Microsoft’s June 2026 security update bundle dropped a critical patch that every SharePoint administrator needs to apply immediately. Tucked inside the Security Update Guide under CVE-2026-45454 is a remote code execution (RCE) vulnerability that affects on-premises SharePoint servers. The flaw carries a CVSS score of 9.8, making it one of the most severe SharePoint bugs disclosed this year.

RCE vulnerabilities in SharePoint are the digital equivalent of handing an attacker the keys to your entire collaboration kingdom. An unauthenticated attacker can exploit this specific weakness over the network, gaining the ability to execute arbitrary code with the privileges of the SharePoint application pool identity. In practice, that means a foothold that can quickly escalate to full domain compromise—document libraries, custom workflows, and sensitive data all become fair game.

The vulnerability stems from improper deserialization of user-supplied input within a core SharePoint component. Deserialization flaws have haunted SharePoint since the 2010s; they allow attackers to craft malicious payloads that the server interprets as legitimate commands. CVE-2026-45454 follows in that tradition, requiring no user interaction and no authentication, which is why the severity rating jumped to Critical.

Attackers are already circling. Within 48 hours of the patch’s release, multiple proof-of-concept (PoC) exploits appeared on code-sharing platforms. One well-known threat intelligence firm reported seeing active scanning for internet-facing SharePoint servers trying to fingerprint vulnerable versions. If history repeats, we’ll see wormable exploits within the next week—recall how CVE-2019-0604 and the infamous CVE-2020-1181 SharePoint RCEs were weaponized within days of disclosure.

Who is affected?

Any organization running on-premises SharePoint Server versions that receive extended support from Microsoft is within the blast radius. Specifically, SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 are confirmed vulnerable. SharePoint Foundation 2013, still clinging to life in some legacy environments, is also impacted, though extended support ended for that version in April 2023. For those still running it, you’re on your own—Microsoft won’t be shipping a fix.

The vulnerability does not affect SharePoint Online. Microsoft’s cloud service runs on a different codebase and had the same underlying deserialization issue mitigated through service-side changes months ago, before the June 9 disclosure date. This is yet another reminder that maintaining on-premises SharePoint is a security responsibility that requires constant vigilance.

How does the exploit work?

While Microsoft hasn’t published the full technical breakdown (and for good reason), security researchers who reverse-engineered the patch point to the _layouts/15/Upload.aspx page as the likely entry point. The page improperly validates data streams during file upload operations, allowing an attacker to inject a crafted payload that triggers deserialization in the Business Connectivity Services (BCS) engine. Once the gadget chain fires, the attacker achieves code execution under the service account context.

This isn’t a theoretical exercise. A researcher who asked to remain anonymous demonstrated a working exploit over the weekend that installs a persistent webshell on a fully patched SharePoint 2019 server except for the June 2026 update. The attack requires a single HTTP POST request. No login. No user click. Just network access to the web front-end.

Patch or perish

Microsoft released KB5034865 for SharePoint Server Subscription Edition, KB5034866 for SharePoint Server 2019, and KB5034867 for SharePoint Server 2016. These updates do more than simply patch CVE-2026-45454; they also include a defense-in-depth hardening of the BCS deserialization process that should block entire classes of similar attacks. The company strongly recommends flipping the AutoSPInstaller switches to apply the patch as part of the normal monthly servicing routine.

For administrators, the upgrade path is straightforward:

  • Download the appropriate patch from the Microsoft Update Catalog.
  • Run the executable on each server in the farm, starting with the server hosting Central Administration.
  • Execute the SharePoint Products Configuration Wizard on each server to complete the update.
  • Verify that all services and application pools are running smoothly.

Microsoft’s guidance also includes a one-click mitigation for those who cannot patch immediately. You can disable the BCS service application entirely—but that breaks any solutions relying on external content types. A more surgical approach is to block access to _layouts/15/Upload.aspx via URL Rewrite rules in IIS, though this may interfere with legitimate file upload functionality.

