CISA Microsoft SharePoint RCE flaw (CVE-2026-45659) Actively Exploited

How an Omitted SharePoint Patch Left Enterprises Exposed to RCE

The addition of CVE-2026-45659, a high-severity remote code execution flaw in Microsoft SharePoint, to CISA's Known Exploited Vulnerabilities (KEV) catalog on Wednesday, July 1, 2026, means CISA has evidence of in-the-wild exploitation, not a theoretical risk. The catalog is published as a web page and as JSON and CSV feeds, so organizations can watch it by hand or wire it into their vulnerability management tooling.

Microsoft issued an out-of-band patch in late May 2026. Organizations that rely exclusively on the official monthly bulletins likely missed it. That delay and communication gap is precisely the window threat actors use for initial access, turning a known, patchable flaw into a widespread compromise vector.

The SharePoint RCE: What Actually Happened

CVE-2026-45659 entered the KEV catalog because CISA observed active exploitation. The underlying bug is a deserialization flaw with a high CVSS score that lets an authenticated attacker execute arbitrary code on a vulnerable SharePoint server. What makes it dangerous is how little it demands of the attacker.

Exploitation requires only Site Member permissions, the level ordinary site collaborators typically hold; no elevated privileges or unusual configuration are needed. Microsoft's initial Exploitability Index rating of "Exploitation Less Likely" proved wrong, as the KEV listing shows. The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016. Under Binding Operational Directive 22-01, federal civilian agencies must remediate by Saturday, July 4, 2026, a deadline that underscores the urgency.

How a Deserialization Bug Becomes Remote Code

CVE-2026-45659 stems from a deserialization vulnerability, a common class of bug in which an application reconstructs objects from serialized data it received from an untrusted source. An attacker who controls those bytes does not upload "code" in the usual sense: they choose which types the deserializer instantiates and what their fields contain. A chain of otherwise-legitimate types (a gadget chain) whose constructors, property setters, or callbacks have side effects then runs attacker-chosen logic during object reconstruction, ending in remote code execution. This is the core mechanism behind the flaw.

In the case of CVE-2026-45659, an attacker holding Site Member access crafts such a payload and sends it to the SharePoint server through a request path the application legitimately accepts. The server deserializes the input, the gadget chain fires, and the attacker gains code execution in the context of the SharePoint web application. The step is easy to script and repeat, and needs no prior knowledge of the target's internals.

Although a patch exists, this is an actively exploited N-day: every unpatched server is reachable with a known technique. The barrier to entry is low because gadget chains for the common .NET serializers are public and tooling generates them; an attacker needs working knowledge, not deep expertise in SharePoint internals, to produce a payload that triggers the flaw.
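The mechanism described above, as an added example that is not part of the original article: the .NET gadget chains used against SharePoint cannot be reproduced here, so the same failure is shown with Python's pickle, whose loader likewise instantiates whatever callable the byte stream names. The class names, the eval-based payload and the allowlist are illustrative choices of this example, not details of CVE-2026-45659; the hardened loader shows the generic fix (an explicit allowlist of types the deserializer may resolve).

```python
# Added example (not from the article): deserialization that turns into
# code execution, and the allowlisting fix. Python's pickle stands in for
# the .NET serializer; the mechanism is the same, the gadget chains differ.
import io
import os
import pickle


class Document:
    """A legitimate object the application expects to receive (illustrative)."""

    def __init__(self, title: str, body: str) -> None:
        self.title = title
        self.body = body


class GadgetPayload:
    """Attacker-side helper: its pickled form names builtins.eval as the
    callable to invoke on load, with an attacker-chosen argument. The
    class itself never exists on the target; only the bytes travel."""

    def __reduce__(self):
        # Any importable callable works. eval is used so the effect is
        # observable as a return value: the *victim's* process id.
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    return pickle.dumps(GadgetPayload(), protocol=4)


def vulnerable_load(blob: bytes):
    """What the flawed endpoint does: trust the stream completely."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: resolve only an explicit allowlist of (module,
    class) pairs. builtins.eval, os.system and every other gadget are
    refused before anything is instantiated."""

    ALLOWED = {(Document.__module__, "Document")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    legit = pickle.dumps(Document("Q3 contract", "..."), protocol=4)
    payload = build_payload()

    # 1. The vulnerable loader executes the attacker's expression inside
    #    the server process: the result equals this process's own PID.
    ran_in_victim = vulnerable_load(payload) == os.getpid()

    # 2. The hardened loader still round-trips the legitimate object...
    title = hardened_load(legit).title

    # 3. ...and rejects the gadget before any code runs.
    try:
        hardened_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"ran_in_victim": ran_in_victim, "title": title, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The point to carry back to .NET is the shape of the fix, not the library: the allowlist lives in the loader (a SerializationBinder or equivalent), it names concrete types rather than blocking known-bad ones, and it rejects before any constructor runs. Denylisting gadgets one by one is what produces the next CVE.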

Figure 1: Conceptual diagram illustrating the flow of a malicious deserialization payload leading to remote code execution on a SharePoint server.

The Real Impact: Understanding the Severity

SharePoint environments are high-value targets. They house contracts, internal documents, intellectual property, and sensitive employee data. An RCE on SharePoint isn't just a server compromise; it's a direct pathway to critical business assets. Post-exploitation, an attacker can establish persistence, deploy webshells, move laterally across the network, and exfiltrate data. The potential for data breach and operational disruption from this SharePoint RCE flaw is immense.

Large enterprises often rely on scheduled monthly updates, missing out-of-band releases unless a major public alert is issued. Such delays can leave entire environments exposed for weeks, even months, making them prime targets for exploitation of this kind of SharePoint RCE flaw.

The ease of exploitation and potential for persistent access are key concerns. SharePoint is a consistent target, and an RCE with minimal privilege requirements represents a significant threat. The challenge extends beyond simply applying patches; it involves maintaining visibility into *which* patches are truly critical and understanding the full scope of a SharePoint RCE flaw.

Addressing the Vulnerability: Lessons for Enterprise Security

Microsoft released the patch in May 2026, and CISA has directed organizations to patch affected SharePoint servers without delay, including the Subscription Edition, Server 2019, and Server 2016 variants. Addressing this specific SharePoint RCE flaw is an immediate priority for all affected organizations.

This incident, however, points to a broader challenge in enterprise patch management. Relying solely on vendor bulletins, especially for out-of-band updates, can leave gaps in an organization's security posture. Effective defense requires a strategy that accounts for the nuances of out-of-band updates and active exploitation, particularly for a critical SharePoint RCE flaw.

This incident underscores the necessity of proactive vulnerability scanning. Organizations must move beyond passively awaiting vendor advisories, actively auditing their environments for known vulnerabilities. Supplementing vendor feeds with independent threat intelligence from sources like CISA's KEV catalog, security researchers, and specialized platforms provides a more complete, real-time picture of emerging threats.

The rapid addition of this flaw to the KEV catalog highlights how quickly the picture changes. Enterprises should integrate real-time threat intelligence feeds, not just CISA's, but also those of industry-specific ISACs (Information Sharing and Analysis Centers) and reputable security vendors. A multi-source approach raises the odds that even obscure or rapidly emerging threats, like this deserialization vulnerability, are identified and prioritized for remediation before they lead to a full compromise. Understanding the attacker's perspective and the common exploitation techniques against SharePoint is equally important for building resilient defenses.
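One way to act on the KEV feed rather than merely read it, as an added example that is not part of the original article: reconcile the feed against an asset inventory and sort by CISA's due date, so an out-of-band fix that never appeared in a monthly bulletin still surfaces with a deadline attached. The KEV entry below is constructed from the dates and product named in the article, the inventory hosts are invented for the example, and the feed URL in the comment is the real one; only the structure of the JSON follows the published schema.

```python
# Added example (not from the article): reconciling CISA's KEV feed with an
# asset inventory so out-of-band fixes are prioritised by CISA's due date.
# The KEV entry and inventory below are constructed; the real feed is
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
import json
from datetime import date

# Constructed excerpt in the KEV JSON layout (only the fields used here).
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-45659",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "dateAdded": "2026-07-01",
            "dueDate": "2026-07-04",
        }
    ]
})

# Constructed inventory: product names as a CMDB would hold them, plus the
# CVEs each host's current build is recorded as remediating.
INVENTORY = [
    {"host": "sp-app-01", "vendor": "Microsoft",
     "product": "SharePoint Server 2019", "remediated": set()},
    {"host": "sp-app-02", "vendor": "Microsoft",
     "product": "SharePoint Server Subscription Edition",
     "remediated": {"CVE-2026-45659"}},
    {"host": "mail-01", "vendor": "Microsoft",
     "product": "Exchange Server 2019", "remediated": set()},
]


def load_kev(raw: str) -> list:
    return json.loads(raw)["vulnerabilities"]


def product_matches(entry: dict, asset: dict) -> bool:
    # KEV names the product family; inventories carry the edition. Match on
    # vendor plus family prefix. Coarse on purpose: a false positive costs
    # a check, a false negative costs an unpatched server.
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower().startswith(entry["product"].lower()))


def exposed_assets(kev: list, inventory: list, today: date) -> list:
    """Hosts matching a KEV product that do not record the CVE as fixed,
    ordered by CISA due date so the nearest deadline comes first."""
    findings = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not product_matches(entry, asset):
                continue
            if entry["cveID"] in asset["remediated"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


def report(today_iso: str) -> list:
    """Entry point over the constructed feed and inventory."""
    return exposed_assets(load_kev(KEV_JSON), INVENTORY,
                          date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in report("2026-07-02"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:10} {f['cve']} due {f['due']} ({flag})")
```

In production the "remediated" set comes from the installed build number compared against the vendor's fixed-build table, not from a hand-maintained list; the prefix match is deliberately loose so a new edition name does not silently drop a server out of scope.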

A robust, repeatable patch management process is critical for identifying, testing, and deploying all updates, particularly out-of-band releases like the one for CVE-2026-45659. Furthermore, foundational security controls such as network segmentation can significantly limit the blast radius of a SharePoint RCE, preventing lateral movement to other critical systems even if initial compromise occurs.

Beyond these immediate steps, a comprehensive, layered security strategy is paramount. This includes implementing Web Application Firewalls (WAFs) to detect and block malicious payloads targeting SharePoint, employing Endpoint Detection and Response (EDR) solutions on servers to identify suspicious activity, and regularly conducting penetration testing to uncover potential weaknesses before attackers do. The goal is to create multiple hurdles for an attacker, making the exploitation of a SharePoint RCE flaw significantly more difficult and detectable, even if an initial vulnerability is present.

Beyond patching, continuous monitoring for post-exploitation activity—including webshells, unusual process execution, or suspicious network connections on SharePoint servers—remains a vital defense layer against already exploited N-day vulnerabilities.
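The webshell check mentioned above, worked through as an added example that is not part of the original article: SharePoint serves pages from the IIS LAYOUTS virtual directory, so a page under /_layouts/ that is not in a baseline taken from a clean server is something someone added after deployment. The log lines, client addresses and the page name helper0.aspx are constructed for this example; the baseline set is likewise illustrative and would be generated from a known-good installation.

```python
# Added example (not from the article): hunting for webshell activity in
# IIS W3C logs from a SharePoint front end. The log lines, the client
# addresses and the page name helper0.aspx are constructed; the baseline
# would come from a clean install's LAYOUTS folder.
from collections import Counter

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-06-30 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 31
2026-06-30 02:15:11 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) 200 120
2026-06-30 02:16:45 10.0.0.5 POST /_layouts/15/helper0.aspx - 443 - 203.0.113.7 python-requests/2.31.0 200 15
2026-06-30 02:16:46 10.0.0.5 POST /_layouts/15/helper0.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.31.0 200 22
2026-06-30 02:16:49 10.0.0.5 GET /_layouts/15/helper0.aspx - 443 - 203.0.113.7 python-requests/2.31.0 200 9
2026-06-30 02:20:03 10.0.0.5 GET /_layouts/15/settings.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 40
"""

# Pages that legitimately exist under /_layouts/15/ on the farm. In
# practice: enumerate *.aspx in the TEMPLATE\LAYOUTS folder of a known-
# good server and store that list; anything served that is not in it is
# a file someone added after deployment.
BASELINE_LAYOUT_PAGES = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/upload.aspx",
    "/_layouts/15/settings.aspx",
}


def parse_iis_w3c(text: str):
    """Yield one dict per request, keyed by the names in the #Fields line,
    so the parser survives a customised field order."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_layout_shells(records, baseline):
    """Flag .aspx requests under /_layouts/ that hit a page outside the
    baseline, and annotate why each one looks like shell traffic."""
    findings, per_client = [], Counter()
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if "/_layouts/" not in stem or not stem.endswith(".aspx"):
            continue
        if stem in baseline:
            continue
        reasons = ["page not in baseline"]
        if r["cs-method"] == "POST" and r["sc-status"] == "200":
            reasons.append("POST accepted")          # command or upload
        if r["cs-username"] == "-":
            reasons.append("no authenticated user")  # shells skip auth
        if r["cs-uri-query"] != "-":
            reasons.append("query " + r["cs-uri-query"])
        findings.append({
            "when": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "path": r["cs-uri-stem"],
            "agent": r["cs(User-Agent)"],
            "reasons": reasons,
        })
        per_client[r["c-ip"]] += 1
    return findings, per_client


def run_hunt(log_text: str = SAMPLE_LOG):
    return hunt_layout_shells(parse_iis_w3c(log_text), BASELINE_LAYOUT_PAGES)


if __name__ == "__main__":
    findings, per_client = run_hunt()
    for f in findings:
        print(f"{f['when']} {f['client']:15} {f['path']}  [{', '.join(f['reasons'])}]")
    print("hits per client:", dict(per_client))
```

This only sees shells that are served as pages under /_layouts/. It does not see a shell dropped in another virtual directory or anything that never touches a file, which is why the complementary check is on the host side: the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe is the "unusual process execution" the paragraph above refers to, and an EDR rule on that parent-child pair catches what the web log cannot.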

Figure 2: Timeline of CVE-2026-45659, from patch release to CISA KEV listing and federal agency deadline.

The gap between Microsoft's initial "Exploitation Less Likely" rating and CISA's KEV listing shows how unreliable exploitability predictions can be, and why organizations should not treat a vendor's assessment as final. A patch only protects if the people responsible know it exists and that it matters, so clear, timely communication is as important as the fix itself. Attackers consistently pick the easiest path; a high-severity RCE with low privilege requirements that was initially under-rated is exactly that.

Ultimately, the SharePoint RCE flaw serves as a stark reminder that security is an ongoing process, not a one-time fix. Proactive threat hunting, continuous vulnerability management, and a culture of security awareness are essential to protect high-value assets like SharePoint environments from sophisticated and rapidly evolving threats. The lessons from CVE-2026-45659 are clear: assume compromise, verify everything, and prioritize out-of-band patches for critical vulnerabilities, especially those flagged by CISA as actively exploited.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.