CISA Flags a SharePoint RCE, CVE-2026-45659, as Actively Exploited, and Any Logged-In User Is Enough

A deserialization bug in on-prem SharePoint has moved from patched to actively exploited, and it only needs an authenticated account with basic Site Member rights. Federal agencies have until Saturday to close it.

Published July 2, 2026

Another SharePoint Flaw Crosses From Patched to Exploited

On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, and the timing tells the whole story. Microsoft shipped the fix back on May 21, so this is not a case of defenders being caught without a patch. It is a case of the six-week window between the fix and in-the-wild exploitation closing exactly as we have come to expect for an internet-facing Microsoft collaboration server. The flaw is a remote code execution bug in on-premises SharePoint, rated CVSS 8.8, and the KEV listing means CISA has evidence of it being used in real attacks, not merely that it is theoretically dangerous.

We keep writing versions of this paragraph because the pattern does not change. On-prem SharePoint sits at the intersection of high value and high exposure: it holds documents, credentials, and workflow logic, and it is frequently published to the open internet for remote staff. That combination makes it one of the most reliably targeted enterprise products in the Microsoft estate. The KEV listing is not a warning about what might happen. It is a notice that the clock defenders were watching has already run out.

What CVE-2026-45659 Actually Does

The vulnerability is a classic deserialization of untrusted data weakness. SharePoint accepts serialized objects and reconstructs them into live .NET objects without adequately validating what it is rebuilding, so an attacker who controls that input can steer the IIS worker process (w3wp.exe) into executing arbitrary code under the application pool account's identity. As CISA put it in its advisory, the flaw allows an authorized attacker to execute code over a network. Deserialization bugs have haunted the .NET ecosystem for years, and SharePoint's long tail of legacy components gives them a wide surface to land on.

The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Cloud-hosted SharePoint Online is not the concern here: this is squarely an on-prem problem, which means it lands on the shoulders of the organizations that still run their own farms for compliance, data residency, or integration reasons. Those are often the same organizations with the slowest patch cycles, because change control on a production SharePoint farm is genuinely painful. That friction is precisely what attackers are counting on.

The Low Privilege Bar Is the Real Problem

What makes this flaw dangerous is not just that it yields code execution, but how little an attacker needs to trigger it. Microsoft was blunt in its guidance: "Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges." The exploit needs an account with only Site Member permissions, the kind of low-privilege access that is handed out routinely to contractors, partners, and rank-and-file employees. There is no user interaction required and the attack complexity is low.

In practice, that collapses the distance between a single compromised set of credentials and full server compromise. A phished contractor password, a reused login found in a credential dump, or an over-provisioned service account is all it takes to convert read access into code execution. We have argued before that authenticated-only flaws are often treated as second-tier by patch teams, and this is the counterexample that should end that habit. When the authentication bar is this low, the distinction between authenticated and unauthenticated is mostly academic to a motivated intruder.

SharePoint's Ransomware Track Record Is the Warning

History here is not reassuring. Since 2021, eleven SharePoint vulnerabilities have been exploited in the wild, and seven of them have been tied to ransomware operations. The threat cluster tracked as Storm-2603 has been abusing SharePoint flaws since mid-2025, using them as an entry point to deploy Warlock ransomware inside victim networks. A June 2026 incident even revealed two unrelated threat actors operating inside the same compromised environment at once, a sign of just how quickly these servers get picked over once a working technique circulates.

That lineage matters because it shapes the likely blast radius of CVE-2026-45659. SharePoint is rarely the final target. It is the beachhead: a foothold from which attackers harvest credentials, move laterally into file shares and identity systems, and stage encryption. Treating this as an isolated web app bug underestimates it. The realistic scenario is a chain that begins with a single logged-in session and ends with domain-wide extortion, and the groups with the tooling to run that chain are already active in this exact product.

Ten Thousand Servers and a Three-Day Clock

The scale of exposure is not trivial. Shadowserver currently tracks more than 10,000 SharePoint servers reachable from the open internet, and every one of them running an unpatched build is a candidate. CISA has ordered Federal Civilian Executive Branch agencies to remediate by Saturday, July 4, under Binding Operational Directive 26-04, a notably compressed timeline that reflects how seriously the agency is treating active exploitation. When the government gives itself a three-day deadline, private enterprises should read that as the floor, not the ceiling, for their own urgency.

For most enterprises the fix itself is not the hard part, because Microsoft has had a patch available since May. The hard part is knowing where every SharePoint farm lives, including the forgotten departmental instance nobody has owned in three years. Those orphaned servers are exactly the ones that stay exposed and unpatched, and they are the ones attackers find first through mass internet scanning. Asset inventory, not patch engineering, is the constraint that will determine who gets hit.

What Security Leaders Should Do Now

The immediate action is straightforward: identify every on-prem SharePoint instance, confirm the May 2026 update is installed on every server in each farm and that the SharePoint Products Configuration Wizard (PSConfig) has been run afterwards, since a SharePoint update is not complete until it has, and prioritize anything internet-facing. Because the flaw requires only a low-privilege account, patching should be paired with a credential hygiene sweep: rotate exposed service accounts, enforce multi-factor authentication on all SharePoint access, and audit who actually holds Site Member and higher permissions, remembering that a single Active Directory group granted Contribute hands that level to every account in it. Least privilege is not a compliance checkbox here, it is a direct mitigation against the exact precondition this exploit needs.
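The three checks above (patch level on each server, which web applications are published externally, and who holds Site Member or higher) can be scripted against the farm. The following is an added example written for this article, not code from Microsoft, CISA or the article's author. It runs in the SharePoint Management Shell (Windows PowerShell 5.1) on a farm server with farm-administrator rights. Two assumptions are its own: the `-PatchedBuild` value is a placeholder you replace with the build number the May 2026 update's KB article lists for your edition, and "Site Member or higher" is approximated as any role definition that grants EditListItems, the permission the default Contribute level carries.

```powershell
# Added example for this article; not Microsoft's or CISA's code. Run in the SharePoint
# Management Shell (Windows PowerShell 5.1) on a farm server as a farm administrator.
# Assumptions: -PatchedBuild is a placeholder for the build number in the May 2026 update's KB
# for your edition; "Site Member or higher" is approximated as any role definition granting
# EditListItems, which the default Contribute level carries.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPPatchLevel {
    param([Parameter(Mandatory)][version]$PatchedBuild)
    # Binaries on this server: file version of the core SharePoint assembly.
    $dll = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
    $onDisk = [version](Get-Item $dll).VersionInfo.FileVersion
    # Farm state: PSConfig must run on every server after the package installs;
    # NeedsUpgrade flags the servers where that has not happened yet.
    $pending = @(Get-SPServer | Where-Object { $_.NeedsUpgrade } | ForEach-Object Name)
    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        BinaryVersion   = $onDisk
        RequiredBuild   = $PatchedBuild
        BinariesPatched = ($onDisk -ge $PatchedBuild)
        FarmBuild       = (Get-SPFarm).BuildVersion
        PSConfigPending = ($pending -join ', ')
    }
}

function Get-SPInternetFacingWebApp {
    # Web applications with an Internet or Extranet zone alternate access mapping are the
    # likeliest to be published; confirm with an external scan, since a Default-zone URL
    # can be published through a reverse proxy just as easily.
    foreach ($wa in Get-SPWebApplication) {
        $aams = @(Get-SPAlternateURL -WebApplication $wa)
        [pscustomobject]@{
            WebApplication  = $wa.DisplayName
            IncomingUrls    = ($aams.IncomingUrl -join ', ')
            HasExternalZone = [bool]($aams | Where-Object { $_.Zone -in 'Internet', 'Extranet' })
        }
    }
}

function Get-SPContributorReport {
    $edit = [Microsoft.SharePoint.SPBasePermissions]::EditListItems
    foreach ($site in Get-SPSite -Limit All) {
        foreach ($web in $site.AllWebs) {
            # Webs that inherit permissions repeat their parent's ACL; only unique ACLs are
            # listed. Lists with broken inheritance are not covered by this report.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $hits = @($ra.RoleDefinitionBindings | Where-Object { ($_.BasePermissions -band $edit) -ne 0 })
                    if ($hits.Count -eq 0) { continue }
                    $roles  = ($hits.Name | Sort-Object -Unique) -join ', '
                    $member = $ra.Member
                    $isGroup = $member -is [Microsoft.SharePoint.SPGroup]
                    # Expand SharePoint groups to their members; IsDomainGroup = True means an
                    # AD group was granted the level, so every account in it clears the bar.
                    $principals = if ($isGroup) { $member.Users } else { @($member) }
                    foreach ($p in $principals) {
                        [pscustomobject]@{
                            Web           = $web.Url
                            Login         = $p.LoginName
                            IsDomainGroup = $p.IsDomainGroup
                            ViaGroup      = if ($isGroup) { $member.Name } else { '' }
                            Roles         = $roles
                        }
                    }
                }
            }
            $web.Dispose()
        }
        $site.Dispose()
    }
}

# Usage (replace the placeholder build with the one from the KB article for your edition):
# Test-SPPatchLevel -PatchedBuild '16.0.0.0'
# Get-SPInternetFacingWebApp | Format-Table -AutoSize
# Get-SPContributorReport | Export-Csv .\sharepoint-contributors.csv -NoTypeInformation
```

Run `Test-SPPatchLevel` on every server in the farm, not just one: the binary check is per server, while `PSConfigPending` lists the servers still waiting for the configuration wizard. In the contributor report, rows where `IsDomainGroup` is true are the ones to look at first, because a broad AD group such as all staff or all contractors turns "authenticated attacker" into "anyone with a phished password".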

Beyond the patch, assume that any server exposed since late June may already have been touched, and hunt accordingly. Look for anomalous process creation from the IIS worker process (w3wp.exe launching cmd.exe, PowerShell or other script hosts), for newly written .aspx or .ashx files under the LAYOUTS template directory or the web application's virtual directories, and for new local accounts or scheduled tasks. Given the ransomware groups circling this product, the goal is not just to close the door but to confirm nobody walked through it first. In our view, treating a KEV listing as an incident-response trigger, and not merely a patch reminder, is the discipline that separates the organizations that recover quickly from the ones that make headlines.
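The hunt described above, as an added example written for this article rather than detection content from CISA, Microsoft or any vendor. It assumes Sysmon is installed on the web front ends (process creation is Event ID 1), that the Security log records events 4720, 4732 and 4698, and that the hunt window begins at a date you set in `$Since`. The sample records at the bottom are constructed for illustration so the filter can be exercised offline; they are not real telemetry. The filter is deliberately separated from the event collection so the same logic runs over live Sysmon output.

```powershell
# Added hunting example for this article; not CISA's, Microsoft's or any vendor's detection content.
# Assumptions: Sysmon on the web front ends (process creation = Event ID 1), Security auditing
# for 4720/4732/4698, and a hunt window starting at $Since (set here for the "exposed since late
# June" scenario; adjust it). $Sample below is constructed, not real telemetry.

$Since = Get-Date '2026-06-20'

# Interpreters and LOLBins that the IIS worker process has no business launching.
$ShellLike = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
             'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'net.exe', 'net1.exe',
             'whoami.exe', 'nltest.exe', 'schtasks.exe'

# Pure filter over objects with Image/ParentImage, so constructed samples and live Sysmon
# output go through exactly the same logic.
function Select-SuspiciousSpawn {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
        if ($parent -eq 'w3wp.exe' -and $child -in $ShellLike) { $Event }
    }
}

# Sysmon Event ID 1 -> flat objects. (Without Sysmon, Security 4688 with command-line auditing
# enabled carries the same parent, child and command-line fields.)
function Get-SysmonProcessCreate {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = $d.User
            ParentImage = $d.ParentImage
            Image       = $d.Image
            CommandLine = $d.CommandLine
        }
    }
}

# Web shells: server-side files written recently under the shared LAYOUTS folder or any web
# application's virtual directory. Diff the result against your configuration baseline.
function Find-RecentWebFile {
    param([datetime]$StartTime)
    $roots = @(
        (Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'),
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    )
    Get-ChildItem -Path $roots -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.svc, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $StartTime -or $_.LastWriteTime -ge $StartTime } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# Persistence: 4720 = user account created, 4732 = member added to a local group,
# 4698 = scheduled task created.
function Get-NewAccountOrTask {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732, 4698; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Constructed sample, not real telemetry: one w3wp.exe -> cmd.exe spawn among benign noise.
$Sample = @(
    [pscustomobject]@{ Time = '2026-06-28 03:14:07'; Host = 'SP-WFE01'; User = 'CONTOSO\sp_apppool'
                       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = '2026-06-28 03:14:08'; Host = 'SP-WFE01'; User = 'CONTOSO\sp_apppool'
                       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image = 'C:\Windows\System32\conhost.exe'; CommandLine = 'conhost.exe 0xffffffff' }
    [pscustomobject]@{ Time = '2026-06-28 09:00:00'; Host = 'SP-WFE01'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\nightly-backup.ps1' }
)
$Sample | Select-SuspiciousSpawn | Format-Table Time, Host, User, CommandLine -AutoSize

# Live hunt on a web front end, from an elevated prompt:
# Get-SysmonProcessCreate -StartTime $Since | Select-SuspiciousSpawn | Format-Table -AutoSize
# Find-RecentWebFile -StartTime $Since
# Get-NewAccountOrTask -StartTime $Since
```

Of the three constructed records, only the first should come back from `Select-SuspiciousSpawn`: w3wp.exe running `cmd.exe /c whoami` as the application pool account is the post-exploitation signature to chase, while the conhost child and the SYSTEM-owned backup script are ordinary noise. A hit from the live hunt is a reason to preserve the server for forensics before patching over it, since the patch closes the door but does not evict whoever is already inside.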
