HIGH: Microsoft Patches SharePoint Deserialization RCE That Hands Site Members Server Code Execution

Microsoft patched CVE-2026-45659, an 8.8 CVSS deserialization remote code execution flaw in SharePoint Server Subscription Edition, 2019, and 2016. The bug only requires Site Member privileges, a trivially low bar given SharePoint's history of being weaponized for mass exploitation.

By Danny Mercer, CISSP — Lead Security Analyst May 27, 2026

Pour one out for SharePoint admins, who once again find themselves staring down another remote code execution patch with the sinking feeling that this one is going to come back to haunt them. Microsoft's May 2026 Patch Tuesday quietly dropped CVE-2026-45659, a deserialization flaw that allows any authenticated user with the most pedestrian permissions imaginable to execute arbitrary code on a SharePoint server. The Redmond team tagged it "less likely to be exploited" in the official advisory, which is exactly the kind of confidence that aged poorly during last summer's ToolShell campaign, when attackers turned similar SharePoint flaws into the year's most active mass-compromise event.

The vulnerability carries a CVSS v3.1 score of 8.8 and lives in how SharePoint deserializes untrusted data, classified under CWE-502 for those keeping score at home. The full attack vector reads AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which translates from acronym soup into something genuinely alarming. An attacker can reach the bug across the network with low attack complexity, needs only low privileges, requires zero user interaction, and on success completely compromises the confidentiality, integrity, and availability of the affected server. The deserialization category is the same one that birthed every major SharePoint catastrophe of the past decade, from the ViewState bugs of 2019 to the ToolShell chain that ate hundreds of internet-exposed servers in 2025.

What separates this CVE from a routine Patch Tuesday yawn is the privilege threshold. The required authentication level is Site Member, a permission tier so common in production deployments that it might as well be public. Any user who has been added to a SharePoint site as a contributor, which is to say nearly every employee who has ever uploaded a document, has the access needed to fire the exploit. Compromised credentials from infostealers, phishing harvests, or legacy password reuse become an instant gateway to full server takeover. In an enterprise environment where employees rotate through teams and access reviews happen quarterly at best, the attack surface is essentially everyone who has ever touched a SharePoint document library.

The affected versions cover the entirety of Microsoft's currently supported on-premises SharePoint lineup. SharePoint Server Subscription Edition, the modern evergreen product, requires KB5002863. SharePoint Server 2019 needs KB5002870. SharePoint Enterprise Server 2016, which technically should have been decommissioned by anyone with a working migration plan, gets KB5002868. These updates rolled out as part of the May 12, 2026 release wave, and Microsoft officially assigned the CVE on May 22 after the embargo lifted. The researcher credited with discovery, identified only as MEOW, joins a growing list of bug hunters who have made SharePoint deserialization their personal hunting ground.

SharePoint Online is not affected by this particular issue because the cloud product runs an entirely different code path and is patched continuously by Microsoft's own SRE teams. That is cold comfort for the substantial swath of enterprise environments that still run on-premises SharePoint farms for compliance, data residency, or sheer organizational inertia. Federal agencies subject to FedRAMP boundary controls, healthcare networks chained to legacy document workflows, and financial institutions with regulatory pressure to keep data inside their own datacenters all tend to fall into the on-prem camp. Those are exactly the environments where unpatched SharePoint farms become both lucrative targets and slow-moving patch projects.

The "less likely to be exploited" rating that Microsoft attached to this CVE deserves some scrutiny. The same exploitation likelihood label appeared on CVE-2025-49704 and CVE-2025-49706 a year ago, both of which became the core of the ToolShell mass-exploitation campaign within weeks of disclosure. Eye Security, watchTowr, and CISA spent the back half of 2025 cleaning up after threat actors who chained those flaws to bypass authentication entirely and drop web shells on thousands of SharePoint servers. Microsoft's exploitation rating reflects predictive modeling at the time of release. It does not bind reality. Once a public proof-of-concept lands, every red team and ransomware affiliate on the planet starts cycling SharePoint targets through their pipeline within hours.

Defenders should treat the patch as time-sensitive even without confirmed in-the-wild exploitation. The cumulative update for SharePoint Server Subscription Edition installs cleanly on most farms but requires the SharePoint Products Configuration Wizard to complete the patch on every server in the farm before the fix is actually active. Administrators who have been around the block know that running the binary install without the configuration wizard leaves the servers in a half-patched state that is detected as updated by inventory tools but is still functionally vulnerable. The cumulative patch model has been a quiet source of false-positive compliance reporting for years, and this CVE is the kind of issue that exposes the gap.

Beyond the patch itself, several compensating controls reduce the blast radius. Network segmentation matters more than usual here because the attack vector is network-based and the prerequisite credential bar is low. SharePoint farms that sit behind a reverse proxy or web application firewall with deserialization payload inspection have a meaningful additional layer, particularly if rules are tuned to detect the common .NET BinaryFormatter and ObjectStateFormatter abuse patterns that show up in deserialization exploits. Disabling unused authentication providers, enforcing modern conditional access on SharePoint endpoints, and reviewing site member rosters for stale or orphaned accounts all chip away at the exploitable population.

Detection engineering for this class of vulnerability remains stubbornly hard because successful deserialization exploitation often looks identical to normal SharePoint application activity. The most reliable telemetry comes from the SharePoint ULS logs combined with process monitoring on the IIS application pool worker process, w3wp.exe. Suspicious child processes spawning from w3wp under the SharePoint application pool identity, especially cmd.exe, powershell.exe, or anything writing to inetpub directories, deserve immediate investigation. Sysmon configurations tuned for the SharePoint scenario, particularly those derived from the SwiftOnSecurity baseline with SharePoint-specific tweaks, catch the post-exploitation behaviors even when the deserialization itself slips past.
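The process-lineage and web-root signals described above, turned into a small detector (added example, not code from the article or from any Sysmon baseline). It runs over constructed events shaped like Sysmon Event ID 1 (process create) and 11 (file create); the pool name "SharePoint - 80" and the file paths are made-up sample values.

```python
# Added example (not from the article): flag w3wp.exe post-exploitation signals in
# Sysmon-style events. Field names follow Sysmon Event ID 1 and 11; sample values
# below are constructed for illustration.
from typing import Iterable, Optional

# Shells spawned by a web worker are almost never legitimate. csc.exe is NOT
# listed: ASP.NET compiles pages with it during normal operation.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Server-side script types a worker process should not be creating in the web root.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".soap")
WEB_ROOT = "c:\\inetpub\\"


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_sharepoint_pool(cmdline: str) -> bool:
    """w3wp.exe is launched with -ap "<pool name>"; SharePoint pool names carry 'SharePoint'."""
    return "sharepoint" in cmdline.lower()


def flag_event(event: dict) -> Optional[str]:
    """Return a finding for one event, or None when it looks like normal activity."""
    if event.get("EventID") == 1 and basename(event.get("ParentImage", "")) == "w3wp.exe":
        child = basename(event.get("Image", ""))
        if child in SUSPICIOUS_CHILDREN:
            pool = "SharePoint" if is_sharepoint_pool(event.get("ParentCommandLine", "")) else "other"
            return f"w3wp ({pool} pool) spawned {child}: {event.get('CommandLine', '')}"
    if event.get("EventID") == 11 and basename(event.get("Image", "")) == "w3wp.exe":
        target = event.get("TargetFilename", "").lower()
        if target.startswith(WEB_ROOT) and target.endswith(SCRIPT_EXTENSIONS):
            return f"w3wp wrote server-side script into the web root: {target}"
    return None


def scan(events: Iterable[dict]) -> list:
    return [f for f in map(flag_event, events) if f]


# Constructed telemetry: a normal ASP.NET compile, a shell spawn, and a script drop.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'w3wp.exe -ap "SharePoint - 80"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @page.cmdline"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'w3wp.exe -ap "SharePoint - 80"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\example.aspx"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The csc.exe event is deliberately left unflagged; a rule that alerts on every w3wp child will drown the SharePoint signal in ASP.NET compilation noise.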

CISA has not yet added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog, which means federal civilian agencies do not face a mandatory patching deadline under BOD 22-01 just yet. That status can change without warning. The KEV catalog updates typically arrive within days of confirmed exploitation, and the SharePoint pattern over the past three years suggests this one has a non-trivial chance of landing on the list before the end of summer. Agencies and contractors operating under FedRAMP, CMMC, or similar frameworks should treat the patch as KEV-equivalent regardless of the catalog status.

For managed service providers running multi-tenant operations, the SharePoint patch cycle is a recurring conversation that practically writes itself. Clients running on-premises SharePoint should already be on a regular Patch Tuesday cadence, but the practical reality is that SharePoint patching is one of the most-deferred maintenance windows in the typical enterprise calendar because of the configuration wizard requirement and the perceived risk of farm downtime. That deferral pattern is exactly the kind of operational gap that justifies a managed SharePoint service offering, with predictable patching windows, configuration wizard validation, and post-patch health verification baked into the contract. The current CVE is also a natural prompt for credential hygiene conversations with clients, because every Site Member account is now effectively a potential RCE vector and that reframes a lot of stale password policies in a hurry.

The deeper play for security-focused MSPs is using this CVE to revisit the broader question of why clients are still running SharePoint on-premises in the first place. Migration assessments, hybrid SharePoint reviews, and full cutover projects to SharePoint Online or alternative collaboration platforms become significantly easier conversations when the client has just lived through an emergency patch cycle. Pair that with darkweb credential monitoring services to catch the infostealer harvests that would feed any future exploitation, and there is a clean three-part offering ready to position to clients before the next ToolShell-equivalent campaign makes the choice for them.
