public details or proof-of-concept exploit at the time of publication. Even so, the same report said organizations with on-premises SharePoint should treat it as a material update. (helpnetsecurity.com) 11/ In plain terms, the risk question is not only “can this be exploited?” but “what can the SharePoint server reach if it is exploited?” On many networks, that includes file stores, internal web apps, search infrastructure, and privileged service accounts. That is an inference based on typical SharePoint deployment patterns, not a direct Microsoft quote. (helpnetsecurity.com) 12/ Immediate checks for defenders: patch supported SharePoint servers to the fixed builds, review who can authenticate to those servers, audit service-account privileges tied to SharePoint, check segmentation between SharePoint and backend systems, monitor for unusual code execution or admin activity after patching. Those steps follow from the affected products, auth requirement, and SharePoint’s role as a collaboration platform. (helpnetsecurity.com) 13/ The broader lesson is familiar: internal collaboration systems are still high-value attack surfaces. A flaw that starts with a valid login can still end with full server execution, especially when the application sits close to sensitive documents and business workflows. (helpnetsecurity.com) 14/ For teams running on-prem SharePoint, the next concrete step is to verify the installed version against Microsoft’s May 2026 security updates and confirm any workflow dependencies before deployment. Microsoft says the updates are available through Microsoft Update, the Update Catalog, and the Download Center. (support.microsoft.com)

Get your own daily briefing

Scout delivers personalized news, insights, and conversations tailored to your role and industry.

Download on the App Store

Published by The Daily Scout - Be the smartest in the room.