SharePoint RCE: A harrowing history

CVE-2026-45454 didn’t materialize in a vacuum. SharePoint has been a favourite target for RCE exploits dating back to the CVE-2010-3332 era. The 2019-2021 period was especially brutal:

  • CVE-2019-0604 (2019): A deserialization flaw exploited in the wild by Chinese state-sponsored group APT41.
  • CVE-2020-1181 (2020): A bypass of a previous patch that allowed “one-shot” RCE on unpatched 2016 and 2019 servers.
  • CVE-2020-16952 (2020): Another deserialization bug that Microsoft rated as Important despite being trivially exploitable.
  • CVE-2021-24066 (2021): A post-authentication RCE chained with other vulns to achieve unauthenticated compromise.

In almost every case, PoC exploits landed within days, and full-fledged attacks followed shortly after. The timeframe isn’t likely to be different this time.

What should defenders do?

The number-one priority is patching. If your organization has a change management process that forces a delay, invoke the emergency change procedure. The risk of exploitation far outweighs the risk of a service interruption from an untested patch. For those who need ammunition to convince management, point to the CVSS score, the active scanning, and the fact that SharePoint servers often hold crown-jewel data.

While patching, consider these additional hardening steps:

  • Limit network exposure: SharePoint servers should never be directly exposed to the internet. Use a reverse proxy with strict filtering, and restrict access to known IP ranges.
  • Enable IIS logging and monitoring: Look for POST requests to _layouts/15/Upload.aspx with unusually large payloads or patterns that deviate from normal file uploads.
  • Isolate service accounts: The SharePoint application pool identity should not have local administrator rights or domain privileges beyond what’s absolutely necessary. Consider using Managed Service Accounts.
  • Deploy web application firewalls (WAF): A properly configured WAF can block deserialization attacks by inspecting request bodies for malicious binary patterns.
  • Assume breach: Conduct a hunt for webshells and anomalous scheduled tasks. Many attackers will exploit this type of flaw to establish persistence before the patch is applied.

The bigger picture

CVE-2026-45454 arrives as organizations are still grappling with the fallout from the Exchange Server zero-days earlier in 2026 and a series of Microsoft 365 phishing campaigns. Cybercriminals and nation-state actors are increasingly targeting on-premises collaboration platforms because they represent a single point of failure for organizational knowledge. Once inside SharePoint, attackers can pivot to Active Directory, read email via Exchange, and exfiltrate years of intellectual property.

Microsoft’s aggressive move to push customers toward SharePoint Online and Microsoft 365 has left many on-premises deployments feeling like second-class citizens. Yet plenty of enterprises remain tied to on-premises or hybrid setups due to compliance requirements, data sovereignty concerns, or the complexity of migrating custom solutions. For those customers, Patch Tuesday is a non-negotiable ritual.

The June 2026 patch also includes fixes for CVE-2026-45445 (a SharePoint XSS that can lead to session hijacking) and CVE-2026-45446 (a SQL Server Reporting Services SSRF), but none carry the weight of CVE-2026-45454. SharePoint admins might grumble about the constant stream of patches, but the alternative—a front-page headline about a data breach—is far worse.

What happens next?

If you’re reading this and haven’t patched yet, stop. Apply the update. Disable BCS if you can’t patch right now. Monitor your network flows for signs of scanning. The countdown to exploitation is measured in days, not weeks.

Microsoft will likely release more detailed IoCs (Indicators of Compromise) in the coming days via the MSRC blog and partner channels. The community will also undoubtedly publish Snort/Suricata rules and Sigma detections. Use them. This is not the vulnerability to sit on.

SharePoint’s attack surface may evolve, but the defense equation remains constant: patch fast, harden furiously, and assume every missed update is an open door. CVE-2026-45454 is the one that’s trying to kick that door in right now.