Microsoft SharePoint CVE-2026-45659 RCE exploitation
Summary
CVE-2026-45659 is a Microsoft SharePoint Server remote-code-execution vulnerability caused by deserialization of untrusted data. CISA added the flaw to the Known Exploited Vulnerabilities catalog on July 1, 2026, citing known exploitation and a July 4, 2026 remediation due date for covered agencies.
Microsoft's Security Update Guide describes the bug as network-exploitable by an authenticated attacker with at least Site Member permissions; successful exploitation can execute code remotely on the SharePoint Server. Microsoft originally rated exploitation as less likely, but CISA's KEV addition makes this an active-exploitation priority for exposed or high-trust SharePoint deployments.
Tags
- ops
- operations
- active exploitation
- CISA KEV
- Microsoft
- SharePoint
- SharePoint Server
- Microsoft Office SharePoint
- CVE-2026-45659
- remote code execution
- deserialization
- CWE-502
- authenticated RCE
- Site Member permissions
- enterprise applications
- collaboration platforms
- internet-facing applications
- patch management
Why this matters
- SharePoint often holds sensitive documents, workflow data, identity-integrated application access, and internal collaboration content.
- The vulnerability is authenticated rather than unauthenticated, but Microsoft's FAQ says any authenticated attacker with minimum Site Member permissions could trigger the issue; compromised low-privilege accounts may therefore become a server-side execution path.
- The CVSS vector is network / low complexity / no user interaction / low privileges with high confidentiality, integrity, and availability impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
- CISA's July 1 KEV entry confirms exploitation in the wild and sets a short July 4 remediation window under BOD 26-04.
- The issue was addressed by May 2026 SharePoint updates but was initially omitted from the May 2026 Security Update Guide, so patch status should be verified directly rather than inferred from change-management labels alone.
Public vulnerability detail
- Affected products: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition.
- Affected versions from NVD / Microsoft CNA data:
  - SharePoint Enterprise Server 2016 before 16.0.5552.1002.
  - SharePoint Server 2019 before 16.0.10417.20128.
  - SharePoint Server Subscription Edition before 16.0.19725.20280.
- Vulnerability class: deserialization of untrusted data (CWE-502).
- Access requirement: authenticated network access; Microsoft says the attacker needs minimum Site Member permissions and does not need admin or other elevated privileges.
- Impact: remote code execution on the SharePoint Server.
- Severity: Microsoft Important; CVSS base score 8.8.
- Known exploitation: CISA KEV date added 2026-07-01; known ransomware use listed as unknown.
- Remediation due date for covered U.S. federal agencies: 2026-07-04.
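The fixed builds above are the only reliable patch-status signal, and they must be compared numerically: as strings, "16.0.5552.1002" sorts after "16.0.10417.20128" because "5" > "1", which would mislabel every SharePoint 2019 farm. The following script is an example added for this page, not tooling from Microsoft, CISA or NVD; the fixed builds are the ones listed above, and the farm inventory is a constructed sample (farm names, products and builds are invented). It assumes the build string comes from the farm itself, for example the BuildVersion reported by Get-SPFarm in the SharePoint Management Shell.

```python
"""Check SharePoint farm build numbers against the fixed builds for CVE-2026-45659.

Example added for this page; not tooling from Microsoft, CISA or NVD.
The fixed builds are the ones listed on this page; the farm inventory
below is a constructed sample.
"""
from typing import Dict, List, Tuple

# Minimum fixed build per product, as listed on this page (NVD / Microsoft CNA data).
FIXED_BUILDS: Dict[str, str] = {
    "SharePoint Enterprise Server 2016": "16.0.5552.1002",
    "SharePoint Server 2019": "16.0.10417.20128",
    "SharePoint Server Subscription Edition": "16.0.19725.20280",
}

# Constructed inventory: (farm name, product, build reported by the farm).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("extranet-partners", "SharePoint Server 2019", "16.0.10417.20026"),
    ("intranet-hq", "SharePoint Server Subscription Edition", "16.0.19725.20280"),
    ("legacy-records", "SharePoint Enterprise Server 2016", "16.0.5500.1001"),
    ("lab-farm", "SharePoint Foundation 2013", "15.0.5000.1000"),
]


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Split 'a.b.c.d' into integers so the comparison is numeric.

    A plain string comparison would put '16.0.5552.1002' *after*
    '16.0.10417.20128' because '5' > '1'.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_vulnerable(product: str, installed_build: str) -> bool:
    """True when the installed build is below the fixed build for its product."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fixed build known for {product!r}")
    return parse_build(installed_build) < parse_build(FIXED_BUILDS[product])


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Classify each farm as VULNERABLE, PATCHED, or UNKNOWN.

    UNKNOWN means the product is not in the fixed-build table; it is reported
    explicitly so that an unrecognised product gets manual review instead of
    silently dropping out of the result.
    """
    results = []
    for farm, product, build in inventory:
        if product not in FIXED_BUILDS:
            status = "UNKNOWN"
        else:
            status = "VULNERABLE" if is_vulnerable(product, build) else "PATCHED"
        results.append({"farm": farm, "product": product, "build": build, "status": status})
    return results


if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_INVENTORY):
        print(f"{row['status']:<10} {row['farm']:<18} {row['product']} {row['build']}")
```

The product label has to be accurate for the check to mean anything: a 2019 build compared against the 2016 threshold would read as patched. Pair the build with the product reported by the farm rather than with a ticket label, which is the same caution the page gives about the May 2026 omission.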
Defender heuristics
- Inventory all SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition farms, especially internet-facing portals, partner-access sites, extranet deployments, and high-trust internal collaboration farms.
- Confirm that May 2026 or later security updates are installed and that build numbers meet or exceed the fixed versions listed above; do not rely solely on ticket labels because Microsoft says the CVE was initially omitted from the May 2026 Security Updates publication.
- Treat unpatched internet-exposed or broadly accessible SharePoint farms as active-exploitation candidates; preserve IIS, ULS, Windows event, EDR, reverse-proxy, WAF, and authentication logs before disruptive cleanup.
- Hunt for suspicious low-privilege SharePoint account activity followed by server-side execution indicators, new web-accessible files, unexpected timer jobs, workflow changes, application pool anomalies, or unusual child processes from SharePoint / IIS worker processes.
- Review Site Member and external-user membership for sensitive SharePoint sites; remove stale accounts, guest accounts, service accounts, and broad groups that do not need write or member-level access.
- Correlate SharePoint requests with identity telemetry for compromised-account signs: impossible travel, token replay, abnormal user agents, VPN/proxy sources, unexpected legacy authentication, or unusual access to multiple sites before exploitation.
- Rotate credentials and secrets exposed to affected SharePoint servers after containment, including application pool identities, database credentials, service principals, stored workflow credentials, and any secrets in document libraries or configuration stores.
- For internet-facing farms, restrict access through VPN/ZTNA, identity-aware proxy, or network allow-lists where possible; add detections for authenticated low-privilege users reaching administrative, workflow, or unusual server-side endpoints.
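The hunt described above (low-privilege SharePoint account activity followed by server-side execution indicators) reduces to a time-window correlation between IIS request logs and process-creation telemetry from the web front end. The script below is an example added for this page, not a detection shipped by Microsoft or CISA. Both inputs are constructed samples: an IIS W3C log excerpt (the usernames, paths and IPs are invented) and a list of process-creation events shaped like Sysmon Event ID 1 essentials. It assumes both sources use UTC timestamps; IIS logs in UTC by default, so normalise EDR or Sysmon times before correlating real data.

```python
"""Correlate IIS requests with suspicious child processes of the SharePoint worker process.

Example added for this page; not a vendor detection. The log excerpt and the
process events are constructed samples, both in UTC.
"""
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed IIS W3C log excerpt from a SharePoint web front end (UTC).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2026-07-02 09:14:03 10.0.0.5 GET /sites/finance/SitePages/Home.aspx CORP\\jdoe 203.0.113.7 200
2026-07-02 09:14:09 10.0.0.5 POST /sites/finance/_layouts/15/upload.aspx CORP\\jdoe 203.0.113.7 200
2026-07-02 09:14:12 10.0.0.5 POST /sites/finance/_api/contextinfo CORP\\jdoe 203.0.113.7 200
2026-07-02 11:30:00 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx CORP\\asmith 198.51.100.4 200
"""

# Constructed process-creation events from the same host (UTC).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"time": "2026-07-02 09:14:15", "host": "SP-WFE01", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"time": "2026-07-02 11:30:20", "host": "SP-WFE01", "parent": "w3wp.exe", "image": "csc.exe"},
    {"time": "2026-07-02 13:00:00", "host": "SP-WFE01", "parent": "explorer.exe", "image": "powershell.exe"},
]

WORKER_PROCESSES = {"w3wp.exe"}
# Shells spawned directly by the IIS worker are the indicator the page describes.
# csc.exe is spawned by w3wp.exe for ASP.NET dynamic compilation and is left out;
# tune this set to what the farm's own baseline shows.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_iis_log(text: str) -> List[Dict[str, Any]]:
    """Parse W3C-format lines using the #Fields: directive for column names."""
    fields: List[str] = []
    rows: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        row: Dict[str, Any] = dict(zip(fields, values))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def hunt(iis_text: str, events: List[Dict[str, str]], window_minutes: int = 5) -> List[Dict[str, Any]]:
    """For each worker-process shell spawn, report the authenticated requests
    seen in the preceding window so the account and endpoint can be reviewed."""
    requests = parse_iis_log(iis_text)
    window = timedelta(minutes=window_minutes)
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        if ev["parent"].lower() not in WORKER_PROCESSES:
            continue
        if ev["image"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        ev_ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        recent = [r for r in requests if ev_ts - window <= r["ts"] <= ev_ts]
        alerts.append({
            "host": ev["host"],
            "time": ev["time"],
            "image": ev["image"],
            "users": sorted({r["cs-username"] for r in recent}),
            "client_ips": sorted({r["c-ip"] for r in recent}),
            "last_uri": recent[-1]["cs-uri-stem"] if recent else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt(IIS_LOG, PROCESS_EVENTS):
        print(alert)
```

On a busy farm the window will contain many users, so the alert is a triage starting point rather than an attribution: join the listed accounts against the Site Member review and the identity telemetry the page recommends (source IP, user agent, legacy authentication) before concluding which session drove the process spawn.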
Related pages
- Storm-2603 parallel SharePoint ransomware intrusion
- PTC Windchill / FlexPLM CVE-2026-12569 exploitation
- Oracle E-Business Suite CVE-2026-46817 exploitation
Sources
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV JSON feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45659