SharePoint Under Fire: CISA Forces a July 4 Patch on CVE-2026-45659
Cybersecurity

SharePoint Under Fire: CISA Forces a July 4 Patch on CVE-2026-45659

CISA gave federal agencies three days to patch a SharePoint flaw that Microsoft rated 'exploitation less likely.' Two threat actors were already inside the same network, and one was staging Warlock ransomware.

PublishedJuly 7, 2026
Read time7 min read
Share

A Three-Day Clock No One Wanted Over a Holiday Weekend

On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog and handed Federal Civilian Executive Branch agencies one of the tightest deadlines it issues: patch by July 4. Under Binding Operational Directive 26-04, that is a three-day window, and it landed squarely on a holiday weekend when most security teams are running thin. The flaw is a high-severity remote code execution bug in on-premises Microsoft SharePoint Server, scored CVSS 8.8, rooted in the deserialization of untrusted data. In CISA's own words, the product 'contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network.'

We think the timing is the point worth sitting with. CISA does not add entries to the KEV catalog on suspicion; the listing is confirmation that exploitation is happening in real organizations right now. For CIOs and CISOs, a KEV entry with a compressed deadline is the closest thing to a fire alarm the federal government issues for software. If your agency answers to BOD 26-04, the deadline was mandatory. If it does not, the deadline still functions as free threat intelligence: the government has told you, in writing, that attackers are actively using this against production SharePoint deployments, and the clock started whether or not you were watching.

Microsoft Said 'Exploitation Less Likely.' Reality Disagreed.

Here is the uncomfortable part for anyone who prioritizes patches by vendor guidance alone. Microsoft shipped the fix in May 2026 and initially assessed CVE-2026-45659 as 'exploitation less likely.' By July, CISA had directly refuted that label with evidence of active in-the-wild attacks. This is not a knock on Microsoft's threat intelligence so much as a reminder of what these ratings actually are: probabilistic forecasts made at disclosure time, not durable promises about attacker behavior. A vulnerability rated unlikely to be exploited can and does flip to actively exploited within weeks, and the organizations that treated the May update as optional discovered that the middle of a long weekend is a poor time to learn otherwise.

Microsoft's technical justification for the 8.8 score is itself a warning. The company explained the vulnerability is dangerous 'because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.' Translated for the boardroom: this is not a delicate, one-shot exploit that demands a specialist. It is reliable, repeatable, and cheap to weaponize at scale. When a bug is both easy to trigger and consistent in outcome, it moves quickly from research curiosity to commodity tooling, which is precisely the trajectory we watched play out here between May disclosure and July exploitation.

Site Member Is All It Takes

The detail that should reshape your risk model is the privilege requirement. Exploitation does not need administrative rights or elevated access. An authenticated attacker with a minimum of Site Member permissions, the low-privilege PR:L level in CVSS terms, can leverage the flaw to execute code remotely on the SharePoint Server. Site Member is one of the most commonly granted roles in any collaboration environment. It is the permission you hand to contractors, to partners, to the intern who needs to upload documents. In many enterprises, thousands of accounts hold exactly this level of access, and every one of them is now a potential launch point for full server compromise.

This is why we keep telling teams that identity is the real attack surface, not just the network perimeter. If a single phished contractor credential with Site Member rights is enough to pivot to remote code execution on a server that often holds an organization's most sensitive documents, then password reuse, weak multi-factor coverage, and stale guest accounts stop being hygiene problems and become direct paths to ransomware. On-premises SharePoint tends to accumulate exactly this kind of permission sprawl over years of casual grants. The patch closes the RCE, but the underlying lesson is that low-privilege accounts deserve the same scrutiny you reserve for admins.

Storm-2603, Warlock, and Two Attackers in One Network

One set of attacks has been attributed to Storm-2603, a threat actor Microsoft has tracked deploying Warlock ransomware by exploiting known SharePoint vulnerabilities since mid-2025. This is not an opportunistic dabbler. Storm-2603's tradecraft in these incidents included using a separate critical flaw for initial access, deploying the Velociraptor forensic tool for their own ends, and establishing resilient remote access through Cloudflare tunneling, Zoho Assist, and SSH tunneled through Visual Studio Code. That is a mature playbook built for persistence and stealth, and it ends in encrypted file servers and a ransom demand rather than quiet espionage.

The most sobering finding came from Microsoft's incident responders, who discovered two unrelated threat actors operating simultaneously inside the same victim network. Microsoft noted that initial access was 'likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion,' and that 'together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion.' The company's blunt conclusion is one every CISO should internalize: 'What may appear to be a single ransomware incident can quickly expand into something more complex, spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel.'

What This Means for Enterprise SharePoint Owners

The affected products are the on-premises editions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft's cloud-hosted SharePoint Online is not in scope, which sharpens a strategic point we have made before. The organizations most exposed here are the ones still running self-managed SharePoint on their own infrastructure, carrying the full patching and hardening burden themselves. If your business kept SharePoint on-premises for data residency, customization, or cost reasons, this incident is the invoice for that decision arriving in the form of a three-day emergency patch cycle over Independence Day weekend.

The immediate action is unambiguous: apply the May 2026 security updates now if you have not, because that update is the fix. But patching is table stakes. Assume compromise if you ran an unpatched server past May, and hunt accordingly. Audit every account holding Site Member or higher, revoke stale external access, and enforce strong multi-factor authentication on all SharePoint identities. Review server logs for the local file inclusion probing Microsoft described, and for the remote access tooling Storm-2603 favors. Given that responders found two actors coexisting, finding one intruder is not evidence you have found them all.

The Real Takeaway: Rebuild Your Patch Triage Around KEV

The through-line of this episode is that vendor severity labels and CVSS scores are inputs to your prioritization, not the decision itself. A flaw Microsoft called 'exploitation less likely' became a CISA-mandated emergency inside two months. The most reliable signal of what attackers are actually doing is not the disclosure-day forecast but the KEV catalog, which reflects observed reality. We would argue that any mature vulnerability management program should treat a KEV addition as a hard escalation trigger that overrides the normal monthly cadence, regardless of the original vendor rating attached to the CVE.

Practically, that means wiring the KEV feed directly into your ticketing and change-management systems so a new entry automatically opens a high-priority remediation task with a service-level clock attached. It means having a pre-approved emergency change process so a holiday-weekend deadline does not require improvisation. And it means accepting that the window between disclosure and exploitation is compressing. Storm-2603 has been mining SharePoint flaws since mid-2025, and they will mine the next one too. The teams that survive these cycles are the ones that patched on the vendor's timeline, not on the attacker's.

Tagged#news#security#cybersecurity#cisa#ransomware#cve#sharepoint#microsoft