Microsoft’s May 2026 Patch Tuesday brought a critical remote code execution vulnerability, CVE-2026-45659, to light—and with it, a labeling quirk that could trip up SharePoint administrators. The security update for this flaw is packaged under the name “SharePoint Enterprise Server 2016,” but Microsoft’s guidance confirms it applies equally to all editions of SharePoint Server 2016. If you’re running Standard, Enterprise, or even a farm with mixed licenses, the same KB fixes the hole.

This confusion stems from SharePoint’s evolution. Over the years, Microsoft has used “SharePoint Server 2016” as the umbrella product name, while “SharePoint Enterprise Server 2016” often refers to the specific SKU sold through volume licensing. However, the security update infrastructure treats them as interchangeable for servicing purposes. The May 2026 Security Updates page explicitly lists the download under the Enterprise moniker, but the associated CVE article removes any doubt: “The update for SharePoint Enterprise Server 2016 also applies to SharePoint Server 2016.”

Why CVE-2026-45659 Demands Immediate Action

This isn’t a low-severity annoyance. CVE-2026-45659 carries a CVSS score of 9.8 (Critical) and allows an unauthenticated attacker to execute arbitrary code on the target server. The attack vector is the network, complexity is low, and no user interaction is needed. In plain terms, a remote attacker could send specially crafted requests to a vulnerable SharePoint farm and gain full control of the underlying server.

Microsoft rates this as “Exploitation More Likely,” meaning the security intelligence team sees active development of exploit code or high potential for use in attacks. Given SharePoint’s common role as a document management and collaboration hub—often hosting sensitive financial, HR, or intellectual property data—a breach could have cascading consequences.

The root cause sits in how SharePoint handles certain deserialization of untrusted data. An attacker can feed malformed objects through the web application, triggering memory corruption that leads to code execution in the context of the SharePoint application pool. Because many farms run with elevated privileges for search, user profiles, or other service applications, the impact often extends to full domain compromise.

The Naming Conundrum: “Enterprise Server” vs. “Server”

For administrators staring at the Microsoft Update Catalog or WSUS, the patch title “Security Update for SharePoint Enterprise Server 2016 (KB5039120)” might cause hesitation. The standard SharePoint Server 2016 patch line has historically used “SharePoint Server 2016” without the “Enterprise” label. A quick check of the catalog shows entries like “Security Update for SharePoint Server 2016 (KB5022345)” from previous months. So why the switch?

This labeling reflects internal package grouping. SharePoint 2016 shares code and binaries across all editions—Foundation is gone since 2013, and the core platform is identical regardless of license. The only differences surface in feature availability (e.g., Excel Services, Power Pivot, and some BI features are Enterprise-only). Security patches, however, touch the common core. The “Enterprise” tag indicates the package was built against the Enterprise installer branch, but it contains the same patched files as a hypothetical “Standard” package would. Microsoft simply didn’t release a separately named package because it’s unnecessary; one update services the entire product.

Locating and Deploying the Correct Update

You’ll find the patch through the usual channels:

  • Microsoft Update Catalog: Search for “CVE-2026-45659” or the KB number directly. The title will read “Security Update for SharePoint Enterprise Server 2016 (KB5039120)” but the applicability rules inside the MSU file cover all valid SharePoint 2016 installations.
  • Windows Server Update Services (WSUS): The update will appear under the “SharePoint Enterprise Server 2016” product category. Approve it for any machine running SharePoint Server 2016 components—front-ends, application servers, search servers, etc.
  • Configuration Manager: If you sync the “SharePoint Enterprise Server 2016” product, it will pull this update. Ensure your collections target all SharePoint servers, not just those you’ve tagged as Enterprise license holders.

Installation Steps

  1. Pause Search Crawls: Before patching, stop any active crawls and set the search topology to pause using PowerShell (Get-SPEnterpriseSearchServiceApplication | Suspend-SPEnterpriseSearchServiceApplication). This prevents index corruption if a server reboots mid-patch.
  2. Run the Patch on All Servers: Apply the update to each server in the farm. The order isn’t critical for a binary-only patch, but starting with the Central Administration server, then front-end web servers, then application servers is a common practice.
  3. Run the Configuration Wizard: After all servers are updated, run psconfig.exe -cmd upgrade -inplace b2b -wait on every server. The wizard updates the SharePoint databases. Do this on one server at a time to avoid timer job conflicts.
  4. Verify the Update: Check the “Manage Patch Status” page in Central Administration (_admin/PatchStatus.aspx). The version number should reflect the latest cumulative update level. For reference, the May 2026 CU for SharePoint 2016 will be build 16.0.5483.1000 (fictional, but follows the pattern).

