
Etairos.ai

Originally published at threat-intelligence.redeyesecurity.com

SharePoint RCE CVE-2026-45659 Hits CISA KEV as Attackers Exploit It in the Wild

TL;DR

  • what: CISA added SharePoint Server RCE CVE-2026-45659 to its KEV catalog after confirming active exploitation of a deserialization-of-untrusted-data flaw.
  • impact: Any authenticated user with just Site Member permissions can execute code remotely on the SharePoint Server, giving attackers a low-bar foothold on on-prem collaboration infrastructure.
  • fix: Apply Microsoft's May 2026 patch for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016; FCEB agencies must comply by July 4, 2026.
  • who: Any organization running on-premises SharePoint Server, especially internet-facing deployments with broad user membership.

CISA added Microsoft SharePoint Server flaw CVE-2026-45659 (CVSS 8.8) to its Known Exploited Vulnerabilities catalog on Wednesday, citing confirmed active exploitation. Federal Civilian Executive Branch agencies have until July 4, 2026 to patch. Everyone else running on-prem SharePoint should treat that deadline as their own.

The vulnerability is a remote code execution bug rooted in deserialization of untrusted data. Microsoft shipped the fix back in May 2026, but the KEV listing confirms attackers are now turning it against unpatched servers. If you deferred the May rollup, that window is closed.

Why the low privilege bar matters

Microsoft's advisory is blunt about the access requirement: any authenticated attacker can trigger this. No admin rights, no elevated privileges. A network-based attacker needs only Site Member permissions (PR:L) to execute code remotely on the SharePoint Server itself.

That is the detail IT managers should focus on. In most enterprises, Site Member is close to the default state for a large fraction of the workforce. Contractors, help-desk staff, and cross-team collaborators routinely hold it. Any one of those accounts, or a single set of phished credentials, becomes a path to code execution on a server that typically sits deep inside the network and holds sensitive documents.
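To see how large that population really is in your own farm, here is an added PowerShell audit (not part of the original post) that lists every principal holding Site Member or higher on each web with unique permissions, and flags grants that expand to every authenticated user. It assumes the SharePoint Management Shell on a farm server and the default role names (Full Control, Design, Edit, Contribute); the two claims-encoded special principals are the on-prem identifiers for "Everyone" and "All Authenticated Users".

```powershell
# Added example, not from the original post: enumerate who effectively holds
# Site Member or higher across the farm. Run in the SharePoint Management
# Shell as a farm administrator with access to every content database.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Claims-encoded principals that expand to every authenticated user
# ("Everyone" and "All Authenticated Users"). A domain group such as
# Domain Users has the same effect, which is why IsDomainGroup is flagged.
$broadPrincipals = @('c:0(.s|true', 'c:0!.s|windows')

function Test-BroadGrant($spUser) {
    $spUser.IsDomainGroup -or ($broadPrincipals -contains $spUser.LoginName)
}

# Role definitions at or above Site Member (default role names assumed).
$memberOrHigher = '^(Full Control|Design|Edit|Contribute)$'

$rows = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Webs that inherit permissions only repeat the parent's grants.
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                $roleNames = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                if (-not ($roleNames -match $memberOrHigher)) { continue }

                # Expand SharePoint groups (incl. the default Members group) to their users;
                # a direct grant is reported as-is.
                $isGroup    = $ra.Member -is [Microsoft.SharePoint.SPGroup]
                $via        = if ($isGroup) { $ra.Member.Name } else { 'direct' }
                $principals = if ($isGroup) { $ra.Member.Users } else { @($ra.Member) }

                foreach ($p in $principals) {
                    [pscustomobject]@{
                        Web       = $web.Url
                        Via       = $via
                        Roles     = ($roleNames -join ',')
                        Principal = $p.LoginName
                        Broad     = [bool](Test-BroadGrant $p)
                    }
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Full inventory for the access review, then the grants that matter most:
# any domain group or special principal here makes the whole population
# behind it an exploitation candidate for CVE-2026-45659.
$rows | Export-Csv -Path .\sitemember-audit.csv -NoTypeInformation
$rows | Where-Object { $_.Broad } | Format-Table Web, Via, Roles, Principal -AutoSize
"$(@($rows).Count) grants at Site Member or higher; $(@($rows | Where-Object { $_.Broad }).Count) are broad"
```

The CSV is the input for the access review the post recommends; the on-screen table is the short list of webs where a single phished credential from anywhere in the directory already meets the PR:L bar.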

⚠️ Microsoft's severity rating undersells the risk — Microsoft tagged CVE-2026-45659 as 'Exploitation Less Likely.' CISA's KEV addition proves that assessment wrong in practice. Do not use vendor exploitability scores to justify patch delays once a CVE lands on KEV.

Affected versions

The May 2026 update covers three supported editions. Confirm your build reflects the patched release before considering this closed.

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Enterprise Server 2016
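Patch-management dashboards report that an MSP was installed, not that the farm is serving patched code, so verify the build yourself. The following PowerShell check is an added example, not from the original post: it compares the farm build and each server's SharePoint binary against the patched build number. The post does not list build numbers, so `$patchedBuild` is a placeholder you fill from Microsoft's May 2026 update for your edition; the DLL path assumed is the standard 16-hive location used by 2016, 2019 and Subscription Edition.

```powershell
# Added example, not from the original post: confirm every SharePoint server
# in the farm is on the May 2026 patched build. Run in the SharePoint
# Management Shell as a farm administrator with remoting to each server.

# PLACEHOLDER: take the patched build number for your edition from
# Microsoft's May 2026 update KB; the post itself gives no build numbers.
$patchedBuild = [version]'0.0.0.0'
if ($patchedBuild -eq [version]'0.0.0.0') {
    throw 'Set $patchedBuild to the build number from the May 2026 update before running.'
}

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)  (farm NeedsUpgrade: $($farm.NeedsUpgrade))"

# The farm build only advances after the configuration wizard (PSConfig) has
# run. A server can have the MSPs installed but still serve unpatched code
# until then, and vice versa, so inspect the binary on every server too.
$dll = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'

# Role 'Invalid' marks non-SharePoint members of the farm such as the SQL server.
$report = foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    $fileVersion = Invoke-Command -ComputerName $server.Address -ErrorAction SilentlyContinue `
        -ScriptBlock { param($p) (Get-Item $p).VersionInfo.FileVersion } -ArgumentList $dll

    [pscustomobject]@{
        Server       = $server.Address
        Role         = $server.Role
        NeedsUpgrade = $server.NeedsUpgrade
        BinaryBuild  = $fileVersion
        # Patched only if the binary is at/after the fix AND PSConfig has completed.
        Patched      = [bool]($fileVersion -and ([version]$fileVersion -ge $patchedBuild) -and -not $server.NeedsUpgrade)
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Patched }) {
    Write-Warning 'At least one server is not confirmed on the patched build; do not close CVE-2026-45659 yet.'
}
```

A server showing the patched binary but `NeedsUpgrade = True` is the common half-finished state: the update is on disk, PSConfig has not run, and the farm is still exposed.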

SharePoint remains a magnet for ransomware crews

The KEV listing lands against a backdrop of sustained targeting of on-prem SharePoint. Late last month Microsoft disclosed that a routine ransomware investigation uncovered two unrelated threat actors operating inside the same network at once, each deliberately working to complicate incident response and mask the true scope of the intrusion.

One cluster was attributed to Storm-2603, an actor that has deployed Warlock ransomware by exploiting known on-prem SharePoint flaws since mid-2025. In that case initial access was likely attempted through a separate bug, with the attacker probing for local file inclusion via requests for win.ini and web.config, evidence pointing to CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox.

Post-access tradecraft is worth noting because it shows what follows an RCE foothold. Storm-2603 deployed Velociraptor to blend into trusted admin activity, opened multiple remote access channels through Cloudflare tunneling, Zoho Assist, and SSH configured via Visual Studio Code, and created new local and domain administrator accounts. A vulnerable driver, NSecKrnl.sys, was abused to tamper with endpoint protections and cut defender visibility.

Assume the intrusion is bigger than the first alert — Microsoft found a second, unrelated actor in the same environment using DLL side-loading and custom backdoors, and confirmed lateral movement into a second organization. As their IR team put it: isolated signals rarely tell the full story. Scope every SharePoint compromise beyond the initial host.

What to do now

  • Apply the May 2026 SharePoint update immediately if you have not; verify build numbers rather than trusting patch-management dashboards.
  • Treat the July 4 FCEB deadline as your own hard cutoff regardless of sector.
  • Audit Site Member and higher grants; strip standing access from accounts that do not need it and reduce your PR:L exploitation surface.
  • Hunt for the Storm-2603 markers: rogue local/domain admin accounts, Velociraptor, Cloudflare tunnels, Zoho Assist, SSH-over-VS-Code, and the NSecKrnl.sys driver.
  • Restrict internet exposure of SharePoint where possible and put it behind authentication proxies or VPN.
  • If you find one intruder, scope for a second and check adjacent organizations you trust or connect to.
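As an added example (not from the original post), the sweep below checks a single SharePoint server for the Storm-2603 markers named in the list: unexpected administrators, recently created accounts, Velociraptor, cloudflared, Zoho Assist, SSH and VS Code processes or services, and the NSecKrnl.sys driver. It runs in an elevated Windows PowerShell 5.1 session; the approved-administrator list is a constructed placeholder, and the process and service name patterns are heuristics to be tuned to your estate.

```powershell
# Added example, not from the original post: first-pass hunt for the
# Storm-2603 post-exploitation markers on one SharePoint server.
# Run elevated; every hit is a lead to triage, not proof of compromise.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Marker, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Marker = $Marker; Detail = $Detail })
}

# 1. Rogue local/domain admin accounts. The approved list is a constructed
#    placeholder; replace it with the accounts you actually expect here.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\SP-Farm-Admins', 'CONTOSO\Domain Admins')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $approvedAdmins -notcontains $_.Name } |
    ForEach-Object { Add-Finding 'Unexpected local admin' "$($_.Name) source=$($_.PrincipalSource)" }

# Security event 4720 = "A user account was created"; Properties[0] is the
# new account's name. Covers accounts created locally in the last 30 days.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-30) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Account created (4720)' "$($_.TimeCreated) $($_.Properties[0].Value)" }

# 2. Remote-access and collection tooling the actor used to blend in:
#    Velociraptor, Cloudflare tunnels (cloudflared), Zoho Assist,
#    SSH and VS Code (Remote-SSH / code-tunnel) on a server.
$toolPattern = 'velociraptor|cloudflared|zoho|\bsshd?\b|code-tunnel|\\code\.exe'
Get-Service | Where-Object { "$($_.Name) $($_.DisplayName)" -match $toolPattern } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) [$($_.Status)] $($_.DisplayName)" }
Get-Process -ErrorAction SilentlyContinue | Where-Object { "$($_.ProcessName) $($_.Path)" -match $toolPattern } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) pid=$($_.Id) $($_.Path)" }

# 3. The vulnerable driver abused to tamper with endpoint protection.
#    Check registered kernel drivers and the drivers folder; a stopped or
#    unloaded copy is still a finding.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match 'NSecKrnl' -or $_.PathName -match 'NSecKrnl' } |
    ForEach-Object { Add-Finding 'Driver' "$($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)" }
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'NSecKrnl*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Driver file' "$($_.FullName) modified=$($_.LastWriteTime)" }

# Results: one line per lead, grouped by marker type.
if ($findings.Count -eq 0) {
    'No Storm-2603 markers found on this host; check the other farm servers and adjacent systems before drawing conclusions.'
} else {
    $findings | Sort-Object Marker | Format-Table -AutoSize -Wrap
    $findings | Export-Csv -Path ".\hunt-$env:COMPUTERNAME.csv" -NoTypeInformation
}
```

Run it on every SharePoint server in the farm, not just the one that raised the alert, and keep the per-host CSVs together: the post's point about a second actor is that the picture only emerges when the hosts are compared.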

The pattern here is familiar and getting worse: a mid-severity vendor rating, a quiet patch, then confirmed exploitation once defenders assume the risk is theoretical. On-prem SharePoint keeps proving to be high-value, network-adjacent, and under-patched. CVE-2026-45659 is your prompt to close that gap before a ransomware crew does it for you.


Originally published on RedEye Threat Intelligence.
