Microsoft rolled out an out-of-band patch for a remote code execution vulnerability in SharePoint Server that any authenticated attacker can potentially exploit without requiring administrator or other elevated privileges.

Microsoft assigned the bug, tracked as CVE-2026-45659, a severity rating of 8.8 on the 10-point CVSS scale. The company described the vulnerability as one that attackers are less likely to exploit even though it involves low attack complexity, no user interaction, and minimal privileges.

A Potentially Significant Attack Risk

No public exploit code appears to have surfaced yet and there is no indication of any exploit activity in the wild. However, security teams might want to quickly deploy Microsoft’s patch for the vulnerability, given SharePoint’s history as a high-value target and how quickly proof-of-concept code has surfaced with previous similar disclosures. Microsoft’s own decision to make the patch available immediately instead of waiting for its regular monthly Patch Tuesday updates also suggests the company perceives the vulnerability as a significant risk.

CVE-2026-45659 involves the deserialization of untrusted data in Microsoft Office SharePoint. It essentially allows an authenticated attacker to trick Microsoft SharePoint into processing malicious data in a way that could let them remotely run code on the server and potentially take control of it. “In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions [Privileges Required: Low], could execute code remotely on the SharePoint Server,” Microsoft said. “The attack complexity is low because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.”  

A successful exploit could have a high impact on system confidentiality, integrity, and availability, Microsoft added. The company attributed bug discovery to a security researcher called MEOW.

SharePoint Remains a Major Attacker Target

The new vulnerability arrives amid ongoing concerns about SharePoint’s security posture, especially in on-premises deployments. Microsoft SharePoint servers remain a highly attractive target for cybercriminals and nation-state actors because of their role as a core platform for enterprise collaboration, document management and workflows. SharePoint environments often have large amounts of sensitive internal documents, project data, employee records, intellectual property, and other data, making a successful breach immediately valuable from an IP theft standpoint and for financial extortion. Because many organizations integrate SharePoint with other Microsoft services such as Active Directory, Teams, and Outlook, a successful SharePoint breach often can serve as a launchpad for lateral movement across an enterprise environment.

China-linked groups like Linen Typhoon and Violet Typhoon exploited SharePoint vulnerabilities to steal intellectual property, while ransomware operators such as Storm-2603 used the same flaws to deploy extortion campaigns. In July 2025 Microsoft disclosed a zero-day vulnerability chain dubbed ToolShell that multiple threat groups used in attacks against on-premises SharePoint deployments in government agencies, universities, corporations, and the US Nuclear Weapons Agency.

Security analysts consider on-premises Microsoft SharePoint environments a particularly attractive target for attackers because of how many organizations struggle to keep these systems fully patched, properly configured, and consistently monitored. Often, Internet-facing servers have outdated software, legacy integrations, excessive privileges, and other security gaps attackers can easily exploit.




