SOCRadar® Cyber Intelligence Inc. | CISA Flags SharePoint RCE (CVE-2026-45659) for Active Exploitation
Jul 02, 2026
Moon

CISA Flags SharePoint RCE (CVE-2026-45659) for Active Exploitation

CISA has added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog as of July 1, 2026, indicating active exploitation. The vulnerability affects on-prem Microsoft SharePoint Server and can lead to remote code execution (RCE) via deserialization of untrusted data.

Microsoft shipped fixes as part of its May 2026 security updates, but KEV inclusion should change how teams prioritize remediation. Federal entities and organizations should prioritize this as an immediate action item, ensuring that all vulnerable SharePoint farms are patched and verified without delay.

What Is CVE-2026-45659?

CVE-2026-45659 (CVSS 8.8) is a Microsoft SharePoint Server (on‑prem) vulnerability caused by deserialization of untrusted data (mapped to CWE-502). In practice, SharePoint can be coerced into processing attacker-controlled serialized objects in a way that results in code execution on the server.

The vulnerability is reachable over the network and requires no user interaction, but the attacker must already be authenticated to SharePoint.

Details of CVE-2026-45659 (SOCRadar Vulnerability Intelligence)

CISA’s KEV record for CVE-2026-45659 sets a remediation due date of July 4, 2026. Notably, the entry marks its use in ransomware campaigns as “Unknown,” meaning there’s no confirmed link to ransomware operators at this time.

CISA’s listing for CVE-2026-45659

Public reporting has not clarified who is exploiting the flaw or the full exploitation chain, but KEV inclusion means CISA has evidence exploitation is occurring.

Which SharePoint Versions Are Affected?

This issue impacts on‑prem SharePoint Server, not SharePoint Online.

Affected versions are those below the following patched build numbers:

  • SharePoint Enterprise Server 2016: < 16.0.5552.1002
  • SharePoint Server 2019: < 16.0.10417.20128
  • SharePoint Server Subscription Edition: < 16.0.19725.20280

If you run SharePoint in a multi-server farm, validate build versions across the farm, not just on a single host.

What Are the Exploitation Preconditions and Risk Profile?

Microsoft’s advisory for CVE-2026-45659 rated exploitation as “Exploitation Less Likely,” but CISA’s recent KEV update shows exploitation is happening in practice.

Key security characteristics from the vulnerability record:

  • Attack vector: Network
  • Complexity: Low
  • Privileges required: Low (authenticated)
  • User interaction: None
  • Impact: High for confidentiality, integrity, and availability

A notable detail is that exploitation can be performed by an authenticated attacker with minimal “Site Member” permissions. That expands the threat model beyond administrators and service accounts.

Confirmed vs. Unconfirmed Technical Details

Confirmed (high level):

  • The weakness is unsafe deserialization that can lead to RCE.
  • The attacker must be authenticated and needs only low privileges (reported as “Site Member”).

Not publicly confirmed:

  • The specific SharePoint component or endpoint involved.
  • The gadget chain or payload delivery mechanics.
  • Detailed indicators tied to in-the-wild exploitation.

Timeline of CVE-2026-45659: Patch to KEV

  • May 2026: Fixes for CVE-2026-45659 shipped with Microsoft’s May 2026 security updates.
  • ~May 21–22, 2026: CVE record published with CVSS vector and description.
  • May 26–27, 2026: Microsoft updated its advisory to clarify that the fix had already been included in the May 2026 updates, but the CVE had been inadvertently omitted from the initial May Security Updates list.
  • June 17, 2026: Affected version ranges updated in vulnerability records.
  • July 1, 2026: CISA adds CVE-2026-45659 to KEV, indicating active exploitation. Remediation due date set for July 4, 2026.

How SOCRadar Can Help With Prioritization

Teams managing large vulnerability backlogs often struggle to separate “important” from “exploited.” SOCRadar XTI can support this workflow using:

  • Cyber Threat Intelligence to track CVEs that move into exploitation-driven categories (including KEV additions).
  • Attack Surface Management (ASM) to identify which SharePoint assets are internet-facing or exposed through unexpected paths, helping focus remediation where risk is highest.

Together, these capabilities help vulnerability managers and SOC teams align patching priorities with exploitation signals.

SOCRadar’s Vulnerability Intelligence

What Security Teams Should Do Now

With CISA’s due date of July 4, 2026, federal agencies and organizations following BOD 26-04 guidance should treat this as an immediate action item – patching and verification should be completed within the next few days and treated as an emergency change.

Patch and Verify Build Versions

Apply Microsoft’s fixes and confirm the SharePoint build numbers meet or exceed:

  • 2016: 16.0.5552.1002
  • 2019: 16.0.10417.20128
  • Subscription Edition: 16.0.19725.20280

Also confirm patch consistency across web front ends, application servers, and any dedicated service roles in the farm.
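The following script is an added example (not code from SOCRadar, Microsoft, or the advisory) that turns the build numbers listed above, and the "check the whole farm, not one host" advice from the affected-versions section, into a repeatable verification step. It assumes you run it in an elevated SharePoint Management Shell on a farm member, that PowerShell remoting is enabled to the other farm servers with a local-admin account, and that you pass the edition explicitly rather than having the script infer it. Reading the file version of Microsoft.SharePoint.dll on each server is an assumption used here as a per-server proxy; Central Administration's "Check product and patch installation status" page remains the authoritative view.

```powershell
<#
  Added example (not SOCRadar's, Microsoft's, or the advisory's code).
  Usage (from an elevated SharePoint Management Shell on a farm member):
      .\Check-SPBuild.ps1 -Edition 2019
  Assumptions: WinRM to the other farm servers works, the caller is a local
  admin on each, and Microsoft.SharePoint.dll carries the patched build.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('2016', '2019', 'SE')]
    [string]$Edition
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Minimum patched builds as reproduced in this article.
$MinimumBuild = @{
    '2016' = [version]'16.0.5552.1002'
    '2019' = [version]'16.0.10417.20128'
    'SE'   = [version]'16.0.19725.20280'
}[$Edition]

# 1. Farm-level build recorded in the configuration database.
$farmBuild = (Get-SPFarm).BuildVersion
$farmStatus = if ($farmBuild -ge $MinimumBuild) { 'OK' } else { 'BELOW MINIMUM' }
Write-Host ("Farm build {0} (minimum {1}): {2}" -f $farmBuild, $MinimumBuild, $farmStatus)

# 2. Per-server check. The farm build can read as patched while a web front
#    end or application server still runs old binaries, so query each server
#    for the version of Microsoft.SharePoint.dll (assumption: updated by the fix).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }   # skips SQL-only hosts

$results = foreach ($server in $servers) {
    $dllVersion = Invoke-Command -ComputerName $server.Address -ScriptBlock {
        $dll = Join-Path $env:CommonProgramFiles `
            'Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
        (Get-Item $dll).VersionInfo.FileVersion
    } -ErrorAction SilentlyContinue

    if (-not $dllVersion) {
        $status = 'UNREACHABLE'
    } elseif ([version]$dllVersion -ge $MinimumBuild) {
        $status = 'OK'
    } else {
        $status = 'BELOW MINIMUM'
    }

    [pscustomobject]@{
        Server   = $server.Address
        Role     = $server.Role
        DllBuild = $dllVersion
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any server is unpatched or could not be checked, so
# the script can gate the verification step of an emergency change.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

An UNREACHABLE row is a finding, not noise: a server you cannot verify should be treated as unpatched until someone checks it by hand.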

Review Authentication Exposure and Least Privilege

Because exploitation requires authentication, reduce the likelihood of attackers gaining valid access:

  • Audit who has Site Member access across sensitive sites.
  • Review external sharing, partner access models, and dormant accounts.
  • Tighten conditional access and multi-factor authentication (MFA) enforcement for SharePoint access paths where applicable.
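As an added example (not SOCRadar's code), the script below supports the first audit item: it lists every account holding the default Members group on each web in the farm, which is the role the article reports as sufficient for exploitation, and flags entries worth a second look. It assumes the farm uses claims authentication, so Windows accounts appear as "i:0#.w|DOMAIN\user" and any other claim prefix (forms-based, federated, or the built-in "Everyone"/"All authenticated users" principals) is treated as external. Dormancy is not visible from SharePoint's group membership alone; correlate the exported logins with your identity provider's last-sign-in data.

```powershell
<#
  Added example (not SOCRadar's code). Run in an elevated SharePoint
  Management Shell. Assumption: claims authentication, so Windows identities
  start with "i:0#.w|"; everything else is flagged as external/federated.
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions reuse the parent's groups; only
                # webs with unique role assignments own a Members group.
                if (-not $web.HasUniqueRoleAssignments) { continue }
                $group = $web.AssociatedMemberGroup
                if ($null -eq $group) { continue }

                foreach ($user in $group.Users) {
                    [pscustomobject]@{
                        Web      = $web.Url
                        Group    = $group.Name
                        Login    = $user.UserLogin
                        Email    = $user.Email
                        IsGroup  = $user.IsDomainGroup          # AD group = many people
                        External = -not ($user.UserLogin -like 'i:0#.w|*')
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Show the entries that most often hide unexpected access: external or
# federated identities, and domain groups that grant Member rights wholesale.
$report | Where-Object { $_.External -or $_.IsGroup } |
    Sort-Object Web | Format-Table Web, Login, IsGroup, External -AutoSize

# Full export for review against the identity provider (dormant accounts,
# departed partners, sharing links that were never revoked).
$report | Export-Csv -Path .\sharepoint-site-members.csv -NoTypeInformation
```

A domain group in the Members group is not wrong by itself, but every member of that group now meets the precondition the advisory describes, so the group's membership needs the same review as direct entries.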

Increase Monitoring for Suspicious SharePoint Activity

Public sources do not provide a definitive exploitation pattern, so focus on behavior-based signals:

  • Unusual processes spawned by IIS worker processes on SharePoint servers.
  • Unexpected application pool crashes, restarts, or anomalous CPU usage.
  • New or modified files in SharePoint-related directories that do not align with normal admin activity.
  • Suspicious authentication patterns leading into SharePoint, especially for accounts that typically do not access it.

If you have EDR coverage on SharePoint servers, confirm detections and policies apply to IIS-related execution chains, and ensure telemetry retention supports incident response.
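The script below is an added example (not SOCRadar's or Microsoft's code) for the first signal in the list above: processes spawned by IIS worker processes on a SharePoint server. It reads Sysmon event ID 1 (process creation) where available and falls back to Security event 4688, which only carries a parent process name when "Audit Process Creation" is enabled (and a command line when command-line auditing is enabled). The allow-list of benign children is an assumption for a default farm; extend it with children you know your own code spawns, and keep the list short, because a broad allow-list is exactly what a post-exploitation chain hides behind.

```powershell
<#
  Added example (not SOCRadar's or Microsoft's code). Run on a SharePoint
  server, elevated, to list child processes of w3wp.exe in the last N hours.
  Assumptions: Sysmon is installed (otherwise only the 4688 path returns
  data), and $KnownGood reflects what your farm legitimately spawns.
#>
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Children w3wp.exe commonly spawns in a healthy farm. Anything else
# (cmd, powershell, certutil, rundll32, mshta, ...) deserves a look.
$KnownGood = @('conhost.exe', 'werfault.exe', 'csc.exe', 'cvtres.exe')

# Turn an event's <EventData> into a name -> value hashtable.
function ConvertTo-EventDataHashtable($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

function Get-SysmonChildrenOfW3wp {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataHashtable $_
        if ($d.ParentImage -like '*\w3wp.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Source      = 'Sysmon'
                Image       = $d.Image
                CommandLine = $d.CommandLine
                User        = $d.User
                Parent      = $d.ParentCommandLine   # names the application pool
            }
        }
    }
}

function Get-SecurityChildrenOfW3wp {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataHashtable $_
        if ($d.ParentProcessName -like '*\w3wp.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Source      = 'Security'
                Image       = $d.NewProcessName
                CommandLine = $d.CommandLine       # empty unless command-line auditing is on
                User        = $d.SubjectUserName
                Parent      = $d.ParentProcessName
            }
        }
    }
}

$hits = (@(Get-SysmonChildrenOfW3wp) + @(Get-SecurityChildrenOfW3wp)) |
    Where-Object { $KnownGood -notcontains (Split-Path $_.Image -Leaf) }

if ($hits) {
    $hits | Sort-Object Time | Format-Table Time, Source, Image, CommandLine, User -AutoSize
} else {
    Write-Host "No unexpected children of w3wp.exe in the last $Hours hours."
}
```

Run it on every web front end and application server, not only the one you happen to be logged on to, and pair a hit with the other signals above (application pool recycles around the same time, new files under the SharePoint web roots) before closing it as benign.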