SharePoint Deserialization RCE (CVE-2026-45659) Added to CISA's KEV Catalog

CISA confirmed active exploitation of a CVSS 8.8 deserialization flaw in on-prem SharePoint Server, exploitable by any authenticated user with minimal Site Member permissions.

Vulnerability Compliance

CISA has added CVE-2026-45659, a remote code execution vulnerability in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw, rated CVSS 8.8, stems from deserialization of untrusted data and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft shipped a fix in its May 2026 updates but did not publicly flag the issue at the time.

What makes this vulnerability practically dangerous is the low bar for exploitation: any authenticated attacker with a minimum of Site Member permissions can trigger it to execute code remotely — no administrative or elevated access required. Attack complexity is rated Low, meaning the exploit doesn’t require prior reconnaissance of the target environment and is repeatable once an attacker has a working payload. As of this writing, the identity and objectives of the actors exploiting it in the wild remain unconfirmed.

Because SharePoint Server commonly sits at the center of internal document sharing and collaboration, a low-privilege user account — including one obtained through routine phishing or credential reuse — is enough to pivot into full remote code execution on the server itself. Federal agencies were directed to remediate by July 4, 2026, but the same urgency applies to any organization running on-prem SharePoint.

If you operate on-prem SharePoint Server rather than SharePoint Online, verify the May 2026 security update is installed on every server in the farm, not just the ones patched by default policy. Review SharePoint authentication logs for unusual Site Member activity, unexpected process spawning from the SharePoint application pool, or outbound connections initiated by the SharePoint service account — all signs the flaw may already be in use against your environment.

Why it matters: Low privilege requirement plus low attack complexity is a bad combination — any authenticated Site Member is enough to trigger this. If you run on-prem SharePoint Server (Subscription Edition, 2019, or Enterprise 2016), confirm the May 2026 patch is actually installed, not just scheduled.

Read source →