Skip to main content
CybersecurityVulnerability Management

Microsoft Fixes SharePoint Flaw That Exposes Servers to Remote Code Execution

Server room with rows of computer servers and a single laptop in the foreground.

"Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network," Microsoft said in an advisory released last week.

Microsoft released patches for a high‑severity SharePoint flaw

Microsoft has rolled out updates to address a remote code execution vulnerability in SharePoint tracked as CVE‑2026‑45659. The flaw carries a CVSS score of 8.8 and has been assigned an important severity rating. According to the advisory, updates have been released across SharePoint Server versions to remediate the issue.

Microsoft credited a researcher identified as MEOW for discovering and reporting the vulnerability.

How the vulnerability works and who can exploit it

The vendor describes CVE‑2026‑45659 as a deserialization vulnerability: "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network." Critically, Microsoft says the flaw can be triggered by any authenticated attacker and does not require administrator or other elevated privileges.

In practical terms, Microsoft explains that "an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server" in a network‑based attack. That delineation narrows the set of users who could mount an exploit — authenticated Site Members rather than only privileged or administrative accounts — but does not eliminate the risk for organizations that allow broad write or membership privileges.

Patch context: recent and repeated SharePoint targeting

The release comes after Microsoft issued fixes last month for a separate SharePoint spoofing vulnerability, CVE‑2026‑32201, which Microsoft said had been exploited in the wild and carried a CVSS score of 6.5. The company also noted that while CVE‑2026‑45659 is judged less likely to be exploited, "it's essential that users apply the necessary fixes for optimal protection," particularly given that "several flaws in the collaborative platform have been repeatedly weaponized by attackers over the years."

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: The advisory points to a need for immediate patching on SharePoint Server installations. Because the flaw can be exercised by authenticated Site Members, teams should prioritize patch rollout and review membership and permission models that grant Site Member rights.
  • Affected enterprises and procurement leaders: Organizations that depend on on‑premises or hosted SharePoint Server should confirm that updates have been applied across their server estate. The advisory’s emphasis on the exploitability by non‑administrative accounts implies that risk assessments and patch schedules may need to account for an expanded attack surface.
  • Adversaries and threat actors: Microsoft’s notice that the vulnerability is less likely to be exploited does not preclude attempted abuse; the company’s earlier statement that a related flaw had been exploited in the wild is a reminder that pathologies of collaborative platforms have been repeatedly targeted.

Actionable next steps and closing observation

Microsoft’s advisory and the CVSS 8.8 rating make clear that operators should treat CVE‑2026‑45659 as a high‑impact remediation priority. The company’s explicit language — that an authenticated attacker with Site Member permissions could execute remote code and that no elevated privileges are required — compresses the window between discovery and potential exploitation for organizations that have not yet applied updates.

Microsoft’s attribution to a named researcher, MEOW, closes this chapter of discovery; the more consequential question for administrators and security teams is operational: have you verified updates across your SharePoint servers, and have you reviewed who holds Site Member permissions? Microsoft’s guidance and last month’s exploited spoofing fix together underscore that SharePoint remains a frequent target where timely patching and permission hygiene matter.

Original story