
MICROSOFT has released a patch for a deserialization vulnerability in SharePoint Server tracked as CVE-2026-45659. The flaw permits an authenticated attacker to execute arbitrary code remotely by sending specially crafted data to the server. Administrators using affected versions should treat this as a priority.
The vulnerability carries a CVSS v3.1 score of 8.8, rating it HIGH. It stems from improper handling of untrusted data during the deserialization process, which can lead to remote code execution when malicious payloads are processed. Successful exploitation does not require elevated privileges beyond a legitimate SharePoint account.
CISA has added CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue, confirming that the flaw is being exploited in the wild. No public ransomware campaigns have been linked to the issue at this time. The catalogue entry can be reviewed here.
Although no exploit code has been publicly disclosed, historical trends show SharePoint servers are frequent targets for attackers seeking footholds inside enterprise networks. Microsoft has issued an out-of-band update addressing the flaw, details of which are available in the vendor’s update guide here.
Defenders should immediately apply the latest security update for their SharePoint farm via Windows Server Update Services or the Microsoft Update Catalog. After patching, verify the version number matches the patched release and review SharePoint IIS logs for unexpected deserialization requests or failed authentication attempts.
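The log review step above, as an added example that is not from the original article or from Microsoft: a small parser for IIS W3C logs that counts 401 responses per client address and flags only clients that keep failing without ever succeeding, since a single 401 per request is the normal Windows-authentication challenge. The log excerpt is constructed for illustration; field order follows the default IIS logging fields.

```python
"""Flag failed-authentication bursts in SharePoint IIS W3C logs (added example)."""
from collections import defaultdict

# Constructed sample excerpt, not real traffic. Field order follows the
# default IIS W3C logging fields; 10.0.1.20 shows a normal NTLM handshake
# (one 401 challenge, then 200), while 198.51.100.7 fails repeatedly.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-03-01 09:00:01 10.0.0.5 GET /sites/team/default.aspx - 443 - 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 3
2026-03-01 09:00:01 10.0.0.5 GET /sites/team/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2026-03-01 09:00:05 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 198.51.100.7 python-requests/2.31 - 401 1 1326 9
2026-03-01 09:00:06 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 198.51.100.7 python-requests/2.31 - 401 1 1326 8
2026-03-01 09:00:07 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 198.51.100.7 python-requests/2.31 - 401 1 1326 8
2026-03-01 09:00:08 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 198.51.100.7 python-requests/2.31 - 401 1 1326 7
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header repeats after IIS restarts
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def failed_auth_by_client(entries):
    """Per client IP: number of 401s and whether any request ever succeeded."""
    stats = defaultdict(lambda: {"401": 0, "ok": False})
    for e in entries:
        s = stats[e["c-ip"]]
        if e["sc-status"] == "401":
            s["401"] += 1
        elif e["sc-status"][0] in "23":
            s["ok"] = True
    return dict(stats)

def flag_clients(stats, threshold=3):
    """Clients with repeated 401s and no success: one 401 per request is the
    normal Windows-auth challenge, so only sustained failure is suspicious."""
    return sorted(ip for ip, s in stats.items()
                  if s["401"] >= threshold and not s["ok"])

def review_log(text, threshold=3):
    stats = failed_auth_by_client(parse_w3c(text))
    return {"stats": stats, "flagged": flag_clients(stats, threshold)}
```

Run it over the farm's `u_ex*.log` files and compare the flagged addresses against the patch date; the threshold is a starting point and should be tuned to the farm's normal traffic.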
Additionally, consider restricting SharePoint exposure to trusted network segments, enforcing multi-factor authentication for all privileged accounts, and monitoring for anomalous object serialization activity using endpoint detection tools. Regularly reviewing Microsoft’s security advisories will help ensure future deserialization issues are caught early.