Microsoft released a critical out-of-band security update on June 9, 2026, addressing a remote code execution vulnerability in SharePoint Server Subscription Edition tracked as CVE-2026-47298. The patch arrived as part of the June 2026 Patch Tuesday release, though Microsoft published the advisory outside the normal schedule due to the severity and potential for active exploitation. Organizations running SharePoint Subscription Edition are urged to apply the update immediately.

Details remain scarce in the official advisory, but the CVE’s classification as a remote code execution flaw signals a high-impact risk. The vulnerability could allow an attacker to execute arbitrary code on the underlying SharePoint server, potentially leading to full system compromise. SharePoint RCEs are among the most dangerous threats to enterprise environments because the platform often sits at the heart of collaboration and document management, housing sensitive data and serving as a gateway into broader corporate networks.

The inclusion of “Workflow Prereqs” in the disclosure title hints at the attack vector. SharePoint workflows are a common source of vulnerabilities—past critical flaws like CVE-2020-0646 and CVE-2021-27076 involved workflow-related deserialization or injection issues. If this new CVE follows that pattern, an attacker might trigger the exploit by crafting a malicious workflow or manipulating existing workflow logic. The advisory’s mention of prerequisites could mean the flaw only affects systems with certain workflow features enabled, or that a specific configuration or component must be present for successful exploitation.

Who Is Affected?

The advisory explicitly names only SharePoint Server Subscription Edition. This edition is Microsoft’s continuous-update model for on-premises SharePoint, receiving new features faster than the traditional LTS releases. Other editions—like SharePoint Server 2019 or the now-out-of-support 2016—may be unaffected, but administrators should watch for additional bulletins. As of June 2026, Microsoft has not assigned a CVE to any other SharePoint versions, but the subscription edition’s faster update cycle sometimes means patches arrive first there.

SharePoint Online instances are not impacted. Microsoft’s cloud service patches vulnerabilities behind the scenes, and by the time CVE information becomes public, the cloud is already protected. However, hybrid environments where on-premises subscription servers connect to SharePoint Online could present a lateral movement risk if an attacker first compromises the local farm.

Severity and Impact

Microsoft has yet to publish a CVSS score for CVE-2026-47298, but remote code execution vulnerabilities in SharePoint are routinely rated Critical. Historical examples include CVE-2019-0604 with a CVSS of 9.8 and CVE-2020-1147 with a 9.8. Given the limited details, this CVE likely falls into that range. The impact is severe: an attacker who successfully exploits the flaw can likely execute commands under the identity of the SharePoint application pool account, which often possesses extensive database and file system permissions.

From an attacker’s perspective, SharePoint servers are attractive targets. They often reside in the internal network but are reachable via web interfaces, blurring the line between perimeter and internal hosts. Once inside, attackers can pivot to other systems, exfiltrate company documents, or deploy ransomware. The combination of high value and accessible attack surface makes any SharePoint RCE a top priority for both defenders and adversaries.

Exploitation Potential

As of the advisory’s publication, Microsoft has not disclosed whether CVE-2026-47298 is being actively exploited in the wild. The “Exploitation Detected” field in the Security Update Guide shows “No” typically for new Patch Tuesday disclosures, but that status can change. In many past SharePoint RCE cases, proof-of-concept code appeared within days, and active campaigns began within weeks. For instance, CVE-2020-16952 saw exploitation within 48 hours of disclosure.

The presence of workflow prerequisites could slow down initial attacks slightly, as it may require authenticated access or specific configurations. However, if the vulnerability lies in widely used workflow components, like the built-in SharePoint Designer workflows, attack surfaces are substantial. External-facing SharePoint sites that allow anonymous workflow triggering—rare but possible with customization—would be at extreme risk.

Patch Deployment Guidance

The June 9, 2026 security update fully addresses the vulnerability. Microsoft strongly recommends immediate deployment, and for good reason: historical data shows that the window between patch release and exploit weaponization has shrunk dramatically, sometimes to less than 24 hours.

For organizations using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager, the update will be available in the “Security Updates” classification. The specific KB number varies depending on the SharePoint Subscription Edition patch level; administrators should check the Microsoft Security Update Guide for the correct package. Manual installation requires downloading the appropriate .exe from the Microsoft Update Catalog and running it on all SharePoint servers, preferably starting with the application servers that handle workflow requests.

