Perimeter Risk: CISA Adds Microsoft SharePoint Server RCE Flaw (CVE-2026-45659) to KEV Catalog
Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server (CVE-2026-45659) to its Known Exploited Vulnerabilities (KEV) catalog. First resolved by Microsoft in late May 2026, the flaw has now come under active, real-world exploitation by threat actors. Scored CVSS 8.8 (High), this vulnerability allows low-privileged authenticated users—such as those holding basic “Site Member” access—to execute arbitrary code over the network on vulnerable on-premises SharePoint servers. Enterprises must apply the security updates immediately to defend against active exploitation.
Technical Deep-Dive
Microsoft SharePoint Server is a widely deployed document management and collaboration platform used extensively across enterprise and government intranets.
The vulnerability, CVE-2026-45659, is a high-severity deserialization flaw categorized under CWE-502: Deserialization of Untrusted Data.
Attack Vector and Exploitation Mechanics:
1. Unsafe Deserialization: The flaw resides in SharePoint Server’s handling of serialized data objects during normal collaboration workflows. When the server processes serialized input that crosses a trust boundary, it does so without sufficient type validation.
2. Low-Privilege Exploitation: An attacker with basic network access and minimal authentication—specifically, “Site Member” permissions (PR:L)—can submit a custom-crafted serialized payload to a vulnerable SharePoint instance.
3. Arbitrary Code Execution: The SharePoint server deserializes the malicious payload, which forces the underlying application to instantiate arbitrary objects, achieving remote code execution.
4. Execution Context: Because the exploit runs within the context of the SharePoint service account, successful exploitation can allow an attacker to bypass standard data isolation boundaries.
* CVE Identifier: CVE-2026-45659
* CVSS Score: 8.8 (High)
* Weakness Class: CWE-502 (Deserialization of Untrusted Data)
* Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016.
Industry Impact and Threat Landscape
SharePoint servers serve as central repositories for corporate databases, proprietary documents, and strategic communication. Consequently, an RCE vulnerability on these servers is a major threat.
Because the vulnerability requires only low-level, authenticated member credentials (which can be easily obtained by threat actors via phishing, session hijacking, or credential reuse), any internet-facing or broadly accessible SharePoint server is at high risk. A successful compromise allows attackers to:
* Access, download, or delete confidential corporate files and documents.
* Extract corporate credentials and session materials.
* Establish administrative persistence on the local server.
* Move laterally across the enterprise network to compromise connected Active Directory and database environments.
CISA’s addition of CVE-2026-45659 to its KEV catalog confirms that threat groups are actively exploiting this vector to bypass perimeter controls in real-world campaigns.
Recommendations and Mitigations
Organizations operating on-premises SharePoint Server builds must implement the following security mitigations:
1. Deploy May 2026 Security Updates: Immediately install the official out-of-band Microsoft patches for your specific SharePoint Server build (Subscription Edition, 2019, or 2016).
2. Restrict Internal and External Exposure: Avoid exposing on-premises SharePoint portal interfaces directly to the public internet. Secure access behind a Virtual Private Network (VPN) or Zero Trust Network Access (ZTNA) gateway.
3. Audit Active Account Privileges: Review group memberships across your SharePoint sites. Keep the “Site Member” list restricted, and audit Active Directory for unusual or anomalous authenticated activity against SharePoint servers.
4. Implement File and Process Monitoring: Monitor SharePoint web services and processes (such as w3wp.exe) for anomalous child process execution (e.g., calling cmd.exe or powershell.exe).
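As an added illustration of the monitoring in step 4 (example code, not from the advisory or from Microsoft), the following Python scores constructed Sysmon-style process-creation records by whether the IIS worker process hosting SharePoint spawned a shell. The list of assumed-benign children (compiler and console host) is an assumption and should be tuned per environment.

```python
import json
from typing import NamedTuple, Optional

WORKER = "w3wp.exe"                                   # IIS worker process that hosts SharePoint
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}    # children named in step 4, plus pwsh
# Assumed benign: children an ASP.NET worker spawns for on-the-fly compilation / console host.
BENIGN = {"csc.exe", "cvtres.exe", "conhost.exe"}

class Finding(NamedTuple):
    severity: str       # "high" for a shell, "review" for any other unexpected child
    time: str
    host: str
    child: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when w3wp.exe spawned an unexpected child, else None."""
    if basename(event.get("ParentImage", "")) != WORKER:
        return None                                   # only the SharePoint worker matters here
    child = basename(event.get("Image", ""))
    if child in BENIGN:
        return None
    severity = "high" if child in SHELLS else "review"
    return Finding(severity, event.get("UtcTime", ""), event.get("Computer", ""),
                   child, event.get("CommandLine", ""))

def analyze_jsonl(text: str) -> list:
    """Parse one JSON process-creation event per line and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-06-01 10:00:01","Computer":"SP01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\conhost.exe","CommandLine":"conhost.exe 0x4"}
{"UtcTime":"2026-06-01 10:00:02","Computer":"SP01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2026-06-01 10:00:03","Computer":"WS07","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
{"UtcTime":"2026-06-01 10:00:04","Computer":"SP01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command Get-Date"}
{"UtcTime":"2026-06-01 10:00:05","Computer":"SP01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig"}
{"UtcTime":"2026-06-01 10:00:06","Computer":"SP01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Temp\\updater.exe","CommandLine":"updater.exe"}
"""

if __name__ == "__main__":
    for f in analyze_jsonl(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.time} {f.host}: {WORKER} -> {f.child} ({f.command_line})")
```

The "review" tier catches non-shell children the allow list does not know about, which is where a dropped second-stage binary would show up.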