External risk intelligence

Microsoft SharePoint Server Code Execution via Deserialization

CVE advisoryKnown Exploit

CVE-2026-45659

Microsoft SharePoint Server is commonly deployed as an internet-facing or externally accessible web application and collaboration portal, making its web services and API endpoints frequently reachable from the public internet in standard enterprise deployments.

Deserialization

Microsoft Sharepoint Server

before 16.0.19725.2028020162019

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Microsoft SharePoint Server that could allow an authorized attacker to execute code over a network. This issue arises from the deserialization of untrusted data, a common type of software flaw that can have significant security implications. Given the nature of SharePoint as a collaboration platform, understanding its potential exposure to this vulnerability is important for maintaining system integrity and data security.

  • Allows attackers to run code remotely.
  • Critical flaw in collaboration and data systems.
  • Confirm exposure and impact to collaboration tools.

Attack Path

How an attacker could exploit the issue

An attacker with network access and some level of user privileges on Microsoft SharePoint Server could potentially exploit a deserialization vulnerability. By providing specially crafted data, the attacker might trigger the vulnerable component, leading to the execution of arbitrary code on the server over the network.

  • Requires network access and user privileges.
  • Exploits deserialization of untrusted data.
  • Allows code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

An authorized attacker could execute code over a network when interacting with Microsoft Office SharePoint, potentially affecting system integrity and availability. This vulnerability may impact the confidentiality of data processed by the affected SharePoint instances.

  • System integrity and availability.
  • Code execution over a network.
  • Unauthorized system control.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world remediation for this deserialization vulnerability in Microsoft SharePoint Server likely involves a coordinated effort between application owners, infrastructure teams, and potentially vendor-management teams. The first practical step is to conduct a comprehensive inventory of all SharePoint Server instances, identify their network exposure, and determine their business criticality. Once these factors are understood, the accountable owner should be identified to plan and execute remediation activities, prioritizing systems based on risk.

  • Application and infrastructure teams own remediation.
  • Verify SharePoint asset inventory and exposure.
  • Plan and coordinate risk-based maintenance.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Microsoft SharePoint Server used for?

Microsoft SharePoint Server is a widely deployed collaboration and document management platform. Organizations use it to host internal intranets, manage content, and provide web-based portals that facilitate teamwork, file sharing, and data organization across corporate environments.

What does CWE-502 mean for CVE-2026-45659?

CWE-502, or Deserialization of Untrusted Data, refers to a weakness where an application takes complex data received from a user and reconstructs it into an object without proper validation. In the context of CVE-2026-45659, this allows the software to be tricked into performing unintended actions, potentially leading to unauthorized code execution when the system processes malicious input.

Do I need to be an administrator to trigger this flaw?

Yes, exploitation requires the attacker to be an authorized user. This means the vulnerability cannot be triggered by an unauthenticated entity over the network. It requires existing access privileges within the environment to interact with the specific SharePoint components affected by this deserialization issue.

How does Halo Surface Signal view this risk?

Halo Surface Signal flags this as a significant concern because Microsoft SharePoint Server is frequently configured as an internet-facing portal. Because these web services and API endpoints are often reachable from the public internet, they become accessible to external actors who may attempt to leverage their authorized access to reach this flaw.

What are the first steps to address this CVE?

Your initial priority is to identify all instances of SharePoint Server within your environment and consult the official Microsoft Security Update Guide. Review the vendor's documentation to understand the required updates or configuration changes for your specific version. Ensuring your installations are patched according to the vendor's instructions is the standard method for resolving this type of software vulnerability.

References