CISA Adds High-Severity SharePoint RCE Vulnerability (CVE-2026-45659) to KEV Catalog Amid Active Exploitation

CISA Adds Actively Exploited SharePoint RCE Flaw to KEV Catalog, Mandates Urgent Patching

CRITICAL
July 2, 2026
Vulnerability, Patch Management, Cyberattack

Related Entities

Organizations

CISA, Microsoft, Federal Civilian Executive Branch (FCEB)

CVE Identifiers

CVE-2026-45659
HIGH
CVSS:8.8

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert by adding CVE-2026-45659, a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. This action was taken due to confirmed evidence of active exploitation in the wild. The vulnerability, which carries a CVSS score of 8.8, allows an authenticated attacker with low-level permissions to execute arbitrary code on a target server. In response, CISA has issued a Binding Operational Directive (BOD) requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by July 4, 2026. Given SharePoint's widespread use for data storage and collaboration, this vulnerability presents a significant and immediate threat to both public and private sector organizations.


Vulnerability Details

The vulnerability, identified as CVE-2026-45659, is a remote code execution flaw resulting from the insecure deserialization of untrusted data within Microsoft SharePoint Server. An attacker must be authenticated to the target SharePoint site with at least Site Member permissions to exploit this flaw. This low privilege requirement makes the vulnerability particularly dangerous, as a compromise of any basic user account could lead to a full server takeover.

According to Microsoft, the attack complexity is low, meaning an adversary can achieve repeatable success without deep technical knowledge of the target environment. By sending a specially crafted request to a vulnerable SharePoint server, an attacker can trigger the deserialization of a malicious object, leading to code execution in the context of the SharePoint application pool process.

Affected Systems

The vulnerability affects the following Microsoft SharePoint Server versions:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

Microsoft released out-of-band security updates in late May 2026 to address this issue.

Exploitation Status

As of July 1, 2026, CVE-2026-45659 is being actively exploited in the wild. CISA's inclusion of the vulnerability in the KEV catalog confirms these reports. While specific details about the threat actors or their objectives have not been publicly disclosed, the exploitation of SharePoint vulnerabilities is a common tactic for initial access, data exfiltration, and lateral movement, often as a precursor to ransomware deployment.

Impact Assessment

A successful exploit of CVE-2026-45659 could have a devastating impact on an organization. Attackers could gain complete control over the SharePoint server, allowing them to:

  • Access, modify, or exfiltrate all data stored on the platform, including sensitive documents, intellectual property, and personally identifiable information (PII).
  • Deploy malware, such as web shells or ransomware, onto the server.
  • Use the compromised server as a pivot point to move laterally within the corporate network.
  • Disrupt business operations by taking the SharePoint service offline.

Given that SharePoint often integrates with other critical business systems, the blast radius of a compromise can be extensive, leading to significant financial loss, reputational damage, and regulatory penalties.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Process Name: w3wp.exe. Monitor for suspicious child processes spawning from the SharePoint worker process, such as cmd.exe, powershell.exe, or rundll32.exe.
  • Log Source: SharePoint ULS Logs. Hunt for anomalous log entries related to deserialization errors or unexpected object types.
  • Network Traffic: Outbound Connections. Look for unusual outbound network connections from SharePoint servers to unknown IP addresses, especially over non-standard ports.
  • File System: Web Root Directories. Monitor for the creation of unexpected files (e.g., .aspx, .php, .jsp) in SharePoint web directories, which could indicate web shell deployment.

Detection Methods

Security teams should implement the following detection strategies:

  1. Vulnerability Scanning: Use vulnerability management tools to scan for and identify all SharePoint servers missing the required security updates for CVE-2026-45659.
  2. Log Analysis: Ingest SharePoint ULS logs, Windows Event Logs, and web server logs into a SIEM. Create detection rules to alert on suspicious activity, such as the w3wp.exe process spawning command shells, as mentioned in the observables. This aligns with D3FEND's Process Analysis (D3-PA).
  3. Endpoint Detection and Response (EDR): Ensure EDR agents are deployed on all SharePoint servers. Use EDR to monitor process execution, file modifications, and network connections, providing high-fidelity alerts on post-exploitation activity.
  4. Network Traffic Analysis: Monitor network traffic to and from SharePoint servers for anomalies. This includes looking for connections to known malicious IP addresses or unusual data transfer patterns, in line with D3FEND's Network Traffic Analysis (D3-NTA).
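The hunting hints and the log-analysis detection method above can be expressed as a small set of checks run over endpoint telemetry. The following is an added example (not tooling from this article, CISA or Microsoft) that applies three of the observables to constructed sample records: process-creation events in the shape of Windows 4688 / Sysmon event 1, file-creation events in the shape of Sysmon event 11, and ULS log lines. The web-root path and every sample record are assumptions made for the example; the benign records (csc.exe under w3wp.exe, a web.config write, an .aspx outside the web root) are there to show what the checks deliberately ignore.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Children that the SharePoint worker process has no legitimate reason to start
# (the list from the observables and the D3FEND process-analysis guidance).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "cscript.exe", "wscript.exe"}
# Script types whose sudden appearance under a web root points at a web shell.
WEBSHELL_EXTENSIONS = {".aspx", ".php", ".jsp"}
# Web-root prefix to watch. Assumption: the default IIS virtual-directory path;
# adjust to the web application paths of your farm.
WEB_ROOTS = (PureWindowsPath(r"C:\inetpub\wwwroot\wss\VirtualDirectories"),)
# Substrings in ULS entries that the article says are worth hunting for.
ULS_PATTERNS = ("deserializ", "unexpected object type")


@dataclass
class Finding:
    source: str   # "process", "file" or "uls"
    detail: str


def check_process_event(event: dict) -> Finding | None:
    """event carries the fields of a 4688 / Sysmon event 1 record (constructed)."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
        return Finding("process", f"w3wp.exe spawned {child}: {event.get('CommandLine', '')}")
    return None


def check_file_event(event: dict) -> Finding | None:
    """event carries the TargetFilename of a Sysmon event 11 record (constructed)."""
    path = PureWindowsPath(event["TargetFilename"])
    under_web_root = any(root in path.parents for root in WEB_ROOTS)
    if under_web_root and path.suffix.lower() in WEBSHELL_EXTENSIONS:
        return Finding("file", f"script file created under web root: {path}")
    return None


def check_uls_line(line: str) -> Finding | None:
    """Flag ULS lines mentioning deserialization problems or unexpected object types."""
    lowered = line.lower()
    if any(pattern in lowered for pattern in ULS_PATTERNS):
        return Finding("uls", line.strip())
    return None


def hunt(process_events, file_events, uls_lines) -> list[Finding]:
    """Run every check and return the findings grouped by source."""
    findings: list[Finding] = []
    findings += filter(None, (check_process_event(e) for e in process_events))
    findings += filter(None, (check_file_event(e) for e in file_events))
    findings += filter(None, (check_uls_line(line) for line in uls_lines))
    return findings


# Constructed sample telemetry: one true positive per source plus benign noise.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # ASP.NET dynamic compilation: a normal child of w3wp.exe, must not alert.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "CommandLine": "csc.exe /noconfig"},
    # cmd.exe started from an interactive session: wrong parent, must not alert.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_app_bin\cache.aspx"},
    {"TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"},
    {"TargetFilename": r"C:\Temp\report.aspx"},
]
SAMPLE_ULS_LINES = [
    "07/01/2026 10:15:02.11 w3wp.exe (0x1A2C) 0x0F40 SharePoint Foundation General 8nca Medium "
    "Application error when access /_layouts/15/start.aspx, Error=Unable to deserialize object: unexpected object type",
    "07/01/2026 10:15:03.02 w3wp.exe (0x1A2C) 0x0F40 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS, SAMPLE_ULS_LINES):
        print(f"[{finding.source}] {finding.detail}")
```

The parent/child check is the one worth baselining first: in most farms the only routine children of w3wp.exe are .NET compilation helpers, so a short allowlist of those plus an alert on everything in SUSPICIOUS_CHILDREN stays quiet until something is actually wrong. The ULS substring match is deliberately loose and is meant for hunting rather than paging; pair it with the process and file checks before escalating.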

Remediation Steps

Due to active exploitation, immediate action is required.

  1. Patch Immediately: The primary remediation is to apply the security updates released by Microsoft in May 2026. Prioritize patching internet-facing SharePoint servers first, followed by internal servers.
  2. Verify Patch Installation: After deployment, confirm that the patches have been successfully installed on all affected assets.
  3. Assume Compromise: For any unpatched systems, especially those exposed to the internet, security teams should assume they may be compromised and initiate threat hunting activities to search for signs of malicious activity.
  4. Harden Configurations: As a general best practice, review and harden SharePoint server configurations. This includes implementing the principle of least privilege for service accounts and restricting network access to the server, a D3FEND Application Hardening (D3-AH) technique.

Timeline of Events

  1. May 31, 2026: Microsoft releases out-of-band security updates to patch CVE-2026-45659.
  2. July 1, 2026: CISA adds CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog.
  3. July 2, 2026: This article was published.
  4. July 4, 2026: Deadline for U.S. Federal Civilian Executive Branch agencies to apply the patch for CVE-2026-45659.

MITRE ATT&CK Mitigations

  • Applying the security patches provided by Microsoft is the most critical step to remediate this vulnerability.
  • Audit (M1047, enterprise): Implement comprehensive logging and auditing for SharePoint servers to detect signs of exploitation and post-compromise activity.
  • Restrict access to the SharePoint server's management interfaces and services to only authorized personnel and systems.
  • Employ security solutions that can detect and block exploitation techniques, such as those targeting deserialization flaws.

D3FEND Defensive Countermeasures

Immediately prioritize the deployment of the May 2026 out-of-band security update for Microsoft SharePoint Server across all affected assets. Due to the 'critical' severity and active exploitation of CVE-2026-45659, a risk-based approach should be taken. Internet-facing SharePoint servers must be patched first, ideally within 24 hours, followed by internal production servers within 72 hours. Use automated patch management systems to ensure rapid and consistent deployment. Before rolling out to production, test the patch in a staging environment to identify any potential operational conflicts. After deployment, run authenticated vulnerability scans to verify that the patch has been successfully applied and that no systems were missed. This countermeasure is the definitive method to eliminate the vulnerability and prevent initial exploitation.

Deploy an Endpoint Detection and Response (EDR) solution on all SharePoint servers to perform continuous process analysis. Specifically, configure detection rules to monitor the SharePoint worker process (w3wp.exe). Create high-severity alerts for any instance where w3wp.exe spawns suspicious child processes, such as command shells (cmd.exe, powershell.exe) or scripting engines (cscript.exe, wscript.exe). Since legitimate SharePoint operations should not trigger such behavior, these events are high-confidence indicators of compromise. Establishing a baseline of normal process activity for your SharePoint environment is crucial for reducing false positives. This technique provides a critical detection layer for post-exploitation activity, catching the attacker immediately after they leverage CVE-2026-45659 to execute code.

Implement network segmentation to strictly control access to SharePoint servers. Place SharePoint servers in a dedicated network zone with restrictive firewall rules. Egress filtering should be applied to block all outbound traffic from SharePoint servers by default, only allowing connections to specific, required internal and external services (e.g., database servers, domain controllers, mail servers). This helps contain the impact of a compromise by preventing the attacker from easily pivoting to other parts of the network or establishing a command-and-control channel. For internet-facing SharePoint servers, use a Web Application Firewall (WAF) to inspect incoming traffic for malicious patterns that may indicate exploitation attempts. This serves as a critical compensating control if patching is delayed.
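The default-deny egress policy described above, and the "unusual outbound connections" observable earlier in the article, can be checked against firewall or NetFlow records with a few lines of logic. The following is an added example, not part of the article or of any vendor tooling: it models an allowlist containing only the services the paragraph names (database servers, domain controllers, a mail relay), evaluates constructed sample flows from a SharePoint web front end against it, and reports what the policy would block and why. All address ranges, hostnames and flows are assumptions invented for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    destination: str       # CIDR the SharePoint segment may reach
    ports: frozenset[int]  # only these destination ports
    purpose: str


# Constructed allowlist modelling the default-deny egress policy: database
# servers, domain controllers and the mail relay, nothing else. The ranges are
# assumptions for the example.
ALLOWLIST = (
    EgressRule("10.10.20.0/24", frozenset({1433}), "SQL Server back end"),
    EgressRule("10.10.10.0/24", frozenset({53, 88, 135, 389, 445, 636}), "domain controllers"),
    EgressRule("10.10.30.5/32", frozenset({25}), "internal SMTP relay"),
)
# Address space treated as internal for this example (assumption).
INTERNAL_NETWORKS = (ip_network("10.0.0.0/8"),)
# Ports that normally carry the services above; anything else counts as non-standard.
STANDARD_PORTS = {25, 53, 80, 88, 135, 389, 443, 445, 636, 1433}


def evaluate_flow(dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return ("allow", purpose) when a rule matches, otherwise ("deny", reason)."""
    addr = ip_address(dst_ip)
    for rule in ALLOWLIST:
        if addr in ip_network(rule.destination) and dst_port in rule.ports:
            return "allow", rule.purpose
    internal = any(addr in net for net in INTERNAL_NETWORKS)
    reason = "internal host outside allowlist" if internal else "external destination"
    if dst_port not in STANDARD_PORTS:
        reason += ", non-standard port"
    return "deny", reason


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int


def triage(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows the policy would block, each with its reason, in input order."""
    blocked: list[tuple[Flow, str]] = []
    for flow in flows:
        verdict, reason = evaluate_flow(flow.dst_ip, flow.dst_port)
        if verdict == "deny":
            blocked.append((flow, reason))
    return blocked


# Constructed sample flows observed from a SharePoint web front end.
SAMPLE_FLOWS = [
    Flow("sp-web-01", "10.10.20.7", 1433),     # SQL back end: expected
    Flow("sp-web-01", "10.10.10.3", 389),      # LDAP to a domain controller: expected
    Flow("sp-web-01", "10.10.50.9", 445),      # SMB to an unrelated internal host: lateral-movement candidate
    Flow("sp-web-01", "198.51.100.23", 4444),  # external host on an odd port: command-and-control candidate
    Flow("sp-web-01", "198.51.100.23", 443),   # external over 443: still outside the allowlist
]

if __name__ == "__main__":
    for flow, reason in triage(SAMPLE_FLOWS):
        print(f"DENY {flow.src_host} -> {flow.dst_ip}:{flow.dst_port} ({reason})")
```

Two design points carry over to a real ruleset. First, the allowlist matches on destination and port together, so a connection to the database subnet on anything other than 1433 is still denied; a rule that allows the whole subnet would quietly permit SMB or RDP into it. Second, the last sample flow shows why "external over 443" should not get a free pass: egress filtering for a server that has no reason to browse the web should deny it along with everything else, and a web proxy with an explicit allowlist is the place to make exceptions for update servers.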

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-45659, SharePoint, RCE, KEV, CISA, Deserialization, Microsoft
