0 Comments

Urgent Patch Required: Actively Exploited RCE Vulnerability in Microsoft SharePoint (CVE-2026-45659)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server. On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are actively leveraging this flaw in the wild. For organizations relying on on-premises SharePoint deployments, this disclosure represents an immediate call to action to verify patch status and harden their environments.

What is CVE-2026-45659?

CVE-2026-45659 is a “deserialization of untrusted data” vulnerability (CWE-502) affecting on-premises versions of Microsoft SharePoint Server. In the context of SharePoint, deserialization refers to the process where the application takes data from a stream and reconstructs it into an object. When this process is “unsafe”—meaning it doesn’t adequately validate the data being reconstructed—an attacker can craft a malicious serialized object that triggers the execution of arbitrary code upon processing.

With a CVSS 3.1 score of 8.8 (High), this vulnerability is particularly dangerous because it does not require administrative or even elevated privileges. An authenticated attacker with as little as “Site Member” permissions can successfully trigger the exploit across a network. In many corporate environments, these permissions are widely distributed among employees and contractors, significantly broadening the surface area for a potential internal breach or the escalation of a compromised account.

Affected Systems and Patched Versions

The vulnerability impacts on-premises installations of Microsoft SharePoint. Organizations should immediately check their build versions to ensure they are at or above the following patched levels:

  • SharePoint Server Subscription Edition: 16.0.19725.20280
  • SharePoint Server 2019: 16.0.10417.20128
  • SharePoint Enterprise Server 2016: 16.0.5552.1002

It is important to note that cloud-based users of SharePoint Online are not affected by this specific vulnerability, as Microsoft manages the patching and security of the underlying infrastructure in its cloud environment.

The Exploitation Landscape

When Microsoft first released patches for this flaw in May 2026, the initial assessment was that “Exploitation [was] Less Likely.” However, the landscape shifted rapidly. CISA’s decision to move this CVE into the KEV catalog indicates that real-world exploitation is occurring. Security researchers have noted that the barrier to entry is low; an attacker does not need advanced knowledge of the target system to execute the attack, making it an attractive target for both sophisticated groups and lower-skilled threat actors looking for a way to gain a foothold in enterprise networks.

Once an attacker achieves code execution, they operate within the context of the SharePoint worker process (w3wp.exe). From this vantage point, they can potentially move laterally through the network, access or destroy sensitive data stored in SharePoint libraries, or compromise the underlying server infrastructure to establish persistence.

Recommended Mitigation Steps

Relying on automatic updates is often not enough for complex SharePoint farms. Security teams should follow these multi-layered mitigation steps:

1. Immediate Patching and Verification

Verify that the May 2026 security updates (or later) have been applied to all servers in your SharePoint farm. Administrators should use the SharePoint Management Shell to verify the build version of every server using the command: (Get-SPFarm).BuildVersion. Remember that the update process is not complete until the SharePoint Products Configuration Wizard has been successfully run on every host.

2. Audit Site Permissions

Since the exploit requires a “Site Member” role, organizations should audit their SharePoint permissions. Remove any accounts that are stale or no longer require access. The principle of least privilege is critical here; users should only have the minimum level of access necessary for their job functions.

3. Enforce Multi-Factor Authentication (MFA)

Strong authentication remains the best defense against the initial stage of this attack. By enforcing MFA for all users, you significantly reduce the likelihood that a threat actor can use stolen credentials to gain the “Site Member” access needed to trigger the RCE.

4. Advanced Monitoring

Monitor your servers for anomalous child processes spawned by w3wp.exe. Unexpected application pool crashes or unauthorized modifications to files within SharePoint directories are also key indicators of compromise. Security Information and Event Management (SIEM) rules should be tuned to alert on these behaviors.

Conclusion

The transition of CVE-2026-45659 from a theoretical risk to an actively exploited vulnerability underscores the speed at which threat actors weaponize enterprise-grade software. For federal agencies, CISA has mandated a remediation deadline of July 4, 2026. For the private sector, the message is equally clear: if you are running on-premises SharePoint, the time to verify and patch is now. Don’t wait for a breach to discover that your systems are vulnerable.

Related Posts