Jul 06, 2026 · 7 min read
SharePoint Flaw Microsoft Called Safe Is Now Under Attack
CISA added CVE-2026-45659, a CVSS 8.8 remote code execution flaw in on premises SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 1, 2026 — despite Microsoft's own advisory rating exploitation "less likely" when it patched the bug two months earlier.
Microsoft rated it "Exploitation Less Likely." CISA disagreed, and now every SharePoint admin who trusted that label is scrambling. On July 1, 2026, CISA added CVE-2026-45659, a CVSS 8.8 remote code execution flaw in on premises SharePoint Server, to its Known Exploited Vulnerabilities catalog after confirming attackers are already using it in the wild.
The gap between Microsoft's forecast and reality matters because patch prioritization decisions get made on exactly that kind of label. Teams triaging a stack of May patches likely pushed this one down the queue. Two months later, it's the thing actively getting exploited.
Key Takeaways
- CVE-2026-45659 is a CVSS 8.8 deserialization vulnerability (CWE-502) in on premises Microsoft SharePoint Server, patched by Microsoft in May 2026.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 1, 2026, confirming active in the wild exploitation despite Microsoft's original "Exploitation Less Likely" rating.
- Any authenticated attacker with only Site Member permissions, not admin or elevated access, can trigger remote code execution over the network.
- CISA set a Federal Civilian Executive Branch patch deadline of July 4, 2026, a date that has already passed as of this writing.
- Public reporting has not identified who is behind the exploitation or confirmed a link to any named ransomware operation.
What Is CVE-2026-45659?
CVE-2026-45659 is a remote code execution vulnerability caused by deserialization of untrusted data in on premises SharePoint Server. It carries a CVSS score of 8.8 and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, according to The Hacker News.
Deserialization bugs like this one, tracked under CWE-502, happen when an application takes untrusted input and converts it back into objects or code without validating what's inside first. In SharePoint's case, that means a request from an authenticated but low privilege user can end up executing arbitrary code on the server.
Microsoft shipped the fix in its May 2026 security updates. Oddly, the CVE was left out of Microsoft's initial patch Tuesday summary that month, a detail flagged by SOCRadar and one that likely contributed to how quietly this patch got deprioritized across affected organizations.
Why Did Microsoft Think Exploitation Was Unlikely?
Microsoft's own security advisory rated exploitation of CVE-2026-45659 as "Exploitation Less Likely," a standard label the company assigns based on internal analysis of how hard a bug is to weaponize. That rating turned out to be wrong. CISA's KEV addition on July 1 confirmed the opposite: attackers were already exploiting the flaw in production environments.
Vendor exploitability predictions are educated guesses made before a bug is public, and threat actors routinely prove those guesses wrong once they reverse engineer a patch. Security teams that use vendor severity labels as their sole patch prioritization signal are, in effect, outsourcing risk decisions to a forecast with a spotty track record. NVD's entry for CVE-2026-45659 documents the technical scoring, but the real lesson here is procedural: a CVSS 8.8 deserialization RCE in internet facing collaboration software should get patched fast regardless of what the "likelihood" field says.
Why Is Site Member Access Enough to Cause Damage?
Site Member is enough because SharePoint's permission model treats it as a routine, default level, not a privileged one. CISA's advisory notes that a network based attacker only needs authenticated access at the Site Member level, not Site Owner or Farm Administrator, to trigger remote code execution.
That is a meaningfully low bar. In most enterprise SharePoint deployments, Site Member is handed out broadly, often to every employee added to a project site, a department hub, or a shared document library. Unlike vulnerabilities that require admin credentials or a chain of privilege escalation steps, this one only needs an account that countless ordinary users already hold.
Who Is Exploiting It?
Nobody has publicly confirmed it yet. As of this writing, security researchers and CISA have not identified the threat actor or actors behind the active exploitation, nor has the activity been tied to a specific named ransomware group. SecurityWeek reported that the full exploitation chain, including how attackers are chaining the deserialization bug into follow on actions like web shell deployment or data exfiltration, also remains undisclosed.
SharePoint's most notorious 2025 incident, the "ToolShell" chain involving CVE-2025-49706 and CVE-2025-49704, was eventually linked to ransomware operators deploying Warlock ransomware on compromised servers, per Unit 42's threat brief. Attribution and impact details for CVE-2026-45659 may simply be lagging behind the initial KEV listing, the same pattern seen with ToolShell before the fuller picture emerged weeks later. SharePoint has also been abused outside pure RCE exploitation: a separate 2026 campaign used phishing emails that abused SharePoint file sharing links to steal energy sector credentials, a reminder that the platform draws sustained attacker interest across multiple attack styles, not just one bug at a time.
Why Does the July 4 Deadline Still Matter?
CISA's Binding Operational Directive process gave Federal Civilian Executive Branch agencies until July 4, 2026, to apply the SharePoint fix, a deadline that has already passed as of today. Federal agencies past the deadline still need to patch immediately and should assume they are behind adversaries who have had a working exploit since at least late June.
For private sector organizations, KEV deadlines are not legally binding, but they function as an authoritative signal. If CISA tells federal agencies to fix something within three days of a KEV listing, that reflects how urgently anyone running the affected software should move. Hospitals, universities, manufacturers, and any business running on premises SharePoint should read the July 4 date as a floor, not a federal only requirement.
Why Developers and Engineers Should Care
For engineering teams, this is a reminder that vendor risk ratings are inputs to a patch prioritization decision, not the decision itself. A CVSS 8.8 deserialization bug in internet facing collaboration infrastructure deserves urgent treatment on its technical merits, independent of whether Microsoft labels exploitation as likely or unlikely. Teams that build patch SLAs around CVSS score and exposure, rather than vendor exploitability commentary, would have already closed this one out before CISA's KEV listing forced the issue.
This also isn't an isolated incident. CVE-2026-45659 is at least the third actively exploited SharePoint vulnerability disclosed in 2026, following other actively exploited SharePoint bugs earlier in the year and Microsoft's broader run of monthly patch cycles addressing zero days across its stack. SharePoint sits at the center of document storage, intranet portals, and workflow automation for a huge share of enterprises, and it's frequently integrated tightly with Exchange and Outlook for notifications and document sharing. That integration means a compromised SharePoint server isn't just a document leak risk, it's a potential pivot point into the rest of an organization's Microsoft 365 environment. Engineering and IT teams already tracking Microsoft's patch Tuesday cadence should treat SharePoint as a recurring, not one time, area of exposure. The window between patch and attack keeps shrinking across vendors too: Adobe's maximum severity ColdFusion flaw was exploited within two hours of disclosure in early July.
What to Do Right Now
If your organization runs on premises SharePoint Server Subscription Edition, SharePoint Server 2019, or SharePoint Enterprise Server 2016, confirm the May 2026 security update is actually installed, don't assume it went through just because it shipped two months ago. Audit who holds Site Member permissions across your SharePoint farm and tighten access where it's broader than necessary; this bug turns a permission level most companies treat as harmless into a remote code execution vector. Review SharePoint server logs and endpoint detection tooling for anomalous process activity or unusual outbound connections, since public reporting hasn't yet detailed indicators of compromise. If patching isn't immediately possible, restrict external network access to SharePoint servers and monitor authentication logs for unusual Site Member level activity. Given how quickly Microsoft's "less likely" rating was proven wrong, treat any future SharePoint advisory, regardless of its exploitability label, as a patch now item rather than a patch eventually one.