CISA has added Microsoft SharePoint Server CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, turning a May patch item into a July exploitation-driven priority for on-premises SharePoint teams.[1] The bug is a deserialization remote code execution flaw in Microsoft Office SharePoint that lets an authorized attacker execute code over the network.[2]
The timing matters. CISA’s catalog version `2026.07.01` lists the SharePoint entry with a July 1 addition date and a July 4 remediation due date for covered federal environments.[1] Microsoft’s advisory data originally marked the issue as not publicly disclosed and not exploited at release time, but the KEV listing means defenders should treat vulnerable exposed servers as active-risk assets rather than routine backlog patches.[3]
NVD rates CVE-2026-45659 as CVSS 8.8 High with network attack vector, low attack complexity, low privileges required, and no user interaction. The weakness is CWE-502, deserialization of untrusted data.[2] In plain terms, this is not an anonymous internet worm by the published scoring, but any attacker who can obtain low-level SharePoint access may be able to turn that access into code execution on the server.
What SharePoint admins should check now
The affected on-premises product lines are SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.[2] NVD’s current affected-version data lists builds below 16.0.5552.1002 for Enterprise Server 2016, below 16.0.10417.20128 for SharePoint Server 2019, and below 16.0.19725.20280 for Subscription Edition.[2] SharePoint Online is not the same on-premises server surface; the practical concern here is self-hosted SharePoint farms, especially those reachable from the internet or broad partner networks.
Start with inventory instead of assuming patch coverage. Confirm each farm’s product line and build, then compare it with the fixed thresholds above and Microsoft’s Security Update Guide entry.[3] If SharePoint is externally reachable, place those systems first. If it is internal-only, still review who has Site Member-level access: according to Microsoft’s description, as summarized by security reporting, the vulnerability requires authentication but not elevated administrator privileges.[4]
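One way to run that inventory comparison, as an added example that is not code from Microsoft, CISA or the original article: it compares each server's build numerically against the thresholds quoted above, sorts vulnerable and externally reachable servers first, and flags farms whose servers report different builds. The CSV columns, host names, farm names and sample builds are constructed assumptions.

```python
import csv
from collections import defaultdict

# Fixed-build thresholds quoted on this page; builds below them are affected.
FIXED_BUILDS = {
    "SharePoint Enterprise Server 2016": (16, 0, 5552, 1002),
    "SharePoint Server 2019": (16, 0, 10417, 20128),
    "SharePoint Server Subscription Edition": (16, 0, 19725, 20280),
}

# Constructed sample inventory: host names, farms and builds are made up.
SAMPLE_INVENTORY = """server,farm,product,build,external
sp19-app01,intranet,SharePoint Server 2019,16.0.10417.20128,no
sp19-web01,intranet,SharePoint Server 2019,16.0.10416.20050,no
sp16-web01,partner,SharePoint Enterprise Server 2016,16.0.5530.1000,yes
spse-web01,portal,SharePoint Server Subscription Edition,16.0.19725.20280,yes
sp19-old01,archive,SharePoint Server 2019,unknown,no
"""

def parse_build(text):
    """'16.0.10417.20128' -> (16, 0, 10417, 20128), so comparison is numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four build fields, got {text!r}")
    return parts

def triage(inventory_csv):
    """Tag each server VULNERABLE, UNKNOWN or PATCHED; most urgent first."""
    rows = list(csv.DictReader(inventory_csv.splitlines()))
    for row in rows:
        try:
            below = parse_build(row["build"]) < FIXED_BUILDS[row["product"].strip()]
            row["status"] = "VULNERABLE" if below else "PATCHED"
        except (ValueError, KeyError):  # unparsable build or unlisted product
            row["status"] = "UNKNOWN"   # not proven patched: check by hand
    rank = {"VULNERABLE": 0, "UNKNOWN": 1, "PATCHED": 2}
    rows.sort(key=lambda r: (rank[r["status"]], r["external"].strip().lower() != "yes"))
    return rows

def mixed_build_farms(inventory_csv):
    """Farms whose servers do not all report the same build."""
    builds = defaultdict(set)
    for row in csv.DictReader(inventory_csv.splitlines()):
        builds[row["farm"]].add(row["build"].strip())
    return sorted(farm for farm, seen in builds.items() if len(seen) > 1)

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(r["status"], "external=" + r["external"], r["server"], r["build"])
    print("mixed-build farms:", mixed_build_farms(SAMPLE_INVENTORY))
```

A server whose build cannot be parsed, or whose product line is not in the table, is reported as UNKNOWN rather than PATCHED, so missing inventory data never counts as patch coverage.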
For quick triage, review recent SharePoint authentication activity, newly created or modified site members, unexpected application pool or web service behavior, and suspicious child processes from SharePoint worker processes. Also check for unusual uploads, scripted requests to SharePoint endpoints, recent permission changes, and outbound connections from SharePoint servers. CISA’s required action also points defenders toward vendor mitigations, exposure evaluation, and forensic triage expectations for KEV items.[1]
This is the same class of enterprise-server risk that has repeatedly made Microsoft collaboration platforms attractive targets: attackers need one foothold, then they look for a way to convert it into server-side execution or credential access. howtofix.guide has previously covered SharePoint abuse in a UN SharePoint intrusion story, Microsoft server exploitation in an Exchange OWA XSS exploitation alert, and recent Microsoft-account attack pressure in the Azure CLI password-spray campaign.
Organizations that cannot patch immediately should at minimum reduce exposure, restrict SharePoint access to trusted networks, audit low-privilege site membership, and watch for post-authentication activity that does not match normal collaboration workflows. The safer path is to apply the relevant Microsoft update, verify the build on every server in the farm, and keep the farm under closer monitoring through the KEV deadline window.
References
[1] CISA Known Exploited Vulnerabilities Catalog, CVE-2026-45659 entry, catalog version 2026.07.01.
[2] NVD, “CVE-2026-45659 Detail,” updated July 1, 2026.
[3] Microsoft Security Response Center, “CVE-2026-45659: Microsoft SharePoint Remote Code Execution Vulnerability.”
[4] The Hacker News, “Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions,” May 26, 2026.