CISA Warns Microsoft SharePoint Server RCE Vulnerability Is Being Exploited


CISA has warned that attackers are exploiting a Microsoft SharePoint Server remote code execution vulnerability tracked as CVE-2026-45659.

The agency added the flaw to its Known Exploited Vulnerabilities Catalog on July 1, 2026, giving U.S. federal civilian agencies until July 4, 2026, to apply vendor guidance and perform required triage.

Microsoft’s security advisory describes the issue as a deserialization of untrusted data vulnerability in Microsoft Office SharePoint. An authenticated attacker could exploit it over a network to execute code on a vulnerable SharePoint Server.

What CVE-2026-45659 affects

CVE-2026-45659 affects on-premises SharePoint Server products, not SharePoint Online. The risk mainly applies to organizations that host and manage their own SharePoint infrastructure.

The National Vulnerability Database lists the flaw as CVSS 8.8, high severity. Its vector shows network access, low attack complexity, low privileges, and no user interaction.

That combination makes the vulnerability serious for exposed enterprise environments. An attacker still needs valid access, but they do not need an administrator account or victim interaction to attempt exploitation.

| Product | Affected versions | Fixed build |
|---|---|---|
| SharePoint Enterprise Server 2016 | Versions before 16.0.5552.1002 | 16.0.5552.1002 |
| SharePoint Server 2019 | Versions before 16.0.10417.20128 | 16.0.10417.20128 |
| SharePoint Server Subscription Edition | Versions before 16.0.19725.20280 | 16.0.19725.20280 |

Why the SharePoint flaw is dangerous

The vulnerability comes from unsafe handling of serialized data. In simple terms, the server reconstructs objects from data supplied by an authenticated user without adequately validating it, which can let that user trigger code execution.

SharePoint servers often store sensitive documents, internal workflows, user information, and business records. Many deployments also connect to identity systems, email, document libraries, and internal applications.

If attackers gain code execution on a SharePoint Server, they may try to deploy web shells, steal data, capture credentials, move laterally, or create persistence for later access.

  • The flaw affects on-premises SharePoint Server environments.
  • Attackers need authentication, but only low privileges are required.
  • No user interaction is required for exploitation.
  • The technical impact can include confidentiality, integrity, and availability loss.
  • CISA has confirmed active exploitation in real-world attacks.

CISA gives agencies a short remediation window

CISA’s KEV listing requires agencies to follow Microsoft’s mitigation instructions, comply with BOD 26-04, and apply forensic triage requirements where needed.

The deadline matters because KEV entries focus on vulnerabilities already used by attackers. For defenders, that means patching should move ahead of routine severity-based scheduling.

The July 4 deadline applies to U.S. federal civilian agencies, but private companies should treat it as a strong risk signal. Internet-facing SharePoint servers deserve immediate review.

| Timeline | Event |
|---|---|
| May 2026 | Microsoft published CVE-2026-45659 and released security updates. |
| July 1, 2026 | CISA added the vulnerability to the KEV catalog. |
| July 4, 2026 | Federal civilian agencies must complete required remediation actions. |

Microsoft updates are already available

Organizations should first identify every SharePoint Server instance and compare its build number with the fixed versions. Microsoft’s SharePoint updates page provides update history for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
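The build comparison described above, and the post-install verification step recommended later in the article, as an added example that is not Microsoft's or the article's own code. It assumes it runs in the SharePoint Management Shell on a farm server (for Get-SPFarm), that the operator supplies the product name, and that Microsoft.SharePoint.dll lives in the standard 16-hive ISAPI folder.

```powershell
# Fixed builds exactly as listed in the table above for CVE-2026-45659.
$FixedBuilds = @{
    'SharePoint Enterprise Server 2016'      = [version]'16.0.5552.1002'
    'SharePoint Server 2019'                 = [version]'16.0.10417.20128'
    'SharePoint Server Subscription Edition' = [version]'16.0.19725.20280'
}

function Test-SharePointBuild {
    # Returns an object stating whether a build is at or above the fixed build.
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][version]$Build
    )
    if (-not $FixedBuilds.ContainsKey($Product)) {
        throw "Unknown product '$Product'; expected one of: $($FixedBuilds.Keys -join ', ')"
    }
    $fixed = $FixedBuilds[$Product]
    [pscustomobject]@{
        Product    = $Product
        Installed  = $Build
        FixedBuild = $fixed
        # [version] compares component by component, so a plain string
        # comparison (where '16.0.10417.2012' would sort after '16.0.10417.20128') is avoided.
        Patched    = ($Build -ge $fixed)
    }
}

function Get-LocalSharePointBuild {
    # Reads two build numbers: the farm's recorded build, which only advances after
    # the Products Configuration Wizard (PSConfig) completes, and the version of
    # Microsoft.SharePoint.dll actually on disk. A DLL above the farm build is the
    # "installed but incomplete" state the article warns about. The DLL path and the
    # PSConfig behaviour are assumptions about a standard 16-hive install.
    $farm    = (Get-SPFarm).BuildVersion
    $dllPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
    $dll     = [version](Get-Item $dllPath).VersionInfo.FileVersion
    [pscustomobject]@{
        FarmBuild     = $farm
        DllBuild      = $dll
        ConfigPending = ($dll -gt $farm)   # binaries updated, wizard not yet run
    }
}

# Example use on a Subscription Edition farm:
# $local = Get-LocalSharePointBuild
# Test-SharePointBuild -Product 'SharePoint Server Subscription Edition' -Build $local.FarmBuild
```

A server is only fully remediated when Patched is True and ConfigPending is False; check every server in the farm, not just the one running the script.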

Administrators should not assume internal SharePoint servers are safe. Systems that sit behind a VPN, reverse proxy, or corporate firewall can still face risk if attackers already have valid credentials.

Microsoft’s CVE page should remain the main vendor reference for patch guidance, affected products, and any later advisory changes.

What security teams should check now

Security teams should treat CVE-2026-45659 as both a patching issue and a compromise assessment issue. Active exploitation means some organizations may already have suspicious activity to investigate.

The NVD entry maps the weakness to CWE-502, deserialization of untrusted data. That class of flaw can be difficult to detect with simple perimeter rules because traffic may appear to come from an authenticated user.

Teams should review SharePoint logs, IIS logs, authentication events, endpoint telemetry, and outbound network activity from SharePoint servers. Unusual process execution from web server processes should receive urgent attention.

  • Inventory all SharePoint Server 2016, 2019, and Subscription Edition deployments.
  • Confirm whether each server has the May 2026 security update level or later.
  • Check whether SharePoint is exposed to the internet or reachable from untrusted networks.
  • Review recent login activity for low-privilege accounts with SharePoint access.
  • Search for unexpected web shells, scripts, scheduled tasks, or new files in SharePoint directories.
  • Inspect IIS logs for unusual authenticated requests and repeated error patterns.
  • Follow risk-based remediation guidance when prioritizing exposed systems.
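The IIS log review in the checklist above, as an added example that is not the article's own code. The log lines are constructed samples in the default W3C IIS format (field names come from the #Fields: header), the endpoint path is a placeholder, and the error threshold is an assumption to tune per site.

```powershell
# Constructed sample: a normal user, then an account hammering one POST endpoint
# from an external address and drawing repeated HTTP 500s.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2026-07-02 09:00:01 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\alice 10.0.1.20 200 0
2026-07-02 09:00:07 10.0.0.5 POST /_layouts/15/PLACEHOLDER.aspx - 443 CORP\svc_print 203.0.113.9 500 0
2026-07-02 09:00:09 10.0.0.5 POST /_layouts/15/PLACEHOLDER.aspx - 443 CORP\svc_print 203.0.113.9 500 0
2026-07-02 09:00:11 10.0.0.5 POST /_layouts/15/PLACEHOLDER.aspx - 443 CORP\svc_print 203.0.113.9 200 0
2026-07-02 09:01:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\bob 10.0.1.21 200 0
'@

function ConvertFrom-IisW3CLog {
    # Turns W3C log lines into objects whose property names match the #Fields: header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Log has no #Fields: header' }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Find-AuthenticatedErrorBursts {
    # Groups authenticated requests by account and client IP and flags pairs with
    # repeated server errors on POST requests, the "unusual authenticated requests
    # and repeated error patterns" the checklist asks for. Results are leads for
    # triage, not proof of exploitation.
    param([object[]]$Entries, [int]$MinErrors = 2)
    $Entries | Where-Object { $_.'cs-username' -ne '-' } |
        Group-Object 'cs-username', 'c-ip' | ForEach-Object {
            $errors = @($_.Group | Where-Object { $_.'cs-method' -eq 'POST' -and [int]$_.'sc-status' -ge 500 })
            if ($errors.Count -ge $MinErrors) {
                [pscustomobject]@{
                    User       = $_.Group[0].'cs-username'
                    ClientIp   = $_.Group[0].'c-ip'
                    Requests   = $_.Count
                    PostErrors = $errors.Count
                    Paths      = ($errors.'cs-uri-stem' | Sort-Object -Unique) -join ';'
                }
            }
        }
}

ConvertFrom-IisW3CLog -Lines ($SampleLog -split "`r?`n") | Find-AuthenticatedErrorBursts | Format-Table
```

Point the same functions at real files with `Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log` and correlate any flagged account with the authentication events and endpoint telemetry the article lists.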

Why this matters for enterprises

SharePoint remains a valuable target because it combines user access, document storage, collaboration data, and enterprise trust relationships. Attackers often look for these systems because one compromise can open several paths into an organization.

Even though CVE-2026-45659 requires authentication, that requirement does not remove the threat. Stolen credentials, reused passwords, phishing, and compromised low-privilege accounts can give attackers the access they need.

Organizations should also review whether older SharePoint deployments still meet current business and security needs. Servers nearing end of support or missing regular update processes can quickly become high-value attack surfaces.

The priority is to patch affected SharePoint Server systems without delay. Teams should also verify the update status after installation, because a failed or incomplete patch can leave the server exposed.

Microsoft’s update history can help administrators confirm fixed builds across supported SharePoint Server versions.

After patching, organizations should perform a focused investigation for signs of exploitation. This matters because fixing the vulnerability does not automatically remove an attacker who already gained access.

| Action | Purpose |
|---|---|
| Apply SharePoint security updates | Remove the vulnerable code path from affected systems. |
| Verify fixed build numbers | Confirm patching succeeded across every server. |
| Review SharePoint and IIS logs | Look for exploitation attempts or post-exploitation activity. |
| Check for web shells and suspicious files | Find persistence mechanisms attackers may have planted. |
| Limit external exposure | Reduce the number of paths attackers can use to reach SharePoint. |
| Reset affected credentials if compromise is suspected | Reduce the risk of follow-on account abuse. |

FAQ

What is CVE-2026-45659?

CVE-2026-45659 is a Microsoft SharePoint Server remote code execution vulnerability caused by deserialization of untrusted data. An authenticated attacker could exploit it over a network to execute code on a vulnerable server.

Is CVE-2026-45659 being actively exploited?

Yes. CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog on July 1, 2026, citing evidence of active exploitation.

Which SharePoint versions are affected by CVE-2026-45659?

The affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Administrators should compare installed builds with Microsoft’s fixed versions.

Does CVE-2026-45659 affect SharePoint Online?

The vulnerability applies to on-premises Microsoft SharePoint Server products. The available advisories focus on SharePoint Server, not SharePoint Online.

What should organizations do about CVE-2026-45659?

Organizations should patch affected SharePoint Server deployments, verify fixed build numbers, review SharePoint and IIS logs, check for web shells or unusual process activity, and reduce unnecessary internet exposure.
