2026-07-02 – CISA Sounds Alarm: SharePoint Server RCE CVE-2026-45659 Added to KEV Catalog

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-45659, this deserialization flaw carries a CVSS score of 8.8 and is actively being exploited in the wild.

An authenticated attacker holding at least “Site Member” permissions can use the vulnerability to execute arbitrary code on the hosting server. Because of active exploitation, CISA has ordered all Federal Civilian Executive Branch (FCEB) agencies to apply the relevant vendor patches by July 4, 2026.

Deep-Dive Technical Analysis

CVE-2026-45659 resides in Microsoft SharePoint Server and arises from deserialization of untrusted data. Deserialization vulnerabilities occur when an application takes structured user-supplied data, usually in a serialized format, and reconstructs it into program objects without verifying that the data describes only the types and values the application expects.

An authenticated attacker with a low-privileged account, at minimum “Site Member” permissions (PR:L), can exploit the vulnerability by submitting a crafted serialized object payload to a vulnerable SharePoint endpoint over the network. When SharePoint deserializes the untrusted data, the commands embedded in the payload run on the SharePoint host. The code executes in the context of the service account running SharePoint, so the attacker needs no administrative or elevated privileges.
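To make the "without proper verification" point concrete, here is an added example that is not from the advisory, from Microsoft, or from SharePoint's own (.NET) code: Python's pickle module stands in for the serializer. The DocumentRecord type, the CallsOut object and both payloads are constructed for the illustration. The unsafe loader resolves and invokes whatever callable the bytes name while rebuilding the object; the hardened loader only reconstructs types on an explicit allow-list and refuses everything else.

```python
"""Deserialization with and without type verification.

Added example, not from the advisory or from SharePoint's (.NET) code:
Python's pickle stands in for the serializer. DocumentRecord, CallsOut and
both payloads are constructed for the illustration.
"""
import io
import os
import pickle


class DocumentRecord:
    """Benign application type the service legitimately exchanges."""

    def __init__(self, title: str, owner: str):
        self.title = title
        self.owner = owner


class CallsOut:
    """Constructed hostile object: its serialized form instructs the loader
    to call os.getcwd() (a harmless stand-in for any callable the payload
    could name) while rebuilding the object."""

    def __reduce__(self):
        return (os.getcwd, ())


# The only (module, class) pairs the hardened loader will reconstruct.
ALLOWED_TYPES = {(__name__, "DocumentRecord"): DocumentRecord}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses every type reference not on the allow-list."""

    def find_class(self, module: str, name: str):
        try:
            return ALLOWED_TYPES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}") from None


def unsafe_load(data: bytes):
    """The flaw class: reconstruct whatever the bytes describe."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """The fix: only allow-listed types may be rebuilt."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def hostile_payload() -> bytes:
    return pickle.dumps(CallsOut())


def benign_payload() -> bytes:
    return pickle.dumps(DocumentRecord("Q3 plan", "alice"))


def unsafe_loader_ran_callable() -> bool:
    """True if the unsafe loader executed the callable named in the payload."""
    return unsafe_load(hostile_payload()) == os.getcwd()


def safe_loader_rejects_hostile() -> bool:
    """True if the hardened loader refused the hostile payload."""
    try:
        safe_load(hostile_payload())
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader executed payload-named callable:", unsafe_loader_ran_callable())
    print("hardened loader rejected it:", safe_loader_rejects_hostile())
    rec = safe_load(benign_payload())
    print("hardened loader accepted benign record:", rec.title, rec.owner)
```

The allow-list is keyed on both module and class name, so a type with the same short name in another module is still refused; that is the property a .NET serializer binder or equivalent type gate provides for SharePoint-style payloads.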

Vulnerability Profile

Metric               Details
CVE ID               CVE-2026-45659
Vulnerability Type   Deserialization of Untrusted Data
CVSS Score           8.8 (High)
Privileges Required  Low (Site Member)

The flaw affects:

* SharePoint Server Subscription Edition

* SharePoint Server 2019

* SharePoint Enterprise Server 2016

Microsoft addressed this vulnerability in its May 2026 Patch Tuesday security updates. Active exploitation has since surfaced: sophisticated ransomware groups have begun using the flaw as a pivot point for persistent access and lateral movement, deploying backdoors, at times alongside other threat groups (such as Storm-2603) operating inside the same compromised networks.

Industry Impact and Recommendations

Microsoft SharePoint is widely deployed across enterprise and government networks as a centralized collaboration platform holding sensitive documents and corporate data. A remote code execution compromise of a SharePoint Server can lead to full host takeover, large-scale corporate data leaks, ransomware deployment, and lateral movement to Active Directory or cloud databases.

We recommend that all system administrators take the following urgent security actions:

1. Apply Cumulative Security Updates immediately: Ensure your SharePoint deployments are fully updated with Microsoft’s May 2026 cumulative security updates. FCEB agencies must complete these upgrades before July 4, 2026.

2. Review User Privileges: Adhere to the principle of least privilege. Audit the accounts possessing “Site Member” permissions and remove or downgrade unnecessary privileges.

3. Monitor and Isolate SharePoint Servers: Isolate SharePoint Servers from public internet access wherever possible. Implement segmented network architecture to limit lateral movement.

4. Deploy Intrusion Detection Systems (IDS): Update IDS and endpoint protection rules to detect known SharePoint deserialization payloads and monitor for unauthorized child processes (e.g., cmd.exe or powershell.exe) spawned by the SharePoint w3wp.exe process.
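As an added illustration of recommendation 4 (not code from the advisory or from any vendor), the following Python rule flags command shells whose parent is the IIS worker process w3wp.exe. The log lines and their pipe-delimited layout are constructed for the example; the field order (timestamp, host, user, parent image, image, command line) is an assumption and would be mapped to Security event 4688 or Sysmon event 1 fields in a real pipeline.

```python
"""Flag cmd.exe / powershell.exe children of the IIS worker process w3wp.exe.

Added example, not from the advisory or any vendor. The log format is
constructed: pipe-delimited fields in the assumed order
timestamp|host|user|parent_image|image|command_line. In production the same
logic would read Security event 4688 or Sysmon event 1 fields instead.
"""
from dataclasses import dataclass
from typing import Iterator

# Process names a SharePoint web front end should not spawn directly.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# IIS worker process that hosts SharePoint application pools.
WEB_WORKERS = {"w3wp.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed log line into a ProcessEvent."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*fields)


def iter_events(text: str) -> Iterator[ProcessEvent]:
    """Yield events from a multi-line log, skipping blank lines."""
    for line in text.strip().splitlines():
        if line.strip():
            yield parse_line(line)


def is_shell_from_web_worker(ev: ProcessEvent) -> bool:
    """The detection rule: a shell whose parent is w3wp.exe."""
    return basename(ev.parent_image) in WEB_WORKERS and basename(ev.image) in SHELLS


def scan_log(text: str) -> list[dict]:
    """Run the rule over a log and return one alert dict per hit."""
    alerts = []
    for ev in iter_events(text):
        if is_shell_from_web_worker(ev):
            alerts.append({
                "time": ev.timestamp,
                "host": ev.host,
                "user": ev.user,
                "child": basename(ev.image),
                "command_line": ev.command_line,
            })
    return alerts


# Constructed sample telemetry for one SharePoint web front end. The csc.exe
# line is deliberately benign: ASP.NET compiles pages under w3wp.exe, so a
# rule keyed only on "any child of w3wp.exe" would be noisy.
SAMPLE_LOG = r"""
2026-07-02T08:13:07Z|SP-WFE01|CONTOSO\svc_spapp|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2026-07-02T08:13:09Z|SP-WFE01|CONTOSO\svc_spapp|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /noconfig /fullpaths
2026-07-02T08:14:11Z|SP-WFE01|CONTOSO\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile
2026-07-02T08:15:02Z|SP-WFE01|CONTOSO\svc_spapp|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Date
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two of the four sample events fire: the cmd.exe and powershell.exe children of w3wp.exe. The interactive PowerShell launched from explorer.exe and the csc.exe compile under w3wp.exe are left alone, which is why the rule matches on the parent-child pair rather than on either name by itself.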
