The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert by adding CVE-2026-45659, a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. This action was taken due to confirmed evidence of active exploitation in the wild. The vulnerability, which carries a CVSS score of 8.8, allows an authenticated attacker with low-level permissions to execute arbitrary code on a target server. In response, CISA has issued a Binding Operational Directive (BOD) requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by July 4, 2026. Given SharePoint's widespread use for data storage and collaboration, this vulnerability presents a significant and immediate threat to both public and private sector organizations.
The vulnerability, identified as CVE-2026-45659, is a remote code execution flaw resulting from the insecure deserialization of untrusted data within Microsoft SharePoint Server. An attacker must be authenticated to the target SharePoint site with at least Site Member permissions to exploit this flaw. This low privilege requirement makes the vulnerability particularly dangerous, as a compromise of any basic user account could lead to a full server takeover.
According to Microsoft, the attack complexity is low, meaning an adversary can achieve repeatable success without deep technical knowledge of the target environment. By sending a specially crafted request to a vulnerable SharePoint server, an attacker can trigger the deserialization of a malicious object, leading to code execution in the context of the SharePoint application pool process.
The vulnerability affects the following Microsoft SharePoint Server versions:
Microsoft released out-of-band security updates in late May 2026 to address this issue.
As of July 1, 2026, CVE-2026-45659 is being actively exploited in the wild. CISA's inclusion of the vulnerability in the KEV catalog confirms these reports. While specific details about the threat actors or their objectives have not been publicly disclosed, the exploitation of SharePoint vulnerabilities is a common tactic for initial access, data exfiltration, and lateral movement, often as a precursor to ransomware deployment.
A successful exploit of CVE-2026-45659 could have a devastating impact on an organization. Attackers could gain complete control over the SharePoint server, allowing them to:
Given that SharePoint often integrates with other critical business systems, the blast radius of a compromise can be extensive, leading to significant financial loss, reputational damage, and regulatory penalties.
The following patterns may help identify vulnerable or compromised systems:
w3wp.execmd.exe, powershell.exe, or rundll32.exe..aspx, .php, .jsp) in SharePoint web directories, which could indicate web shell deployment.Security teams should implement the following detection strategies:
w3wp.exe process spawning command shells, as mentioned in the observables. This aligns with D3FEND's Process Analysis (D3-PA).Due to active exploitation, immediate action is required.
Applying the security patches provided by Microsoft is the most critical step to remediate this vulnerability.
Mapped D3FEND Techniques:
Implement comprehensive logging and auditing for SharePoint servers to detect signs of exploitation and post-compromise activity.
Mapped D3FEND Techniques:
Restrict access to the SharePoint server's management interfaces and services to only authorized personnel and systems.
Mapped D3FEND Techniques:
Employ security solutions that can detect and block exploitation techniques, such as those targeting deserialization flaws.
Mapped D3FEND Techniques:
Immediately prioritize the deployment of the May 2026 out-of-band security update for Microsoft SharePoint Server across all affected assets. Due to the 'critical' severity and active exploitation of CVE-2026-45659, a risk-based approach should be taken. Internet-facing SharePoint servers must be patched first, ideally within 24 hours, followed by internal production servers within 72 hours. Use automated patch management systems to ensure rapid and consistent deployment. Before rolling out to production, test the patch in a staging environment to identify any potential operational conflicts. After deployment, run authenticated vulnerability scans to verify that the patch has been successfully applied and that no systems were missed. This countermeasure is the definitive method to eliminate the vulnerability and prevent initial exploitation.
Deploy an Endpoint Detection and Response (EDR) solution on all SharePoint servers to perform continuous process analysis. Specifically, configure detection rules to monitor the SharePoint worker process (w3wp.exe). Create high-severity alerts for any instance where w3wp.exe spawns suspicious child processes, such as command shells (cmd.exe, powershell.exe) or scripting engines (cscript.exe, wscript.exe). Since legitimate SharePoint operations should not trigger such behavior, these events are high-confidence indicators of compromise. Establishing a baseline of normal process activity for your SharePoint environment is crucial for reducing false positives. This technique provides a critical detection layer for post-exploitation activity, catching the attacker immediately after they leverage CVE-2026-45659 to execute code.
Implement network segmentation to strictly control access to SharePoint servers. Place SharePoint servers in a dedicated network zone with restrictive firewall rules. Egress filtering should be applied to block all outbound traffic from SharePoint servers by default, only allowing connections to specific, required internal and external services (e.g., database servers, domain controllers, mail servers). This helps contain the impact of a compromise by preventing the attacker from easily pivoting to other parts of the network or establishing a command-and-control channel. For internet-facing SharePoint servers, use a Web Application Firewall (WAF) to inspect incoming traffic for malicious patterns that may indicate exploitation attempts. This serves as a critical compensating control if patching is delayed.
Microsoft releases out-of-band security updates to patch CVE-2026-45659.
CISA adds CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog.
Deadline for U.S. Federal Civilian Executive Branch agencies to apply the patch for CVE-2026-45659.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.