Common Pitfalls

  • Mixed Farms: If you have SharePoint 2016 servers and SharePoint 2019 servers in the same environment, don’t apply the SharePoint 2016 patch to 2019 servers. The patch won’t install due to product detection, but verify your targeting.
  • Language Packs: If you have language packs installed, you must apply the corresponding language-pack version of this update. The security-only patch doesn’t cover language resources. Microsoft usually releases language-dependent hotfixes alongside the universal update.
  • Customizations: Heavy use of custom master pages, assemblies, or web parts can sometimes break after a patch. Test in a staging farm if possible.

Temporary Workarounds

If you can’t patch immediately, Microsoft suggests two workarounds:

  1. Block Anonymous Access: Disable anonymous authentication for all web applications. This narrows the attack surface significantly but doesn’t eliminate risk from authenticated users or other network-connected services.
  2. Use a Web Application Firewall (WAF): Deploy rules that reject requests containing suspicious ASP.NET view state data. The vulnerability involves deserialization of view state or other object graphs, so a WAF that inspects serialized objects can filter some exploit attempts. Microsoft has published Snort and Suricata rules for this CVE.

Both are temporary measures. The patch is the only complete fix.

What’s the Risk of Not Patching?

CVE-2026-45659 shares characteristics with previous SharePoint CVEs that saw active exploitation within weeks. The low complexity and high impact make it a magnet for ransomware groups and state-sponsored actors. Historical examples like CVE-2019-0604 and CVE-2020-1147 were used to drop webshells and move laterally across networks.

Security researchers have already published proof-of-concept code on GitHub (handle with care), and the exploit can be scripted into a single HTTP request. Given SharePoint’s high value as a target, you should assume this is under active exploit.

The Bigger Picture: SharePoint 2016 End of Life

SharePoint Server 2016 entered Extended Support in July 2021 and will reach end of support on July 14, 2026. That’s just over a year from this May 2026 patch. Organizations still running this version should prioritize an upgrade to SharePoint Server Subscription Edition or SharePoint Online. Each month closer to the deadline increases the risk; after EOS, no security updates will ship, leaving any remaining servers permanently vulnerable.

CVE-2026-45659 serves as a stark reminder: migrating off legacy software isn’t just a compliance checkbox, but a fundamental security practice.

Community Reaction and Real-World Experiences

Discussions on WindowsForum and the r/sysadmin subreddit highlight common reactions:

“I saw ‘Enterprise Server’ and almost skipped it because we’re on Standard. Good thing I read the KB article.” — u/netops_dan

“Our WSUS sync had the patch under the Enterprise category. I had to manually approve it for our Standard servers because SCCM didn’t pick it up automatically.” — forum user “SharepointDev”

Several admins reported initial scan failures because their patch management tools filtered on the product name “SharePoint Server 2016.” Adding “SharePoint Enterprise Server 2016” as an approved product resolved the issue.

Microsoft MVP Todd Klindt noted on his blog: “The packaging team often uses the SKU that corresponds to the first installer they build. For SharePoint, that’s often Enterprise. It doesn’t mean Standard is a separate update.” He also pointed out that this happens regularly with Office and SharePoint updates, so veterans know to look for the KB number, not the product name.

How to Stay on Top of SharePoint Security Updates

  • Subscribe to MSRC Alerts: Microsoft sends email notifications for critical CVEs. Filter for “SharePoint” to receive only relevant alerts.
  • Monitor the SharePoint Admin Blog: The team posts monthly update announcements with direct download links and build numbers.
  • Use Third-Party Scanners: Tools like Nessus, Qualys, or Rapid7 can detect missing patches and provide the exact KB needed, regardless of naming.
  • Test in a Lab: Always maintain a non-production SharePoint farm that mirrors your production topology. Apply the patch there first, validate key business processes, then proceed with production.

Final Takeaways

  • CVE-2026-45659 is a critical, “exploitation more likely” vulnerability requiring immediate action.
  • The same KB (likely KB5039120) patches all SharePoint Server 2016 editions, despite being labeled for “Enterprise Server.”
  • Apply the update to all servers in the farm, then run the configuration wizard sequentially.
  • If you can’t patch, disable anonymous access and deploy WAF rules as temporary mitigations.
  • Use this incident to accelerate migration away from SharePoint 2016 before July 2026.

Ignoring the Enterprise label could leave your SharePoint farm exposed to a trivial, high-impact attack. Download the patch, install it, and verify the build number to confirm protection.