SharePoint RCE CVE-2026-45659: Active Exploits

SharePoint RCE CVE-2026-45659

SharePoint RCE CVE-2026-45659 is now under active exploitation, and the federal patch deadline set by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is July 4 — tomorrow. The CVSS 8.8 deserialization flaw lets any authenticated user with nothing more than baseline Site Member permissions run code remotely on the server. Shadowserver currently counts more than 10,000 SharePoint servers exposed to the internet with unknown patch status, and Microsoft’s own advisory trail is part of the problem.

What Happened

CVE-2026-45659 is a deserialization-of-untrusted-data vulnerability affecting Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft rates it CVSS 8.8 and confirms that any authenticated attacker — no administrator or elevated privileges required — can trigger it over the network. A user with only Site Member permissions is sufficient to achieve remote code execution.

The fix already shipped in the May 2026 Patch Tuesday cycle: KB5002863 (Subscription Edition, build 16.0.19725.20280), KB5002870 (Server 2019, build 16.0.10417.20128), and KB5002868 (Server 2016, build 16.0.5552.1002). The problem is that CVE-2026-45659 was inadvertently omitted from Microsoft’s original May advisory text, so organizations tracking patches by CVE reference — rather than by installing every cumulative update regardless of listed CVEs — had no signal to prioritize it.

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, confirming active exploitation and setting a Federal Civilian Executive Branch remediation deadline of July 4. Shadowserver’s internet-wide scan currently shows more than 10,000 SharePoint instances exposed online, with no visibility into how many have been secured against ongoing attacks.

Why It Matters

SharePoint is a default fixture in the vast majority of German Mittelstand IT environments, frequently running on-premises alongside Active Directory and Exchange, and just as frequently outside the patch-management spotlight reserved for internet-facing perimeter devices. The unusually low privilege bar — a standard internal Site Member account, not an administrator — means that a single phished or reused credential inside the organization is enough to reach full remote code execution on the SharePoint server, with everything that implies for lateral movement, document exfiltration, and further credential harvesting.

For NIS2-regulated entities, this incident is also a lesson about advisory completeness as a control gap in its own right. A vulnerability can be technically “patched” for weeks while remaining organizationally unpatched, simply because the fix wasn’t cross-referenced correctly at release. Patch-management processes that verify by CVE number rather than by cumulative update installation will miss cases exactly like this one.

What You Should Do Now

  1. Apply the correct cumulative update immediately: KB5002863 for Subscription Edition, KB5002870 for Server 2019, or KB5002868 for Server 2016, depending on your deployment.
  2. Verify your current build number against the patched builds (16.0.19725.20280 / 16.0.10417.20128 / 16.0.5552.1002) — do not rely on “May updates applied” as confirmation, since this CVE was missing from that month’s advisory.
  3. If you cannot patch within 24 hours, review and tighten Site Member group membership as an interim compensating control, since the exploit path requires only that permission level.
  4. Monitor SharePoint application pool (w3wp.exe) processes for unexpected child processes such as cmd.exe or powershell.exe, and review IIS/ULS logs for anomalous deserialization errors or crash patterns around the timeframe of the KEV addition.

If your organization tracks patch compliance by CVE list rather than by cumulative update version, treat that gap itself as a finding — this is unlikely to be the last vulnerability quietly omitted from an official advisory.

DIESEC Perspective

This is the same underlying pattern we’ve flagged in Splunk, Veeam, and PTC Windchill incidents this year: a vendor patch exists, but the process an organization uses to confirm “we are protected” doesn’t match the process the vendor used to communicate the fix. For SharePoint specifically, the low-privilege exploitation bar means the usual perimeter-first triage logic doesn’t apply — internal segmentation and identity hygiene matter just as much as patch timing here.

Not sure whether your SharePoint environment is still exposed to CVE-2026-45659? Contact DIESEC for a rapid patch verification and Site Member permissions review.

Sources: The Hacker News | BleepingComputer
Published: 2026-07-06 | Category: Vulnerabilities & Patches | ~4 min read