
CVE-2026-45659: Microsoft SharePoint Unauthenticated RCE — Detection and Remediation

Security Arsenal Team
May 26, 2026
5 min read

Microsoft has released security updates addressing a critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-45659, impacting multiple versions of Microsoft SharePoint Server. With a CVSS score of 8.8, this flaw represents a significant risk to enterprises relying on SharePoint for collaboration and document management.

Introduction

The vulnerability stems from the deserialization of untrusted data within Microsoft Office SharePoint. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the underlying SharePoint server with the privileges of the SharePoint application pool service account—often a highly privileged account. Given that the attack chain requires no user interaction or specialized conditions, this vulnerability is a prime candidate for widespread automated scanning and exploitation by ransomware operators and initial access brokers. Immediate defensive action is required to secure the perimeter.

Technical Analysis

  • CVE Identifier: CVE-2026-45659
  • CVSS Score: 8.8 (High)
  • Affected Products: Microsoft SharePoint Server (Multiple versions, including 2019, Subscription Edition, and likely 2016 depending on extended support lifecycle).
  • Vulnerability Class: Insecure Deserialization

Mechanism of Exploitation: The flaw exists in how SharePoint handles serialized data objects. An attacker can send a specially crafted serialized object (e.g., via a malicious HTTP request to a vulnerable endpoint) to the target server. When SharePoint attempts to deserialize this data, the application fails to properly validate the input, leading to code injection. The code executes within the context of the IIS worker process (w3wp.exe), effectively giving the attacker control over the web server.

Exploitation Status: As of the advisory release, no public exploit has been demonstrated, but exploitation is expected to be straightforward given the nature of deserialization flaws. Historically, SharePoint deserialization vulnerabilities (e.g., CVE-2019-0604) have been rapidly weaponized. While active exploitation in the wild has not been explicitly confirmed in the initial reporting, the low attack complexity suggests that functional Proof-of-Concept (PoC) exploits will emerge quickly.

Detection & Response

Detecting deserialization attacks at the network perimeter is challenging because the payload may be obfuscated or encoded within standard web traffic. The most reliable detection method is identifying the post-exploitation behavior: the web server process spawning unusual child processes or establishing unauthorized network connections.

Sigma Rules

---
title: SharePoint RCE - w3wp.exe Spawning Shell
id: 89b4c3a1-2d4e-4f9a-8b1a-3c5d6e7f8a9b
status: experimental
description: Detects potential exploitation of CVE-2026-45659 by identifying the IIS worker process (w3wp.exe) spawning a command shell or PowerShell. SharePoint servers should not typically spawn these processes.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-45659
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts running on the server (rare)
level: critical
---
title: SharePoint RCE - Outbound Network Connection from w3wp.exe
id: 2e1f4a5b-6c7d-8e9f-0a1b-2c3d4e5f6a7b
status: experimental
description: Detects unusual outbound network connections initiated by the SharePoint IIS worker process, often indicative of C2 beaconing or data exfiltration post-exploitation.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-45659
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\w3wp.exe'
    Initiated: 'true'
  filter:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter
falsepositives:
  - SharePoint add-ins connecting to external SaaS services (Verify)
level: high
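To show how the two Sigma rules above behave on concrete telemetry, here is an added Python re-implementation of their logic (not code from the original post or from Security Arsenal) run over constructed Sysmon-style events. Field names follow the rules above; the internal-range filter is applied with the ipaddress module so that IPv6 loopback and unparsable addresses are handled explicitly.

```python
import ipaddress

# Constructed sample events in a Sysmon-like shape (EventID 1 = process creation,
# 3 = network connection); these are not real telemetry from the advisory.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                      # hit: shell under w3wp
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},             # worker respawn, no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # admin, no hit
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": "true",
     "DestinationIp": "10.20.30.40", "DestinationPort": 1433},       # SQL backend, filtered
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},       # hit: external outbound
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": "false",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},       # inbound, no hit
]

SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def is_internal(ip: str) -> bool:
    """True when the destination falls inside one of the rule's filtered internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: keep the event rather than silently filtering it
    return any(addr in net for net in INTERNAL_RANGES)

def rule_w3wp_spawns_shell(ev: dict) -> bool:
    """Rule 1: process_creation with ParentImage ending in \\w3wp.exe and a shell as Image."""
    return (ev.get("EventID") == 1
            and ev.get("ParentImage", "").lower().endswith("\\w3wp.exe")
            and ev.get("Image", "").lower().endswith(SHELLS))

def rule_w3wp_external_connection(ev: dict) -> bool:
    """Rule 2: Initiated=true connection from w3wp.exe whose destination is not internal."""
    return (ev.get("EventID") == 3
            and ev.get("Image", "").lower().endswith("\\w3wp.exe")
            and str(ev.get("Initiated", "")).lower() == "true"
            and not is_internal(ev.get("DestinationIp", "")))

def evaluate(events) -> list:
    """Return (rule_name, event) pairs for every event that matches one of the two rules."""
    return [(name, ev) for ev in events for name, rule in
            (("w3wp_spawns_shell", rule_w3wp_spawns_shell),
             ("w3wp_external_connection", rule_w3wp_external_connection)) if rule(ev)]
```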

KQL (Microsoft Sentinel / Defender)

// Hunt for suspicious process spawning by SharePoint IIS worker process
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| extend DeviceCustomEntity = DeviceName, AccountCustomEntity = AccountName

Velociraptor VQL

-- Hunt for established network connections from w3wp.exe to non-local IPs
-- netstat() exposes the remote endpoint as Raddr.IP / Raddr.Port and the
-- socket state as Status; =~ is a regular-expression match in VQL, so the
-- internal ranges are expressed as a regex rather than SQL LIKE wildcards.
SELECT Pid, Name, Family, Status,
       Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort
FROM netstat()
WHERE Name =~ '^w3wp[.]exe$'
  AND Status =~ 'ESTAB'
  AND NOT Raddr.IP =~ '^(127[.]|10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|::1$)'

Remediation Script (PowerShell)

This script assists in verifying if the patch for CVE-2026-45659 is installed by checking for the presence of the specific security update ID (HotfixID). Note: Replace the $TargetKB variable with the actual KB number released by Microsoft in the security advisory.

<#
.SYNOPSIS
    Verification script for CVE-2026-45659 (SharePoint RCE).
.DESCRIPTION
    Checks if the security update (KB) is installed on the local server.
    Caveat: Get-HotFix reads Win32_QuickFixEngineering, which only returns
    updates installed through Component Based Servicing. Updates delivered as
    Windows Installer (MSI/MSP) packages, as SharePoint product updates are,
    are not returned, so cross-check a "not found" result against the farm
    build number ((Get-SPFarm).BuildVersion or Get-SPProduct -Local) and the
    build listed in the advisory.
#>

# IMPORTANT: Update this variable with the KB ID from the official Microsoft Advisory
$TargetKB = "KB5000000"

Write-Host "[INFO] Checking for patch: $TargetKB" -ForegroundColor Cyan

$Patch = Get-HotFix -Id $TargetKB -ErrorAction SilentlyContinue

if ($Patch) {
    Write-Host "[SUCCESS] Patch $TargetKB is installed." -ForegroundColor Green
    Write-Host "Installed On: $($Patch.InstalledOn)"
} else {
    Write-Host "[ALERT] Patch $TargetKB NOT found. System is vulnerable to CVE-2026-45659." -ForegroundColor Red
    Write-Host "Action Required: Apply the latest SharePoint cumulative update immediately."
}

# Check SharePoint Service Status (W3SVC is the IIS web service that hosts SharePoint)
Write-Host "[INFO] Verifying SharePoint Health..."
$SpService = Get-Service -Name "W3SVC" -ErrorAction SilentlyContinue
if ($SpService -and $SpService.Status -eq "Running") {
    Write-Host "[INFO] IIS Service is Running. Reboot may be required after patching."
} else {
    Write-Host "[WARN] IIS Service (W3SVC) not found or not running." -ForegroundColor Yellow
}

Remediation

  1. Patch Immediately: Apply the latest cumulative updates for Microsoft SharePoint Server released in the May 2026 Patch Tuesday cycle. Ensure the update covers CVE-2026-45659.
  2. Verify Installation: Use the PowerShell script provided above or Windows Update logs to confirm the patch is successfully applied across all SharePoint Front-end and Application servers in the farm.
  3. Restrict Network Access: As a temporary mitigation if patching is delayed, restrict access to SharePoint servers from the internet using a firewall or VPN. Ensure only trusted internal IP ranges can communicate with the SharePoint application.
  4. Audit Logs: Review IIS logs and Windows Security event logs for signs of exploitation (failed deserialization attempts or unexpected process execution) dating back to the publication of the vulnerability.

Official Vendor Advisory:
