Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks

HomeCyber Security Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks By Guru Baran May 26, 2026 Microsoft has disclosed a critical security vulnerability in SharePoint Server that could allow authenticated attackers to execute arbitrary code remotely across multiple versions of the platform. Tracked as CVE-2026-45659 and released on May 21, 2026, the flaw poses a significant risk to organizations running on-premises SharePoint deployments. The vulnerability stems from the deserialization of untrusted data within Microsoft Office SharePoint. When exploited, it enables a network-based attacker to remotely execute code on the affected server. Microsoft rated the flaw as Important severity, with exploitation currently assessed as “Exploitation Less Likely” — though the low complexity of the attack makes it a notable threat worth immediate attention. What makes this flaw particularly concerning is its low barrier to exploitation. Any authenticated user with a minimum of Site Member-level permissions can trigger the vulnerability; no administrative or elevated privileges are required. The attack vector is network-based (AV:N) with low attack complexity (AC:L), meaning an attacker needs no specialized prior knowledge of the target system and can achieve repeatable, reliable exploitation from the internet. Affected Versions and Patches Microsoft has released security updates for all affected SharePoint Server versions. Organizations should prioritize patching immediately. Product KB Article Build Number SharePoint Server Subscription Edition KB 5002863 16.0.19725.20280 SharePoint Server 2019 KB 5002870 16.0.10417.20128 SharePoint Enterprise Server 2016 KB 5002868 16.0.5552.1002 Mitigations Security teams should take the following steps immediately: Apply the May 21, 2026, security updates for all affected SharePoint versions via the Microsoft Update Catalog or direct download Audit site membership permissions and restrict Site Member access to trusted users only Monitor SharePoint Server logs for unusual deserialization activity or unexpected code execution attempts Isolate internet-facing SharePoint instances until patches are confirmed as applied Consider enabling Web Application Firewall (WAF) rules to detect and block malicious deserialization payloads Although Microsoft currently confirms the vulnerability has not been publicly disclosed or actively exploited, the low complexity and network-accessible attack surface make it a prime candidate for future exploitation once proof-of-concept code circulates. Organizations relying on SharePoint for internal collaboration, document management, or external portals face elevated exposure if patches are delayed. Security teams are strongly encouraged to treat this as a priority patching event within their next maintenance window. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News GitHub Internal Repositories Breached Via Weaponized VS Code Extension DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing Latest News Cyber Security News GitHub Down – Authentication Issues Denying Access to Actions  Cyber Security News Hackers Exploit Ghost CMS CVE-2026-26980 to Poison 700 Websites With ClickFix Malware Cyber Security News Windows Server 2016 Domain Controller May Fail with 15-Character Hostname Cyber Security News Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers Cyber Security News Critical Memcached SASL Vulnerability Let Attackers Infer Valid Usernames