Microsoft pushed an emergency security update for SharePoint after researchers demonstrated that an attacker holding nothing more than basic site member permissions could execute code on the underlying server and take full control of it. The vulnerability, tracked as CVE-2026-45659, requires no user interaction and no privilege escalation. If you have a SharePoint account that lets you edit a page or upload a document, you already have enough access to launch the attack.
That is a problem at enormous scale. Site member permissions are handed out routinely to project collaborators, department staff, contractors, and external partners. In most deployments, they are the default access tier.
What the vulnerability actually does
CVE-2026-45659 is a deserialization flaw. SharePoint accepts structured data objects from authenticated users, and in this case, the server processes certain objects without properly validating their contents. An attacker can craft a malicious serialized object, submit it through a legitimate SharePoint interaction, and force the server to execute arbitrary code.
The National Vulnerability Database entry assigns the flaw a CVSS 3.1 vector that specifies PR:L (low privileges required) and no user interaction needed. In plain terms: no phishing email, no tricked click, no stolen admin credentials. A single compromised or rogue site member account is the entire attack chain.
“Server takeover” in this context means the attacker can run commands with the privileges of the SharePoint application process, which on most on-premises deployments is sufficient to read and exfiltrate data, install backdoors, pivot to other systems on the network, or deploy ransomware. For organizations storing sensitive documents, internal communications, or regulated data in SharePoint, the exposure is severe.
What Microsoft and CISA have said
Microsoft’s advisory, linked as the canonical source in the NIST National Vulnerability Database, confirms the patch and the vulnerability class but does not name the researchers who reported the flaw or describe the specific deserialization endpoint involved. The company has not published a timeline showing when it first learned of the issue versus when the fix shipped. Microsoft did not respond to a request for comment on the discovery timeline or the identity of the reporting researchers.
Separately, CISA added a related SharePoint vulnerability, CVE-2026-32201, to its Known Exploited Vulnerabilities Catalog. That catalog has a strict inclusion standard: a flaw appears only after the agency confirms active exploitation with reliable evidence. CISA has not published details on the volume of attacks, the threat actors involved, or whether CVE-2026-32201 and CVE-2026-45659 share a common code path. CISA did not respond to a request for additional details on the scope of observed exploitation. Until Microsoft clarifies the relationship between the two CVEs, security teams should treat them as separate risks that both demand immediate patching.
The headline for this article states that “researchers confirmed” the attack path. That language reflects the NVD record and Microsoft’s own advisory, both of which document the vulnerability class, severity vector, and patch. However, neither Microsoft nor the NVD has publicly named the individual researchers or firm responsible for the discovery. No independent researcher has publicly claimed credit for the finding as of June 2026. Readers should weigh the institutional authority of the NVD and CISA records against the absence of a named source.
Neither source has released proof-of-concept code, which limits independent analysis but also means a public exploit is not yet circulating in the usual repositories. That window will not stay open long. High-value SharePoint flaws with low exploitation barriers tend to attract rapid weaponization.
Cloud vs. on-premises: who is most exposed
Organizations running SharePoint Online through Microsoft 365 are likely in better shape. Microsoft manages patching for its cloud infrastructure directly, and tenants typically receive fixes without administrator action. However, Microsoft has not explicitly confirmed that SharePoint Online was vulnerable or that it has been patched, so cloud customers should verify through their Microsoft 365 admin center or contact Microsoft support.
On-premises SharePoint Server deployments face the steepest risk. These environments depend on manual update cycles that can lag by days or weeks, and many organizations run older SharePoint versions with extended or custom support arrangements. If your SharePoint Server has not been updated since Microsoft released this fix in June 2026, it should be treated as compromised until proven otherwise.
Why this class of bug keeps appearing in SharePoint
Deserialization vulnerabilities are not new to SharePoint. CVE-2019-0604, a similar flaw, was exploited in the wild and used in targeted attacks against government and private-sector organizations. CVE-2023-29357, a privilege escalation bug, was chained with a deserialization issue (CVE-2023-24955) to achieve remote code execution and was demonstrated at the Pwn2Own contest in Vancouver.
The pattern persists because SharePoint is a massive, decades-old codebase that processes complex data from authenticated users across dozens of internal services. Some serialization mechanisms are well-audited. Others sit in older corners of the product where they receive less scrutiny. Each time Microsoft hardens one path, researchers find another. For defenders, the takeaway is that SharePoint’s attack surface is structurally broad, and patching alone is not a complete strategy.
What to do right now
Patch immediately. Apply the update referenced in Microsoft’s advisory to every on-premises SharePoint Server instance. Do not wait for a regular maintenance window. The combination of low privilege requirement and zero user interaction makes this flaw trivially scalable for any attacker who can obtain or compromise a single site member account.
Audit site member permissions. Most organizations grant SharePoint site membership far more broadly than necessary. Remove stale accounts, revoke access for users who no longer need it, and review whether external partners still require the permissions they were given. Shrinking the pool of site members directly reduces the number of accounts an attacker could use.
Hunt for signs of exploitation. If your SharePoint servers were unpatched for any period after the fix became available, review logs for anomalous behavior from site member accounts. Look for unexpected access patterns, unusual file operations, attempts to reach administrative endpoints, or new processes spawned by the SharePoint application pool. Because the attack requires no user interaction, phishing-focused detection will not catch it. Server-side endpoint detection and detailed IIS and ULS logging are the relevant controls.
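As an added example of the server-side hunting described above (not code from the article, Microsoft or CISA), the Python below runs three checks over constructed IIS W3C log lines and Sysmon-style process-creation events: Central Administration hits from non-admin accounts, bursts of 5xx responses from one member account, and shells spawned by the w3wp.exe worker process. The '/_admin/' path, the shell list and the thresholds are this example's assumptions, not indicators from the advisory.

```python
"""Hunting helpers for the unpatched-window review above. Added example, not
code from the article, Microsoft or CISA; all log data below is constructed."""
from collections import Counter
import ntpath

# Constructed IIS W3C log excerpt. Central Administration pages live under
# '/_admin/'; treating hits there from non-admin accounts as the article's
# "attempts to reach administrative endpoints" is this example's assumption.
IIS_LOG = """#Fields: date time cs-method cs-uri-stem cs-username sc-status
2026-06-02 09:14:01 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx CONTOSO\\alice 200
2026-06-02 09:14:05 POST /sites/hr/_layouts/15/upload.aspx CONTOSO\\alice 500
2026-06-02 09:14:06 POST /sites/hr/_layouts/15/upload.aspx CONTOSO\\alice 500
2026-06-02 09:14:07 POST /sites/hr/_layouts/15/upload.aspx CONTOSO\\alice 500
2026-06-02 09:15:10 GET /_admin/Monitoring.aspx CONTOSO\\alice 403
2026-06-02 09:16:00 GET /sites/hr/_layouts/15/start.aspx CONTOSO\\bob 200"""

# Constructed process-creation events with Sysmon-style field names.
PROC_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
# Children that the IIS worker process hosting a SharePoint app pool has no reason to start.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe"}

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def admin_endpoint_hits(records, admins):
    """Requests to Central Administration paths from accounts outside `admins`."""
    return [r for r in records
            if "/_admin/" in r["cs-uri-stem"].lower() and r["cs-username"] not in admins]

def server_error_bursts(records, threshold=3):
    """Accounts with at least `threshold` 5xx responses; repeated server-side
    failures from one member account deserve a closer look."""
    counts = Counter(r["cs-username"] for r in records if r["sc-status"].startswith("5"))
    return {user: n for user, n in counts.items() if n >= threshold}

def suspicious_spawns(events):
    """Shell or LOLBin launches whose parent is w3wp.exe, the app pool worker."""
    return [e for e in events
            if ntpath.basename(e["ParentImage"]).lower() == "w3wp.exe"
            and ntpath.basename(e["Image"]).lower() in SHELLS]
```

Point the same functions at a real IIS log file and your EDR's process-creation export; the '#Fields:' header keeps the parser correct whichever columns the server has enabled.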
Pressure your managed service providers. If a third party manages your SharePoint environment, confirm in writing that the patch has been applied. Contract language should explicitly require timely remediation of vulnerabilities that need only low privileges and no user interaction, since those conditions make exploitation highly scalable.
How to track this threat through authoritative sources
The NVD entry and CISA’s catalog are the most reliable public records for following CVE-2026-45659 and CVE-2026-32201. When proof-of-concept details or researcher disclosures surface, they will likely appear through those channels or through the Microsoft Security Response Center. Acting on those primary sources, rather than waiting for secondhand summaries, is the fastest way to stay ahead of active exploitation.
*This article was researched with the help of AI, with human editors creating the final content.