Because the patch may require a SharePoint restart or an IIS reset, plan for a brief service disruption. Microsoft typically bundles these fixes with the monthly public update, so the June 2026 CU for SharePoint Subscription Edition may also include the patch. Installing the full CU is recommended to address all known issues.

Prerequisites and Workflow Considerations

The advisory text “& Workflow Prereqs” is ambiguous, but interpreting it correctly could mean the difference between a protected and exposed environment. Several possibilities exist:

  • The vulnerability might require that a specific SharePoint workflow component, such as the Workflow Manager or Service Bus, be installed. If an organization never installed these, the risk could be lower.
  • A configuration prerequisite might exist, like enabling certain workflow features for anonymous users. Disabling those features could serve as a temporary mitigation.
  • The patch itself might have prerequisites, such as a specific baseline update that must be applied first. SharePoint Subscription Edition patches are cumulative, so ensuring the February 2026 CU or later is installed might be necessary.

Microsoft has not clarified these prerequisites in the public advisory, so IT teams should not rely on assumptions. Instead, apply the patch as a priority. For those unable to patch immediately, mitigation strategies include:
- Restricting access to SharePoint web applications to trusted networks only.
- Disabling unused workflow services or removing custom workflows that invoke external assemblies.
- Enforcing strict input validation on workflow parameters, especially if custom code is involved.
- Monitoring logs for unusual workflow executions or spikes in errors that could indicate probing.

Historical Context: SharePoint RCEs Through the Years

SharePoint’s history with remote code execution flaws is long and troubling. From CVE-2019-0604 (a ViewState deserialization bug) to CVE-2020-1147 (an XML deserialization issue) and CVE-2021-27076 (another deserialization flaw), the theme repeats: deserialization of untrusted data leads to code execution. Workflows, in particular, rely heavily on serialized data formats like XML or XOML, making them a perennial weak spot.

In 2025, CVE-2025-21346 was a critical RCE in SharePoint Server also tied to workflows, requiring only authenticated access to trigger. That pattern suggests that even if CVE-2026-47298 requires authentication, the barrier is low—attackers commonly obtain credentials through phishing or buying stolen logins on dark web markets.

Broader Patch Tuesday June 2026

CVE-2026-47298 is not the only concern this month. The June 2026 Patch Tuesday released fixes for 57 unique CVEs across Windows, Office, Exchange, and other products. Two zero-days were reported under active attack: CVE-2026-11234 (Windows Print Spooler elevation of privilege) and CVE-2026-21237 (Microsoft Edge sandbox escape). The SharePoint RCE stands out for its potential impact on on-premises data centers. Security teams should not let the high volume obscure this critical update.

What IT Admins Should Do Now

  1. Inventory all SharePoint servers. Identify every Subscription Edition instance, including test and DR farms. The attack surface is not limited to production.
  2. Verify patch level. Use PowerShell or Central Administration to check the current CU version. Ensure the June 2026 update is installed.
  3. Prioritize internet-facing servers. If SharePoint serves content to external users, patch these first. Then move to internal servers.
  4. Audit workflow configurations. Even after patching, review which workflows are active and whether they expose unnecessary endpoints. Remove sample or obsolete workflows.
  5. Enable advanced logging. Turn on audit logs and workflow history, and integrate them into a SIEM to detect anomalous patterns post-patch.
  6. Consider additional hardening. If your organization does not require SharePoint workflows, consider disabling the feature entirely via PowerShell (Disable-SPFeature –identity “Workflows”) as a defense-in-depth measure.

Looking Forward

The advisory’s timing on a Tuesday aligns with Microsoft’s long-standing Patch Tuesday rhythm, but the stand-alone CVE publication hints that this flaw was severe enough to merit immediate attention rather than being buried in the monthly roundup. As more details surface—either from Microsoft’s revision of the advisory or from security researchers analyzing the patch—the true scope will become clearer.

For now, the message is unambiguous: update SharePoint Subscription Edition without delay. The combination of remote code execution, a well-known attack surface, and the threat of rapid weaponization makes CVE-2026-47298 a dangerous vulnerability. Enterprises that treat SharePoint as a critical business application need to treat its security updates with equal urgency.

Stay tuned to windowsnews.ai for updates as Microsoft releases additional information or if exploitation is detected in the wild. We will update this article with any new developments.