SharePoint RCE Under Active Exploitation, CISA Deadline July 4
CVE-2026-45659 lets authenticated attackers with basic Site Member permissions execute arbitrary code on SharePoint servers. CISA added it to KEV after confirming active exploitation.
CISA added a Microsoft SharePoint deserialization vulnerability to its Known Exploited Vulnerabilities catalog on July 1, giving federal agencies until July 4 to patch—a holiday weekend deadline that underscores the urgency. Active exploitation is already underway, though specifics about the attackers, their methods, and objectives remain unknown.
CVE-2026-45659 carries a CVSS score of 8.8. The flaw stems from unsafe deserialization of untrusted data: a SharePoint endpoint accepts crafted serialized input and rebuilds it into objects without validating the object types. Any authenticated attacker with minimum Site Member permissions—not admin, not even elevated privileges—can leverage it to execute arbitrary code on the SharePoint server.
Affected Versions
The vulnerability impacts:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
Microsoft shipped patches as part of its May 2026 security updates. If you haven't applied them, your SharePoint environment is exposed.
Why This Matters
SharePoint's role as a collaboration backbone for enterprises makes it a high-value target. Attackers who achieve code execution on SharePoint servers gain access to sensitive documents, internal communications, and potentially lateral movement paths into connected systems. The low privilege requirement—just basic site membership—dramatically expands the pool of accounts that could be weaponized.
Microsoft's own advisory rated exploitation as "Less Likely," but the CISA KEV addition means that assessment was wrong. Real-world abuse has been documented, and the vulnerability is now in the hands of threat actors who've demonstrated they can exploit it.
This follows a pattern of SharePoint vulnerabilities becoming active targets. We covered critical Adobe ColdFusion flaws reaching CVSS 10.0 earlier this week as part of a broader enterprise software campaign, and SharePoint's deserialization history makes it a repeat offender—attackers know the codebase and exploitation techniques transfer across flaws.
Technical Details
The attack vector is network-based with low attack complexity. Authentication is required but no user interaction is necessary—an authenticated attacker can exploit the vulnerability directly without phishing or social engineering additional victims.
CISA's description is direct: "Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network."
Proof-of-concept code availability wasn't disclosed in the KEV listing, but the short deadline and active exploitation status suggest working exploits exist in the wild.
Recommended Actions
- Apply May 2026 patches immediately - This is the only complete fix
- Review Site Member assignments - Audit who has membership access and whether they still need it
- Monitor for suspicious activity - Unusual file uploads, new workflows, or unexpected server processes could indicate exploitation
- Segment SharePoint infrastructure - Limit what attackers can reach even if they achieve initial code execution
- Enable enhanced logging - Windows event logs and SharePoint audit logs can help identify exploitation attempts
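The "unexpected server processes" check from the list above, written out as an added example (not code from this article, Microsoft, or CISA). It assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names, that SharePoint runs inside the IIS worker process `w3wp.exe`, and a hypothetical allowlist of normal child processes; the sample events are constructed.

```python
import json
import ntpath

# Assumption: SharePoint web applications run inside IIS worker processes.
WORKER = "w3wp.exe"
# Assumption: children seen in normal ASP.NET operation; tune to your own baseline.
EXPECTED = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}
# Interpreters and tools a web worker rarely has a legitimate reason to start.
HIGH_RISK = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
             "rundll32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

def exe_name(path):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return None for events of no interest, else a finding with a severity."""
    if exe_name(event.get("ParentImage")) != WORKER:
        return None
    child = exe_name(event.get("Image"))
    if child in EXPECTED:
        return None
    return {"severity": "high" if child in HIGH_RISK else "review",
            "child": child, "user": event.get("User", "?"),
            "command_line": event.get("CommandLine", "")}

def scan(lines):
    """Triage JSON-lines process-creation events, skipping unparseable lines."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = triage(event) if isinstance(event, dict) else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (field names as in Sysmon Event ID 1), not real telemetry.
W3WP, POOL = r"C:\Windows\System32\inetsrv\w3wp.exe", r"CONTOSO\svc_sppool"
SAMPLE = [json.dumps(e) for e in [
    {"ParentImage": W3WP, "User": POOL, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"ParentImage": W3WP, "User": POOL, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": W3WP, "User": POOL, "Image": r"C:\Windows\Temp\svc_update.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "User": r"CONTOSO\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]] + ["truncated {not json"]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"[{f['severity']}] {WORKER} -> {f['child']} as {f['user']}: {f['command_line']}")
```

The compiler child (`csc.exe`) and the PowerShell started from `explorer.exe` are ignored; only children of the worker process that fall outside the allowlist are reported.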
The July 4 federal deadline isn't arbitrary—it reflects CISA's assessment that attackers are moving fast. Private sector organizations should treat this with the same urgency. A holiday weekend with skeleton IT staff is exactly when attackers prefer to strike.