CISA Warns Microsoft SharePoint Server RCE Vulnerability Is Being Exploited
CISA has warned that attackers are exploiting a Microsoft SharePoint Server remote code execution vulnerability tracked as CVE-2026-45659.
The agency added the flaw to its Known Exploited Vulnerabilities Catalog on July 1, 2026, giving U.S. federal civilian agencies until July 4, 2026, to apply vendor guidance and perform required triage.
Microsoft’s security advisory describes the issue as a deserialization of untrusted data vulnerability in Microsoft Office SharePoint. An authenticated attacker could exploit it over a network to execute code on a vulnerable SharePoint Server.
What CVE-2026-45659 affects
CVE-2026-45659 affects on-premises SharePoint Server products, not SharePoint Online. The risk mainly applies to organizations that host and manage their own SharePoint infrastructure.
The National Vulnerability Database lists the flaw as CVSS 8.8, high severity. Its vector shows network access, low attack complexity, low privileges, and no user interaction.
That combination makes the vulnerability serious for exposed enterprise environments. An attacker still needs valid access, but they do not need an administrator account or victim interaction to attempt exploitation.
| Product | Affected versions | Fixed build |
|---|---|---|
| SharePoint Enterprise Server 2016 | Versions before 16.0.5552.1002 | 16.0.5552.1002 |
| SharePoint Server 2019 | Versions before 16.0.10417.20128 | 16.0.10417.20128 |
| SharePoint Server Subscription Edition | Versions before 16.0.19725.20280 | 16.0.19725.20280 |
Why the SharePoint flaw is dangerous
The vulnerability comes from unsafe handling of serialized data. In simple terms, the server may process data in a way that lets an authorized attacker trigger code execution.
SharePoint servers often store sensitive documents, internal workflows, user information, and business records. Many deployments also connect to identity systems, email, document libraries, and internal applications.
If attackers gain code execution on a SharePoint Server, they may try to deploy web shells, steal data, capture credentials, move laterally, or create persistence for later access.
- The flaw affects on-premises SharePoint Server environments.
- Attackers need authentication, but only low privileges are required.
- No user interaction is required for exploitation.
- The technical impact can include confidentiality, integrity, and availability loss.
- CISA has confirmed active exploitation in real-world attacks.
CISA gives agencies a short remediation window
CISA’s KEV listing requires agencies to follow Microsoft’s mitigation instructions, comply with BOD 26-04, and apply forensic triage requirements where needed.
The deadline matters because KEV entries focus on vulnerabilities already used by attackers. For defenders, that means patching should move ahead of routine severity-based scheduling.
The July 4 deadline applies to U.S. federal civilian agencies, but private companies should treat it as a strong risk signal. Internet-facing SharePoint servers deserve immediate review.
| Timeline | Event |
|---|---|
| May 2026 | Microsoft published CVE-2026-45659 and released security updates. |
| July 1, 2026 | CISA added the vulnerability to the KEV catalog. |
| July 4, 2026 | Federal civilian agencies must complete required remediation actions. |
Microsoft updates are already available
Organizations should first identify every SharePoint Server instance and compare its build number with the fixed versions. Microsoft’s SharePoint updates page provides update history for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
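One way to do that build comparison across an inventory, as an added example that is not code from the advisory or from Microsoft: it encodes the fixed builds from the table above and classifies each server; the server names and installed builds are constructed samples, and the `INVENTORY` list is a stand-in for whatever asset source a team actually uses.

```python
# Added example (not from the advisory or from Microsoft): compare installed
# SharePoint build numbers against the fixed builds in the table above.
# Server names and installed builds in INVENTORY are constructed samples.
from typing import Dict, List, Tuple

# Fixed builds for CVE-2026-45659, keyed by product name as the table lists them.
FIXED_BUILDS: Dict[str, str] = {
    "SharePoint Enterprise Server 2016": "16.0.5552.1002",
    "SharePoint Server 2019": "16.0.10417.20128",
    "SharePoint Server Subscription Edition": "16.0.19725.20280",
}

def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Split a four-part build such as '16.0.10417.20128' into integers so the
    comparison is numeric; as strings, '16.0.10417.9999' would sort above
    '16.0.10417.20128' and mis-classify an older build as patched."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected SharePoint build format: {build!r}")
    major, minor, build_no, rev = (int(p) for p in parts)
    return major, minor, build_no, rev

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed build for its product."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fixed build on record for {product!r}")
    return parse_build(installed) < parse_build(FIXED_BUILDS[product])

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map server name -> 'vulnerable', 'patched' or 'unknown' (unparseable build
    or product not in the table); inventory rows are (server, product, build)."""
    result: Dict[str, str] = {}
    for server, product, installed in inventory:
        try:
            result[server] = "vulnerable" if is_vulnerable(product, installed) else "patched"
        except (KeyError, ValueError):
            result[server] = "unknown"  # surface for manual review rather than dropping
    return result

# Constructed sample inventory; real values come from each farm's build version.
INVENTORY = [
    ("sp2019-01", "SharePoint Server 2019", "16.0.10417.20128"),
    ("sp2019-02", "SharePoint Server 2019", "16.0.10416.20027"),
    ("spse-01", "SharePoint Server Subscription Edition", "16.0.19725.20279"),
    ("sp2016-01", "SharePoint Enterprise Server 2016", "16.0.5552.1002"),
    ("legacy-01", "SharePoint Server 2013", "15.0.4571.1502"),
]

if __name__ == "__main__":
    for server, status in triage(INVENTORY).items():
        print(f"{server}: {status}")
```

Servers reported as "unknown" still need a manual check; an unlisted product or a malformed build string is a gap in the inventory, not evidence that the server is safe.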
Administrators should not assume internal SharePoint servers are safe. Systems that sit behind a VPN, reverse proxy, or corporate firewall can still face risk if attackers already have valid credentials.
Microsoft’s CVE page should remain the main vendor reference for patch guidance, affected products, and any later advisory changes.
What security teams should check now
Security teams should treat CVE-2026-45659 as both a patching issue and a compromise assessment issue. Active exploitation means some organizations may already have suspicious activity to investigate.
The NVD entry maps the weakness to CWE-502, deserialization of untrusted data. That class of flaw can be difficult to detect with simple perimeter rules because traffic may appear to come from an authenticated user.
Teams should review SharePoint logs, IIS logs, authentication events, endpoint telemetry, and outbound network activity from SharePoint servers. Unusual process execution from web server processes should receive urgent attention.
- Inventory all SharePoint Server 2016, 2019, and Subscription Edition deployments.
- Confirm whether each server has the May 2026 security update level or later.
- Check whether SharePoint is exposed to the internet or reachable from untrusted networks.
- Review recent login activity for low-privilege accounts with SharePoint access.
- Search for unexpected web shells, scripts, scheduled tasks, or new files in SharePoint directories.
- Inspect IIS logs for unusual authenticated requests and repeated error patterns.
- Follow risk-based remediation guidance when prioritizing exposed systems.
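The IIS log review in the list above can be started with a small, deterministic pass before handing results to analysts. This is an added example, not code from the advisory: it parses IIS W3C-format logs using the `#Fields:` directive and flags authenticated users whose POST requests to one path repeatedly returned 5xx errors (the "repeated error patterns" the list mentions). The log lines are constructed samples.

```python
# Added example (not from the advisory): parse IIS W3C logs and surface
# authenticated users whose POSTs to one path repeatedly returned server errors.
# The log lines below are constructed samples, not real exploitation traffic.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2026-07-01 08:00:01 GET /sites/finance/default.aspx CORP\\alice 10.1.2.3 200 0
2026-07-01 08:10:00 POST /_layouts/15/start.aspx CORP\\svc-reports 203.0.113.9 500 0
2026-07-01 08:10:02 POST /_layouts/15/start.aspx CORP\\svc-reports 203.0.113.9 500 0
2026-07-01 08:10:04 POST /_layouts/15/start.aspx CORP\\svc-reports 203.0.113.9 500 0
2026-07-01 08:10:09 POST /_layouts/15/start.aspx CORP\\svc-reports 203.0.113.9 200 0
2026-07-01 08:11:00 GET /_layouts/15/settings.aspx - 198.51.100.7 401 2
"""

Key = Tuple[str, str, str]  # (cs-username, c-ip, cs-uri-stem)

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Build one dict per request using the column names from the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS can emit a new #Fields line mid-file
        elif line.startswith("#") or not line:
            continue
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated entries, don't misalign
                rows.append(dict(zip(fields, values)))
    return rows

def repeated_post_errors(rows: List[Dict[str, str]], min_errors: int = 3):
    """Return [(key, error_count, succeeded_later)] for authenticated POSTs that
    drew 5xx responses >= min_errors times from one source to one path;
    succeeded_later is True when a 2xx on the same key came after the errors."""
    errors: Dict[Key, int] = defaultdict(int)
    later_ok: Dict[Key, bool] = defaultdict(bool)
    for r in rows:
        if r["cs-username"] == "-" or r["cs-method"] != "POST":
            continue  # unauthenticated traffic and reads are out of scope here
        key: Key = (r["cs-username"], r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"].startswith("5"):
            errors[key] += 1
        elif r["sc-status"].startswith("2") and errors[key] > 0:
            later_ok[key] = True
    hits = [(k, n, later_ok[k]) for k, n in errors.items() if n >= min_errors]
    return sorted(hits, key=lambda h: -h[1])
```

A hit is a lead for the endpoint and authentication checks the list calls for, not a verdict on its own; the threshold and the field layout should be adjusted to the site's logging configuration.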
Why this matters for enterprises
SharePoint remains a valuable target because it combines user access, document storage, collaboration data, and enterprise trust relationships. Attackers often look for these systems because one compromise can open several paths into an organization.
Even though CVE-2026-45659 requires authentication, that requirement does not remove the threat. Stolen credentials, reused passwords, phishing, and compromised low-privilege accounts can give attackers the access they need.
Organizations should also review whether older SharePoint deployments still meet current business and security needs. Servers nearing end of support or missing regular update processes can quickly become high-value attack surfaces.
Recommended remediation steps
The priority is to patch affected SharePoint Server systems without delay. Teams should also verify the update status after installation, because a failed or incomplete patch can leave the server exposed.
Microsoft’s update history can help administrators confirm fixed builds across supported SharePoint Server versions.
After patching, organizations should perform a focused investigation for signs of exploitation. This matters because fixing the vulnerability does not automatically remove an attacker who already gained access.
| Action | Purpose |
|---|---|
| Apply SharePoint security updates | Remove the vulnerable code path from affected systems. |
| Verify fixed build numbers | Confirm patching succeeded across every server. |
| Review SharePoint and IIS logs | Look for exploitation attempts or post-exploitation activity. |
| Check for web shells and suspicious files | Find persistence mechanisms attackers may have planted. |
| Limit external exposure | Reduce the number of paths attackers can use to reach SharePoint. |
| Reset affected credentials if compromise is suspected | Reduce the risk of follow-on account abuse. |
FAQ
CVE-2026-45659 is a Microsoft SharePoint Server remote code execution vulnerability caused by deserialization of untrusted data. An authenticated attacker could exploit it over a network to execute code on a vulnerable server.
Yes. CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog on July 1, 2026, citing evidence of active exploitation.
The affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Administrators should compare installed builds with Microsoft’s fixed versions.
The vulnerability applies to on-premises Microsoft SharePoint Server products. The available advisories focus on SharePoint Server, not SharePoint Online.
Organizations should patch affected SharePoint Server deployments, verify fixed build numbers, review SharePoint and IIS logs, check for web shells or unusual process activity, and reduce unnecessary internet exposure.