A critical security vulnerability has emerged in Microsoft SharePoint, identified as CVE-2026-45659. This flaw permits unauthenticated remote code execution (RCE) with minimal complexity, presenting a severe risk to organizations utilizing SharePoint for collaboration and document management.
Given that SharePoint deployments are frequently exposed to the internet to support remote work and external partnerships, this vulnerability effectively opens a door to your internal network for attackers. No valid credentials are required to trigger the exploit. Defenders must treat this with the highest urgency—prioritizing patching over standard change management windows is strongly advised.
Technical Analysis
- CVE Identifier: CVE-2026-45659
- CVSS Score: 8.8 (High)
- Affected Products: Microsoft SharePoint Server (Subscription Edition, 2019, 2016).
- Attack Vector: Network (Adjacent or Internet-facing).
- Privileges Required: None.
- User Interaction: None.
The Vulnerability
The vulnerability exists within how Microsoft SharePoint handles specific crafted web requests. Due to a failure in properly validating serialized data or inputs within a core service component, an attacker can send a malicious packet to a target SharePoint server. Successful exploitation results in the IIS worker process (w3wp.exe) executing arbitrary code with the privileges of the SharePoint Application Pool account.
Because the vulnerability is unauthenticated and requires no user interaction, it is highly likely to be integrated into automated exploitation frameworks and botnets imminently. While there is no confirmed evidence of active exploitation in the wild at the time of this writing, the low barrier to entry suggests it is only a matter of time.
Detection & Response
Detecting the exploitation of CVE-2026-45659 relies on identifying anomalous behavior stemming from the SharePoint web worker process. Since this is an RCE, the most reliable signal is the web server process (w3wp.exe) spawning unexpected child processes, such as shells or network utilities.
Sigma Rules
The following Sigma rules target the immediate post-exploitation behavior. Note that SharePoint App Pools typically run under service accounts (e.g., SP_Farm or Domain\SharePoint), not SYSTEM, though SYSTEM is possible in misconfigurations.
---
title: Potential SharePoint RCE - w3wp.exe Spawning Shell
id: 8a4b3c9d-1e2f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects potential exploitation of SharePoint RCE via w3wp.exe spawning command shells or PowerShell.
references:
- CVE-2026-45659
author: Security Arsenal
date: 2026/04/01
tags:
- attack.initial_access
- attack.execution
- attack.t1190
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_legit:
# Filter out known legitimate administrative paths if necessary, but be cautious
User|contains:
- 'ADMIN$'
- 'MOSS_' # Standard SharePoint Service Accounts often contain this
falsepositives:
- Legitimate administrative debugging (rare)
- Custom scripts executed by administrators
level: critical
---
title: SharePoint w3wp.exe Outbound Network Connection
id: 9b5c4d0e-2f3g-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects suspicious outbound network connections initiated by SharePoint IIS worker process, indicative of reverse shell or C2 activity.
references:
- CVE-2026-45659
author: Security Arsenal
date: 2026/04/01
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\w3wp.exe'
Initiated: 'true'
filter_standard_ports:
DestinationPort not in:
- 443
- 80
- 53
- 88
- 389
- 636
- 3268
- 3269
- 445
- 135
- 139
falsepositives:
- SharePoint plugins connecting to external APIs
- Search crawlers contacting external sources
level: high
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for process creation events involving the SharePoint worker process spawning common Living-Off-The-Land (LOL) binaries.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for instances of w3wp.exe spawning child processes on the endpoint, useful for DFIR triage.
-- Hunt for w3wp.exe spawning suspicious child processes
SELECT Parent.Name AS ParentName, Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Parent.Name =~ "w3wp.exe"
AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
Remediation Script (PowerShell)
This script assists in the verification of the patch for CVE-2026-45659. Note: Replace the $KBNumber variable with the specific KB Article ID released by Microsoft for this CVE once available.
# Script to verify SharePoint Patch for CVE-2026-45659
# Requires Administrator Privileges
$KBNumber = "KB504XXXXX" # REPLACE with actual Microsoft KB ID for CVE-2026-45659
$PatchInstalled = $false
Write-Host "[+] Checking for patch $KBNumber..." -ForegroundColor Cyan
# Check via Get-Hotfix
try {
$Hotfix = Get-Hotfix -Id $KBNumber -ErrorAction SilentlyContinue
if ($Hotfix) {
Write-Host "[SUCCESS] Patch $KBNumber is installed. Installed On: $($Hotfix.InstalledOn)" -ForegroundColor Green
$PatchInstalled = $true
}
}
catch {
# Get-Hotfix might fail if update superseded, check file versions as fallback
}
if (-not $PatchInstalled) {
Write-Host "[WARNING] Patch $KBNumber was not found via Get-Hotfix." -ForegroundColor Yellow
Write-Host "[+] Checking SharePoint DLL Versions..." -ForegroundColor Cyan
# Common SharePoint DLL path
$DLLPath = "${env:CommonProgramFiles}\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll"
if (Test-Path $DLLPath) {
$FileVersion = (Get-Item $DLLPath).VersionInfo.FileVersion
Write-Host "[INFO] Current Microsoft.SharePoint.dll Version: $FileVersion" -ForegroundColor White
# Logic: Compare against a known patched version baseline.
# Defenders must update the MinimumPatchedVersion based on official advisory.
$MinimumPatchedVersion = "16.0.17000.0000" # PLACEHOLDER VALUE
if ($FileVersion -ge $MinimumPatchedVersion) {
Write-Host "[INFO] File version indicates the system may be patched (verify $MinimumPatchedVersion)." -ForegroundColor Green
} else {
Write-Host "[ALERT] File version is below expected patched baseline. System likely vulnerable." -ForegroundColor Red
}
} else {
Write-Host "[INFO] SharePoint DLL not found at standard path. Is SharePoint installed on this host?" -ForegroundColor Gray
}
}
Remediation
- Patch Immediately: Apply the security updates released by Microsoft for CVE-2026-45659. Ensure all SharePoint Servers (Front-end and Back-end) are updated.
- Verify Patching: Run the PowerShell script above or manually verify the specific KB article is listed in "Installed Updates".
- Restrict Internet Access: If immediate patching is not possible, restrict access to SharePoint servers from untrusted networks (e.g., the Internet) via firewall policies or requiring VPN access.
- Audit IIS Logs: Review IIS logs for the last 30 days for unusual POST requests to
_layoutsor specific API endpoints that might correlate with exploitation attempts. - Official Advisory: Refer to the official Microsoft Security Update Guide for the specific update release details.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.