
SharePoint CVE-2026-45659 active exploitation puts on-prem servers on urgent patch path

Lucas Oliveira, Research
July 3, 2026

Microsoft SharePoint Server is back in the active-exploitation lane. CISA has added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog after evidence that attackers are exploiting the flaw in the wild.

The bug is a high-severity remote code execution issue in on-premises SharePoint Server. NVD describes it as deserialization of untrusted data in Microsoft Office SharePoint that allows an authorized attacker to execute code over the network. Microsoft assigns the vulnerability a CVSS 3.1 score of 8.8, with low attack complexity, network reachability, no user interaction, and high confidentiality, integrity, and availability impact.

This is not a "panic because SharePoint exists" story. It is a focused operational warning: if an on-prem SharePoint server is exposed, reachable by broad internal populations, or used as a collaboration hub for sensitive documents and workflows, defenders should treat CVE-2026-45659 as both a patching priority and an incident response trigger.

What CVE-2026-45659 is

CVE-2026-45659 is a deserialization flaw affecting Microsoft SharePoint Server. In plain language, the vulnerable code path can process attacker-controlled serialized data in a way that leads to code execution on the server.

The important constraint is authentication. This is not described as a fully unauthenticated internet bug. Microsoft says an authenticated attacker can trigger the flaw, and reporting on the advisory describes the minimum privilege level as Site Member permissions. That still leaves real risk in enterprise environments because SharePoint commonly has many legitimate users, many external collaboration paths, and many lower-privilege accounts that may already be exposed through phishing, password reuse, session theft, or identity compromise.

Affected products include:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

NVD lists fixed build boundaries for affected SharePoint Server versions, and CISA's KEV entry gives federal civilian agencies a July 4, 2026 deadline to apply vendor mitigations or discontinue use where mitigations are unavailable.

Why an authenticated RCE still matters

It is tempting to downgrade the risk because exploitation requires an authenticated user. That is the wrong instinct.

In real intrusions, low-privilege accounts are not rare. Attackers routinely obtain them through phishing, stolen browser sessions, OAuth abuse, password spraying, infostealer logs, help desk manipulation, and compromised third-party accounts. Once a SharePoint account exists, a server-side code execution bug can turn an ordinary collaboration identity into a foothold on infrastructure that stores documents, workflows, application integrations, and internal trust relationships.

That is why this vulnerability deserves more attention than a normal monthly patch line item. A low-privilege authenticated bug can become high-impact when the application sits in the center of business operations.

SharePoint also has a long operational memory inside enterprises. Many deployments are old, customized, integrated with line-of-business systems, or treated as "internal enough" to receive slower patching. That combination gives attackers room: a vulnerability with active exploitation, broad enterprise reach, and potentially inconsistent patch discipline.

The exploitation signal

CISA added CVE-2026-45659 to the KEV catalog on July 1, 2026. That matters because KEV is not just a generic vulnerability list. It is CISA's catalog for flaws with evidence of active exploitation.

The public details are still limited. The available reporting does not identify a single actor, exploitation method, or final objective. But the lack of public exploit detail should not be mistaken for low risk. For defenders, the actionable fact is that exploitation has been confirmed strongly enough for KEV inclusion, and the patch deadline is short.

The timing is also uncomfortable. SharePoint servers have repeatedly appeared in ransomware and intrusion tradecraft because they combine web exposure, document access, authentication flows, and server-side extensibility. A current RCE in that class of product should be reviewed with the assumption that exploitation may be used for initial access, persistence, staging, data access, or movement into adjacent systems.

What defenders should do now

1. Inventory SharePoint exposure

Start with the boring question that decides the urgency: where are the SharePoint servers?

Defenders should identify every on-prem SharePoint instance, including disaster recovery systems, old farms, test environments, partner-facing portals, and servers behind reverse proxies. Confirm whether each server is reachable from the internet, reachable through VPN, exposed to broad internal networks, or limited to tightly controlled administrative paths.

This matters because patching only the obvious production farm leaves a familiar gap: forgotten collaboration servers often have weaker monitoring and older builds.

2. Patch to fixed builds

Apply Microsoft's SharePoint Server updates for affected versions. This should cover SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition according to the relevant build track.

For high-availability farms, verify that all nodes are updated. Do not patch only the active or most visible server. Attackers do not care which node is supposed to be primary during normal operations.

If a system cannot be patched immediately, reduce exposure while the change window is prepared. Restrict access, enforce VPN or network controls where appropriate, and remove unnecessary external reachability. These controls reduce opportunity, but they should not become a substitute for patching.

3. Review activity before the patch

Because CVE-2026-45659 is already in KEV, the right question is not only "are we patched now?" It is also "what happened before we patched?"

Review SharePoint, IIS, authentication, and endpoint telemetry for suspicious activity around the exploitation window. The exact indicators may vary, but useful hunting themes include:

  • unexpected authenticated requests from unusual users, geographies, hosts, or service accounts
  • errors or request patterns involving serialized payloads or unusual SharePoint endpoints
  • new or modified files in SharePoint web paths
  • web-shell-like behavior, including small scripts or unfamiliar ASPX files
  • unexpected PowerShell, command shell, script host, or LOLBin execution from SharePoint worker processes
  • newly created users, groups, privileges, scheduled tasks, services, or persistence paths
  • outbound connections from SharePoint servers to infrastructure they do not normally contact

That review should include both infrastructure logs and identity signals. If the attacker needs a low-privilege account, then compromised identity may be part of the story.
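One way to turn the hunting themes above into a repeatable check, as an added example that is not from the original post: it parses constructed IIS W3C-style log lines and constructed process-creation events, then flags authenticated requests from off-baseline sources, .aspx stems missing from a known-good inventory, and shell or LOLBin children of w3wp.exe. The account names, client networks, paths and events are all assumptions a team would replace with its own farm's baseline.

```python
import re

# Constructed sample IIS W3C log lines (not from the original post).
# Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
IIS_LOG = """\
2026-07-01 08:12:03 10.0.5.21 CORP\\alice GET /sites/hr/SitePages/Home.aspx 200
2026-07-01 08:14:41 10.0.5.21 CORP\\alice POST /_layouts/15/start.aspx 200
2026-07-01 23:52:10 203.0.113.77 CORP\\svc-backup POST /_layouts/15/start.aspx 200
2026-07-01 23:52:19 203.0.113.77 CORP\\svc-backup GET /_layouts/15/tmp_7f3a.aspx 200
2026-07-02 09:01:00 10.0.5.30 CORP\\bob GET /sites/hr/SitePages/Home.aspx 200
"""
# Constructed process-creation events: (parent image, child image).
PROC_EVENTS = [("w3wp.exe", "csc.exe"),          # ASP.NET dynamic compile, expected
               ("w3wp.exe", "cmd.exe"),          # shell spawned by the worker process
               ("w3wp.exe", "powershell.exe"),
               ("explorer.exe", "powershell.exe")]  # interactive admin, not the worker
# Assumed baselines a team derives from its own farm (constructed values): the
# client network each account normally uses, and the .aspx pages of a known-good build.
USER_HOME_PREFIX = {"CORP\\alice": "10.0.5.", "CORP\\bob": "10.0.5.",
                    "CORP\\svc-backup": "10.0.9."}
KNOWN_ASPX = {"/sites/hr/SitePages/Home.aspx", "/_layouts/15/start.aspx"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
           "rundll32.exe", "mshta.exe", "certutil.exe"}
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_iis(text):
    """Parse W3C-style lines into dicts; comment and malformed lines are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, ip, user, method, stem, status = m.groups()
        records.append(dict(ts=ts, ip=ip, user=user, method=method,
                            stem=stem, status=int(status)))
    return records

def hunt_requests(records):
    """Flag authenticated requests from off-baseline sources and unknown .aspx stems."""
    findings = []
    for r in (r for r in records if r["user"] != "-"):  # the advisory needs an authenticated path
        home = USER_HOME_PREFIX.get(r["user"])
        if home and not r["ip"].startswith(home):
            findings.append(("off-baseline-source", r["user"], r["ip"], r["stem"]))
        if r["stem"].lower().endswith(".aspx") and r["stem"] not in KNOWN_ASPX:
            findings.append(("unknown-aspx", r["user"], r["ip"], r["stem"]))
    return findings

def hunt_processes(events):
    """Flag shell / LOLBin children of the IIS worker process that hosts SharePoint."""
    return [(p, c) for p, c in events
            if p.lower() == "w3wp.exe" and c.lower() in LOLBINS]
```

Run `hunt_requests(parse_iis(IIS_LOG))` and `hunt_processes(PROC_EVENTS)` against real exports; every hit is a lead for the identity and endpoint review, not a verdict on its own.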

4. Treat suspicious signs as compromise, not just vulnerability management

If telemetry suggests exploitation, shift from patch management to incident response. A vulnerable SharePoint server can become a staging point for credential access, data theft, lateral movement, or ransomware deployment.

Contain the server if needed, preserve logs, collect forensic data, and review connected systems. SharePoint often has access to SQL databases, file stores, service accounts, document libraries, email integrations, and workflow automation. Those relationships can extend the blast radius beyond the web server itself.

Credential review is especially important. Check whether service accounts, application pool identities, database credentials, or privileged administrative accounts were exposed or abused. Rotate credentials based on evidence and privilege, not on optimism.

Questions security teams should answer

For a fast triage meeting, these are the questions that matter most:

  • Which on-prem SharePoint servers do we run, and which versions/builds are deployed?
  • Are any of them internet-facing, partner-facing, or reachable from broad internal networks?
  • Were affected systems patched before or after CISA added CVE-2026-45659 to KEV?
  • Which users have Site Member permissions or equivalent access to sensitive SharePoint areas?
  • Have there been unusual login patterns, unexpected SharePoint requests, or new files on the servers?
  • Do SharePoint worker processes show unusual child processes or outbound connections?
  • Which service accounts, database connections, and integrations could be exposed if the server was compromised?

The answer set decides whether this is a normal expedited patch or a deeper compromise assessment.

The bigger lesson

CVE-2026-45659 is a reminder that "authenticated" does not mean "safe" when the target is a central enterprise application. SharePoint sits close to documents, users, workflow, identity, and internal trust. Once active exploitation is confirmed, the risk moves from theoretical to operational.

For many teams, the fix path is straightforward: patch affected servers, reduce unnecessary exposure, and validate builds. The harder but more important path is confirming whether attackers touched the environment before the patch landed.

If your SharePoint estate was exposed or slow to update, do not close this as a vulnerability ticket alone. Close it as a security review: patch status, access scope, telemetry, identity signals, and compromise evidence all need to line up.

What is CVE-2026-45659?

CVE-2026-45659 is a Microsoft SharePoint Server remote code execution vulnerability caused by deserialization of untrusted data. NVD says an authorized attacker can execute code over a network.

Is CVE-2026-45659 being exploited?

Yes. CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 1, 2026, citing active exploitation.

Does the attacker need authentication?

Yes. The public advisory information describes this as an authenticated attack path requiring low privileges, but not administrator privileges.

Which SharePoint versions are affected?

NVD lists affected configurations for Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition below fixed build levels.

What should defenders do first?

Patch affected on-prem SharePoint servers, identify exposed instances, and review logs for suspicious authenticated activity, web shell behavior, unusual child processes, new persistence, and post-exploitation movement.

References

  1. CVE-2026-45659 Detail
  2. Known Exploited Vulnerabilities Catalog: CVE-2026-45659
  3. Microsoft Security Update Guide: CVE-2026-45659
  4. SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
  5. CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

Written by Lucas Oliveira (Research)

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.