PROBABLYPWNED
Vulnerabilities | July 3, 2026 | 3 min read

SharePoint RCE Under Active Exploitation, CISA Deadline July 4

CVE-2026-45659 lets authenticated attackers with basic Site Member permissions execute arbitrary code on SharePoint servers. CISA added it to KEV after confirming active exploitation.

Marcus Chen

CISA added a Microsoft SharePoint deserialization vulnerability to its Known Exploited Vulnerabilities catalog on July 1, giving federal agencies until July 4 to patch—a holiday weekend deadline that underscores the urgency. Active exploitation is already underway, though specifics about the attackers, their methods, and objectives remain unknown.

CVE-2026-45659 carries a CVSS score of 8.8. The flaw stems from unsafe deserialization of untrusted data: a SharePoint endpoint accepts crafted serialized input and rebuilds it into objects without validating the object types. Any authenticated attacker with minimum Site Member permissions—not admin, not even elevated privileges—can leverage it to execute arbitrary code on the SharePoint server.

Affected Versions

The vulnerability impacts:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Enterprise Server 2016

Microsoft shipped patches as part of its May 2026 security updates. If you haven't applied them, your SharePoint environment is exposed.

Why This Matters

SharePoint's role as a collaboration backbone for enterprises makes it a high-value target. Attackers who achieve code execution on SharePoint servers gain access to sensitive documents, internal communications, and potentially lateral movement paths into connected systems. The low privilege requirement—just basic site membership—dramatically expands the pool of accounts that could be weaponized.

Microsoft's own advisory rated exploitation as "Less Likely," but the CISA KEV addition means that assessment was wrong. Real-world abuse has been documented, and the vulnerability is now in the hands of threat actors who've demonstrated they can exploit it.

This follows a pattern of SharePoint vulnerabilities becoming active targets. We covered critical Adobe ColdFusion flaws reaching CVSS 10.0 earlier this week as part of a broader enterprise software campaign, and SharePoint's deserialization history makes it a repeat offender—attackers know the codebase and exploitation techniques transfer across flaws.

Technical Details

The attack vector is network-based with low attack complexity. Authentication is required but no user interaction is necessary—an authenticated attacker can exploit the vulnerability directly without phishing or social engineering additional victims.

CISA's description is direct: "Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network."

The KEV listing does not say whether proof-of-concept code is available, but the short deadline and active exploitation status suggest working exploits exist in the wild.

Recommended Actions

  1. Apply May 2026 patches immediately - This is the only complete fix
  2. Review Site Member assignments - Audit who has membership access and whether they still need it
  3. Monitor for suspicious activity - Unusual file uploads, new workflows, or unexpected server processes could indicate exploitation
  4. Segment SharePoint infrastructure - Limit what attackers can reach even if they achieve initial code execution
  5. Enable enhanced logging - Windows event logs and SharePoint audit logs can help identify exploitation attempts
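
The "unexpected server processes" check in item 3 can be run over the process-creation logs from item 5. The sketch below is an added example, not code from this article, Microsoft or CISA. It assumes events exported oldest-first as JSON lines using Sysmon Event ID 1 field names, and its allowlist of normal w3wp.exe children is an assumption to tune against your own baseline.

```python
import json
from pathlib import PureWindowsPath

WORKER = "w3wp.exe"  # IIS worker process that hosts SharePoint web applications
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe"}  # assumption: ASP.NET compilers; tune to your baseline
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry), one JSON object per line, oldest first.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-07-03 02:10:58","ProcessGuid":"A1","ParentProcessGuid":"W1","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"UtcTime":"2026-07-03 02:11:04","ProcessGuid":"A2","ParentProcessGuid":"W1","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"UtcTime":"2026-07-03 02:11:05","ProcessGuid":"A3","ParentProcessGuid":"A2","Image":"C:\\Windows\\System32\\whoami.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"UtcTime":"2026-07-03 02:12:30","ProcessGuid":"B1","ParentProcessGuid":"E1","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"UtcTime":"2026-07-03 02:13:00","ProcessGu
{"UtcTime":"2026-07-03 02:14:41","ProcessGuid":"A4","ParentProcessGuid":"W1","Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\WINDOWS\\SYSTEM32\\INETSRV\\W3WP.EXE"}
"""

def _name(path):
    """Lower-cased file name of a Windows path, parsed correctly on any OS."""
    return PureWindowsPath(str(path or "")).name.lower()

def find_suspicious(lines):
    """Flag unexpected children of w3wp.exe and every process descended from them."""
    tainted, findings = set(), []  # tainted holds ProcessGuids of flagged processes
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(ev, dict):
            continue
        child, parent = _name(ev.get("Image")), _name(ev.get("ParentImage"))
        if parent == WORKER and child not in EXPECTED_CHILDREN:
            reason = "shell-from-w3wp" if child in SHELLS else "unexpected-w3wp-child"
        elif ev.get("ParentProcessGuid") in tainted:
            reason = "descendant-of-flagged"
        else:
            continue
        guid = ev.get("ProcessGuid")
        if guid:
            tainted.add(guid)
        findings.append({"time": ev.get("UtcTime"), "guid": guid,
                         "image": ev.get("Image"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

A hit here is a lead for triage, not proof of exploitation of this CVE; the same pattern appears for other server-side code execution in IIS-hosted applications.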

The July 4 federal deadline isn't arbitrary—it reflects CISA's assessment that attackers are moving fast. Private sector organizations should treat this with the same urgency. A holiday weekend with skeleton IT staff is exactly when attackers prefer to strike.
