CVE-2026-45659: Microsoft SharePoint Server Deserialization RCE — How to Find Vulnerable Instances on Your Network
Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability that lets authenticated attackers execute arbitrary code remotely. CVSS 8.8, actively exploited in the wild, CISA KEV listed July 1 with an aggressive 3-day remediation deadline. Patches are available for SharePoint 2016, 2019, and Subscription Edition. Here's how to find SharePoint Server instances on your network.
The Vulnerability
CVE-2026-45659 (CWE-502: Deserialization of Untrusted Data) is a remote code execution vulnerability in Microsoft SharePoint Server. An authenticated attacker with as little as Site Member permissions can send a crafted request that triggers unsafe deserialization, executing arbitrary code on the server with the privileges of the SharePoint service account. Attack complexity is low and no user interaction is required.
- CVSS: 8.8 High (v3.1) — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — MSRC Advisory
- CWE: CWE-502 (Deserialization of Untrusted Data)
- AFFECTED: SharePoint Server Subscription Edition (below 16.0.19725.20280), SharePoint Server 2019 (below 16.0.10417.20128), SharePoint Enterprise Server 2016 (below 16.0.5552.1002)
- FIXED: KB5002863 (Subscription Edition), KB5002870 (2019), KB5002868 (2016) — released May 21, 2026
- EXPLOITED: Active exploitation confirmed — CISA KEV listed July 1, 2026 · deadline July 4, 2026
- RELATED: CVE-2026-40365 (RCE, CVSS 8.8), CVE-2026-47294 (OS command injection, CVSS 8.0) — same patch batch
The 3-day CISA KEV deadline (July 4, 2026) is unusually aggressive and signals high confidence in active exploitation. The low barrier — any authenticated user with Site Member permissions — makes this especially dangerous in organizations with broad SharePoint access. Combined with two related RCE vulnerabilities patched in the same update, unpatched SharePoint servers face multiple attack vectors simultaneously.
What Is Microsoft SharePoint Server?
Microsoft SharePoint Server is the on-premises edition of Microsoft's collaboration and document management platform. It powers intranets, document libraries, team sites, and business workflows for enterprises worldwide. SharePoint Server runs on Windows Server with IIS and SQL Server, typically deployed in enterprise data centers or hybrid configurations alongside Microsoft 365. Compromising a SharePoint server can expose sensitive documents, credentials stored in connected databases, and provide lateral movement opportunities across the domain.
Only On-Premises Deployments Affected
This vulnerability affects only on-premises SharePoint Server deployments — SharePoint 2016, SharePoint 2019, and SharePoint Subscription Edition. SharePoint Online (part of Microsoft 365) is not affected. Organizations that have fully migrated to SharePoint Online are not at risk, but hybrid deployments that still maintain on-prem SharePoint servers need to patch.
Investigation Workflow
SharePoint servers are typically internal-facing but often accessible from broad segments of the corporate network. Any authenticated user with Site Member permissions can exploit this vulnerability. Here's how to locate every SharePoint Server instance on your network.
1. Port Scan: Find SharePoint Instances
SharePoint Server runs on IIS and exposes web services on standard HTTP/HTTPS ports. Scan your network for:
- 443 — HTTPS (primary web application port — where the vulnerability is exploitable)
- 80 — HTTP (some deployments, often redirects to 443)
- 2013 — SharePoint Central Administration (alternate port in some deployments)
- 32843/32844 — SharePoint service applications (default ports for service app endpoints)
Port 443 is the primary target — it hosts the web application with the vulnerable deserialization endpoint. Central Administration on non-standard ports is also worth checking.
2. TLS Inspect: Identify SharePoint Certificates
Pull the TLS certificate on port 443. SharePoint Server instances typically present certificates with identifying characteristics:
- Subject CN or SAN containing sharepoint, sp, or the organization's intranet domain
- Issuer from an internal Active Directory Certificate Services CA
- Wildcard certificates covering *.corp.example.com or similar internal domains
3. HTTP Headers: Fingerprint SharePoint
SharePoint Server has highly distinctive HTTP response headers. Probe port 443 and look for:
- MicrosoftSharePointTeamServices header — contains the exact SharePoint build number (e.g., 16.0.10417.20128). This header alone confirms SharePoint and reveals the installed version
- X-SharePointHealthScore header — a numeric value (0–10) unique to SharePoint Server
- SPRequestGuid header — a GUID present in SharePoint responses
- Server: Microsoft-IIS/10.0 combined with the headers above confirms a SharePoint deployment
- Response body containing SharePoint, _layouts/15/, or _api/web
The MicrosoftSharePointTeamServices header is the most valuable signal — compare the build number against the patched versions (16.0.19725.20280 for Subscription Edition, 16.0.10417.20128 for 2019, 16.0.5552.1002 for 2016) to determine whether the instance is vulnerable.
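An added example (not code from the original post) that turns the header check above into a repeatable test: it looks for the three SharePoint-specific headers, parses the build from MicrosoftSharePointTeamServices, and compares it to the patched builds listed in this advisory. The mapping from the third build component to an edition is an assumption drawn from the advisory's own build numbers, and the sample responses are constructed, not captured from real hosts.

```python
import re

# Minimum patched builds named in the advisory, keyed by edition.
PATCHED = {
    "Subscription Edition": (16, 0, 19725, 20280),
    "2019": (16, 0, 10417, 20128),
    "2016": (16, 0, 5552, 1002),
}
# Response headers the post lists as SharePoint signals (matched case-insensitively).
SIGNAL_HEADERS = ("MicrosoftSharePointTeamServices", "X-SharePointHealthScore", "SPRequestGuid")
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(value):
    """Turn '16.0.10417.20128' into a comparable tuple of ints, or None if malformed."""
    m = BUILD_RE.match(value or "")
    return tuple(int(x) for x in m.groups()) if m else None


def edition_for(build):
    """Infer the edition from the third build component. These boundaries are an
    assumption derived from the advisory's build numbers, not a Microsoft-published rule."""
    if build[:2] != (16, 0):
        return None
    if build[2] >= 14000:
        return "Subscription Edition"
    return "2019" if build[2] >= 10000 else "2016"


def assess_build(value):
    """Report whether a build string is below the patched build for its edition."""
    build = parse_build(value)
    edition = edition_for(build) if build else None
    if edition is None:
        return {"build": value, "edition": None, "vulnerable": None}
    return {"build": value, "edition": edition, "vulnerable": build < PATCHED[edition],
            "fixed": ".".join(map(str, PATCHED[edition]))}


def fingerprint(headers):
    """Classify an HTTP response header map: is it SharePoint, and is the build unpatched?"""
    lower = {k.lower(): v for k, v in headers.items()}
    hits = [h for h in SIGNAL_HEADERS if h.lower() in lower]
    result = {"is_sharepoint": bool(hits), "signals": hits}
    if "microsoftsharepointteamservices" in lower:
        result.update(assess_build(lower["microsoftsharepointteamservices"]))
    return result


# Constructed sample responses: an unpatched 2019 farm and a patched Subscription Edition farm.
SAMPLE_UNPATCHED = {"Server": "Microsoft-IIS/10.0", "MicrosoftSharePointTeamServices": "16.0.10396.20000",
                    "X-SharePointHealthScore": "0", "SPRequestGuid": "3c2f1a10-7b5e-4d9a-9c6b-1f2e3d4c5b6a"}
SAMPLE_PATCHED = {"Server": "Microsoft-IIS/10.0", "MicrosoftSharePointTeamServices": "16.0.19725.20280"}
```

The same comparison applies to the value returned by (Get-SPFarm).BuildVersion in the Remediation section; only the source of the build string differs.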
4. DNS: Discover SharePoint Infrastructure
Query internal DNS for common SharePoint naming patterns: sharepoint.*, sp.*, intranet.*, portal.*, teams.*, collab.*. SharePoint farms often have multiple web applications — check for separate DNS entries for My Sites (mysites.*), search (search.*), and individual site collections that may be hosted on different IIS websites or servers.
5. CVE Lookup: Confirm the Advisory
Pull the full NVD entry for CVE-2026-45659 to track scoring updates. Note two related SharePoint RCE vulnerabilities in the same patch batch: CVE-2026-40365 (insufficient access control, CVSS 8.8) and CVE-2026-47294 (OS command injection, CVSS 8.0). All three are fixed by the same KB updates — a single patch pass covers all three vulnerabilities.
Cross-Reference with External Data
- SHODAN: Search http.headers:"MicrosoftSharePointTeamServices" to find internet-exposed SharePoint instances
- CVE LOOKUP: Check CVE-2026-45659, CVE-2026-40365, CVE-2026-47294 in NVD for updated scoring
- CISA KEV: Listed July 1, 2026 — remediation deadline July 4, 2026
- MSRC: Microsoft Security Update Guide
Remediation
- Patch immediately. Install the May 21 security updates: KB5002863 (Subscription Edition), KB5002870 (SharePoint 2019), KB5002868 (SharePoint 2016). These KBs also fix CVE-2026-40365 and CVE-2026-47294. The CISA KEV deadline is July 4 — three days from listing.
- Verify the installed build number. Check the MicrosoftSharePointTeamServices HTTP header or run (Get-SPFarm).BuildVersion in SharePoint Management Shell. Confirm the build meets or exceeds the patched versions: 16.0.19725.20280 (SE), 16.0.10417.20128 (2019), 16.0.5552.1002 (2016).
- Audit site membership. The vulnerability requires only Site Member permissions. Review SharePoint site collections for overly broad membership — users who shouldn't have access to specific sites represent unnecessary attack surface.
- Monitor ULS and Windows Event logs. Review SharePoint Unified Logging Service (ULS) logs for unusual deserialization errors, unexpected .NET exceptions, or anomalous API calls. Check Windows Security event logs for process creation events originating from the IIS worker process (w3wp.exe).
- Check for lateral movement. If a SharePoint server was compromised, the attacker had access to the SharePoint service account — typically a domain account with broad database access. Review Active Directory logs for suspicious authentication events from the SharePoint servers.
- Assess hybrid exposure. If your SharePoint farm is in a hybrid configuration with Microsoft 365, verify that the on-premises servers are patched even if most users access SharePoint Online. Hybrid connectors and search federation can expose on-prem servers to broader access paths.
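An added example (not code from the original post) for the monitoring step above: it flags Security 4688-style process creation records whose parent is the IIS worker process w3wp.exe, and scans ULS log lines for deserialization failures. The list of high-risk child processes, the ULS keyword list, and all sample records are constructed assumptions for illustration.

```python
import ntpath

IIS_WORKER = "w3wp.exe"
# Shells and interpreters a SharePoint worker process should not be spawning (assumed list).
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Substrings suggesting a deserialization failure in a ULS message (assumed keywords).
DESER_KEYWORDS = ("SerializationException", "Deserializ", "BinaryFormatter", "LosFormatter")


def check_process_event(ev):
    """Return a finding for a 4688-style record whose parent is w3wp.exe, else None."""
    if ev.get("event_id") != 4688:
        return None
    if ntpath.basename(ev.get("parent_process", "")).lower() != IIS_WORKER:
        return None
    child = ntpath.basename(ev.get("new_process", "")).lower()
    return {"severity": "high" if child in HIGH_RISK_CHILDREN else "medium", "child": child,
            "user": ev.get("subject_user"), "host": ev.get("host"), "time": ev.get("time")}


def check_uls_line(line):
    """ULS entries are tab-separated: Timestamp, Process, TID, Area, Category, EventID,
    Level, Message, Correlation. Flag messages that match the deserialization keywords."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    level, message = fields[6].strip(), fields[7]
    if not any(k in message for k in DESER_KEYWORDS):
        return None
    return {"severity": "high" if level == "Unexpected" else "medium",
            "time": fields[0].strip(), "process": fields[1].strip(),
            "correlation": fields[8].strip() if len(fields) > 8 else None}


def triage(process_events, uls_lines):
    """Run both checks and return findings with high severity first."""
    findings = [f for f in map(check_process_event, process_events) if f]
    findings += [f for f in map(check_uls_line, uls_lines) if f]
    return sorted(findings, key=lambda f: f["severity"] != "high")


# Constructed sample data: a shell spawned by w3wp.exe, an unrelated benign process, one ULS error.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "SP-WFE01", "time": "2026-07-02T03:14:07Z", "subject_user": "CORP\\svc_sp",
     "parent_process": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "new_process": "C:\\Windows\\System32\\cmd.exe"},
    {"event_id": 4688, "host": "SP-WFE01", "time": "2026-07-02T03:15:00Z", "subject_user": "CORP\\jdoe",
     "parent_process": "C:\\Windows\\explorer.exe", "new_process": "C:\\Windows\\System32\\notepad.exe"},
]
SAMPLE_ULS = [
    "07/02/2026 03:14:05.12\tw3wp.exe (0x1A2C)\t0x0B10\tSharePoint Foundation\tGeneral\t0000\tUnexpected\t"
    "System.Runtime.Serialization.SerializationException: Unable to find assembly ...\t9f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
]
```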
Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.
Follow @hellorecon for new CVE investigations.
Sources
- Microsoft Security Update Guide: CVE-2026-45659
- NVD: CVE-2026-45659
- CISA Known Exploited Vulnerabilities Catalog
- KB5002863 — SharePoint Server Subscription Edition
- KB5002870 — SharePoint Server 2019
- KB5002868 — SharePoint Enterprise Server 2016