SharePoint RCE exploited in the wild (CVE-2026-45659) [PoC]
CVE-2026-45659
CVE-2026-45659: Microsoft Office SharePoint high-severity deserialization RCE, actively exploited (CVSS 8.8). Apply the latest Microsoft security patch immediately.
Actively exploited in the wild - CVE-2026-45659 is a high-severity deserialization vulnerability in Microsoft Office SharePoint that lets an authenticated attacker execute arbitrary code over the network. Patches are available through Microsoft’s update channels - apply them immediately.
Overview
CVE-2026-45659 is a deserialization vulnerability in Microsoft Office SharePoint that has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The flaw allows an authenticated attacker with low privileges to send specially crafted network requests to the SharePoint server, triggering the deserialization of untrusted data. Successful exploitation results in remote code execution (RCE) on the affected SharePoint server.
The vulnerability carries a CVSS score of 8.8 (HIGH): network attack vector, low attack complexity, low privileges required and no user interaction, with high impact on confidentiality, integrity and availability (that combination, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, is what produces 8.8 under CVSS 3.x). In practice the attacker needs network reach to the SharePoint instance plus any valid low-privileged account; no action by a victim user is required. Because a phished or otherwise stolen account of an ordinary site user is enough, this is a serious threat in the enterprise environments where SharePoint is widely deployed.
Affected Systems
Microsoft SharePoint Server installations on builds older than the fixed build named in Microsoft's advisory are affected; the fix ships per product version as a cumulative update, so map each farm to its exact version and build. Determine the farm build number (Central Administration shows it under System Settings > Manage servers in this farm) and compare it against the fixed build before treating a server as safe. Prioritize internet-facing and extranet farms, since any compromised or external low-privileged account can reach them.
Remediation and Mitigation
- Apply the vendor patch: Microsoft has released security updates for this vulnerability. Install the latest cumulative update for your SharePoint Server version through Windows Update or the Microsoft Update Catalog, then run the SharePoint Products Configuration Wizard (psconfig) on every server in the farm so the update is fully applied, and confirm the new build number afterwards.
- Review access controls: Since the attack requires only low privileges, every account that can authenticate to SharePoint is a potential attack path. Restrict user permissions to the minimum necessary and remove stale, guest and external accounts that no longer need access.
- Monitor for exploitation: Inclusion in the CISA KEV catalog is the evidence of active exploitation; the EPSS score (2.8% probability of exploitation activity in the next 30 days) is a separate, model-based estimate and does not by itself show targeting. Deserialization payloads are not visible as such in IIS logs, so watch for the post-exploitation signs of server-side code execution instead: keep IIS and SharePoint ULS logging enabled, retain process-creation events (Windows Security 4688 or Sysmon Event ID 1), and alert when the IIS worker process (w3wp.exe) spawns cmd.exe, powershell.exe or other unexpected children, or when new .aspx files appear under the web root or LAYOUTS folders.
- Apply workarounds if patching is delayed: Restrict network access to SharePoint servers from untrusted zones as a temporary mitigation. This reduces exposure but does not remove the flaw; any user who can still reach the server and authenticate can exploit it.
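The monitoring step above, as an added example that is not part of the advisory and not Microsoft tooling: a small Python triage script run over constructed IIS W3C log lines and constructed process-creation events from the same SharePoint host. It does not know the exploit request format, so it keys only on the post-exploitation signal (w3wp.exe spawning a child that ASP.NET itself would not start) and then lists the authenticated requests that arrived shortly before each spawn so the account and source address can be scoped. The host, account names, IP addresses, the `/_layouts/15/placeholder.aspx` path, the application pool identity and the allowlist of benign w3wp.exe children are assumptions.

```python
"""Triage helper for suspected SharePoint server-side code execution.

Added example, not code from the advisory or from Microsoft. Flags children of
the IIS worker process w3wp.exe and lists authenticated requests seen shortly
before each spawn so the account and source IP can be scoped.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed IIS log: host, users, IPs and the placeholder .aspx path are invented.
# IIS writes spaces inside a field as '+', so whitespace splitting is safe.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-04-14 09:50:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.8.21 Mozilla/5.0 200 120
2026-04-14 10:01:40 10.0.0.5 GET /_layouts/15/placeholder.aspx - 443 - 203.0.113.9 curl/8.0 401 15
2026-04-14 10:01:44 10.0.0.5 POST /_layouts/15/placeholder.aspx - 443 CORP\\bob 198.51.100.23 python-requests/2.31 200 1850
2026-04-14 10:01:45 10.0.0.5 POST /_layouts/15/placeholder.aspx - 443 CORP\\bob 198.51.100.23 python-requests/2.31 500 3020
2026-04-14 10:30:00 10.0.0.5 GET /sites/hr/lists.aspx - 443 CORP\\carol 10.0.8.40 Mozilla/5.0 200 90
"""

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
POOL = r"IIS APPPOOL\SharePoint"  # assumed application pool identity

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
PROC_EVENTS = [
    # Benign: ASP.NET runtime page compilation launches the C# compiler from w3wp.exe.
    {"time": "2026-04-14 09:45:10", "parent": W3WP, "user": POOL,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": "csc.exe /noconfig /fullpaths @page.cmdline"},
    # Suspicious: the worker process running a shell, then PowerShell.
    {"time": "2026-04-14 10:01:46", "parent": W3WP, "user": POOL,
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"time": "2026-04-14 10:01:49", "parent": W3WP, "user": POOL,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c whoami"},
]

# Children ASP.NET itself starts from the worker process (dynamic compilation).
# Anything else spawned by w3wp.exe on a SharePoint front end deserves a look.
BENIGN_W3WP_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"

@dataclass
class Request:
    when: datetime
    method: str
    uri: str
    user: str  # cs-username; '-' means anonymous
    client_ip: str

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def parse_iis(text: str) -> list[Request]:
    """Parse W3C extended log lines, locating columns from the #Fields: directive."""
    fields, out = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        out.append(Request(
            when=datetime.strptime(f"{row['date']} {row['time']}", TIME_FMT),
            method=row["cs-method"], uri=row["cs-uri-stem"],
            user=row["cs-username"], client_ip=row["c-ip"]))
    return out

def suspicious_spawns(events: list[dict], allow=BENIGN_W3WP_CHILDREN) -> list[dict]:
    """Events whose parent is w3wp.exe and whose child is not an allowlisted compiler."""
    return [e for e in events
            if basename(e["parent"]) == "w3wp.exe" and basename(e["image"]) not in allow]

@dataclass
class Finding:
    spawn: dict
    requests: list[Request] = field(default_factory=list)

    @property
    def suspects(self) -> set[tuple[str, str]]:
        """Distinct (account, source IP) pairs behind the preceding requests."""
        return {(r.user, r.client_ip) for r in self.requests}

def correlate(requests: list[Request], spawns: list[dict],
              window: timedelta = timedelta(minutes=5)) -> list[Finding]:
    """Per suspicious spawn, collect authenticated requests in the preceding window.
    Anonymous ('-') requests are dropped: this bug needs a logged-in user. The URI is
    deliberately not used, because the exploit request format is not known here."""
    findings = []
    for e in spawns:
        t = datetime.strptime(e["time"], TIME_FMT)
        prior = [r for r in requests if t - window <= r.when <= t and r.user != "-"]
        findings.append(Finding(spawn=e, requests=prior))
    return findings

if __name__ == "__main__":
    for f in correlate(parse_iis(IIS_LOG), suspicious_spawns(PROC_EVENTS)):
        print(f"{f.spawn['time']} w3wp.exe -> {basename(f.spawn['image'])}: {f.spawn['cmd']}")
        for user, ip in sorted(f.suspects):
            print(f"    candidate: {user} from {ip}")
```

On the sample data the two w3wp.exe children are reported and both are attributed to CORP\bob from 198.51.100.23; the csc.exe launch is suppressed by the allowlist and the anonymous 401 probe is ignored. In a real investigation the window will usually contain several accounts, so treat the output as a candidate list to confirm against the ULS logs and the process command lines, not as attribution.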
Security Insight
This vulnerability exemplifies the ongoing risk from deserialization flaws in enterprise content management platforms. As with the Storm-1175 campaigns that exploited zero-days to deploy ransomware (see related coverage), adversaries treat SharePoint as a high-value foothold in corporate networks: it stores sensitive documents, is reachable by many accounts and sits on the internal network. Because exploitation requires an authenticated account, the bug is most useful to an adversary who already holds credentials, whether phished, purchased or taken in an earlier compromise; it turns any low-privileged SharePoint user into code execution on the server, which makes it a lateral-movement and persistence primitive rather than an unauthenticated perimeter entry point. For other recent adversary tradecraft see the Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12). SharePoint administrators should treat this as an urgent patch priority and review their overall server hardening posture, including which network segments can reach the servers and what the application pool identity can do once code runs under it.
Further Reading
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| HORKimhab/CVE-2026-45659 | CVE-2026-45659 - Draft | ★ 0 |
| mistbarbarianspot/CVE-2026-45659-SharePoint-RCE | CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE. | ★ 0 |
Showing 2 of 2 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
- Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network....
- The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. Thi...
- Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object....
- Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object....