Cybersecurity Blog | RedLegg

Security Bulletin: Microsoft Office SharePoint Remote Code Execution Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 7/2/26 3:52 PM

About:

CVE-2026-45659 is a remote code execution vulnerability affecting Microsoft Office SharePoint Server.

Successful exploitation could allow an attacker to execute malicious code in the context of the SharePoint server, potentially leading to unauthorized access to sensitive information, modification of SharePoint content, deployment of malicious components, disruption of collaboration services, and further compromise of the underlying server.

Microsoft addressed the vulnerability in the May 2026 SharePoint security updates. On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) Catalog, indicating observed exploitation risk and the need for immediate verification of patch status across exposed SharePoint environments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify as the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Microsoft Office SharePoint Remote Code Execution Vulnerability

 

Identifier: CVE-2026-45659

PoC or Exploitation:

CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities (KEV) Catalog on July 1, 2026.

 
CVSS Score: 8.8 (High, CVSS v3.1)

Update / Patch:

Microsoft addressed CVE-2026-45659 through the May 2026 SharePoint security updates.
 
Affected Products
 
  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
 
Fixed Versions
 
  • Microsoft SharePoint Server Subscription Edition: Build 16.0.19725.20280
  • Microsoft SharePoint Server 2019: Build 16.0.10417.20128
  • Microsoft SharePoint Enterprise Server 2016 (x64): Build 16.0.5552.1002

 
Microsoft advisory and patch guidance:
 

 

 

Description:

CVE-2026-45659 is a remote code execution vulnerability affecting Microsoft Office SharePoint Server.
 
Successful exploitation could enable an attacker to execute malicious code within the context of the SharePoint server, potentially resulting in unauthorized access to sensitive information, modification of SharePoint content, installation of malicious components, disruption of collaboration services, or further compromise of the underlying server.

 

Mitigation Recommendation:

Immediately verify that the May 2026 Microsoft SharePoint security updates have been successfully installed.
 
Review SharePoint administrative and Unified Logging Service (ULS) logs for suspicious authenticated activity, unexpected code execution, or anomalous administrative operations.
 
Monitor for unusual PowerShell activity, IIS worker process behavior, scheduled task creation, or other indicators of post-exploitation activity.
 
Restrict SharePoint administrative access to trusted administrators and implement the principle of least privilege.
 
Implement multi-factor authentication for privileged accounts where supported.
 
Conduct compromise assessments on internet-facing or externally accessible SharePoint deployments.
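
One way to carry out the patch verification in the first recommendation is to compare a farm's build against the Fixed Versions listed above. This PowerShell sketch is an added example, not RedLegg's or Microsoft's code. The function name `Test-SPBuildPatched`, the build-range cut-offs used to tell the product lines apart, and the sample builds are assumptions made for illustration.

```powershell
# Fixed builds are copied from the "Fixed Versions" list in this bulletin.
# MinBuild is an ASSUMPTION: all three products report 16.0.x.y, so the product
# line is inferred from the third version component (2016 below 10000,
# 2019 from 10000, Subscription Edition from 14000).
$FixedBuilds = @(
    [pscustomobject]@{ Product = 'SharePoint Server Subscription Edition'; MinBuild = 14000; Fixed = [version]'16.0.19725.20280' }
    [pscustomobject]@{ Product = 'SharePoint Server 2019';                 MinBuild = 10000; Fixed = [version]'16.0.10417.20128' }
    [pscustomobject]@{ Product = 'SharePoint Enterprise Server 2016';      MinBuild = 0;     Fixed = [version]'16.0.5552.1002' }
)

function Test-SPBuildPatched {
    # Hypothetical helper: reports whether a build is at or above the fixed build.
    param([Parameter(Mandatory)][version]$Build)

    if ($Build.Major -ne 16 -or $Build.Minor -ne 0) {
        throw "Build $Build is not a SharePoint 2016, 2019 or Subscription Edition build."
    }
    # The table is ordered from highest MinBuild to lowest, so the first match wins.
    $line = $FixedBuilds | Where-Object { $Build.Build -ge $_.MinBuild } | Select-Object -First 1

    [pscustomobject]@{
        Build      = $Build
        Product    = $line.Product
        FixedBuild = $line.Fixed
        # [version] compares component by component, unlike a string comparison.
        Patched    = ($Build -ge $line.Fixed)
    }
}

if (Get-Command Get-SPFarm -ErrorAction SilentlyContinue) {
    # In the SharePoint Management Shell: check the live farm build.
    Test-SPBuildPatched -Build (Get-SPFarm).BuildVersion
} else {
    # Constructed sample builds so the logic can be exercised off-server.
    '16.0.19725.20280', '16.0.10417.20100', '16.0.5500.1000' |
        ForEach-Object { Test-SPBuildPatched -Build $_ }
}
```

`(Get-SPFarm).BuildVersion` is a farm-level value, so confirm the installed updates on each server in the farm separately.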