CVE-2026-45659: 4 Things to Know About the SharePoint RCE on CISA KEV
1. What the vulnerability actually is
CVE-2026-45659 is a deserialization vulnerability in Microsoft SharePoint Server with a CVSS score of 8.8. SharePoint fails to properly validate untrusted data during deserialization, so an authenticated attacker can execute arbitrary code on the server over the network, with no user interaction and no administrator privileges required. Attack complexity is rated Low: exploitation does not depend on conditions outside the attacker's control, so once a working payload exists the exploit succeeds repeatably against unpatched servers.
Affected versions: SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. One important administrative note: Microsoft inadvertently omitted CVE-2026-45659 from its May 2026 Security Updates release notes and only corrected the advisory on May 27. Organisations that reviewed May’s patches and saw no SharePoint CVE may have deprioritised the update. That oversight is now the gap active exploitation is moving through.
2. What an attacker needs to exploit it
The authentication requirement is the key constraint and it is a low bar in practice. An attacker needs a minimum of Site Member permissions, the default access level for most employees in enterprise SharePoint deployments. The realistic attack chain: obtain valid SharePoint credentials through phishing, an infostealer infection or credential stuffing against previously leaked passwords, authenticate at Site Member level, submit a crafted deserialization payload and achieve remote code execution on the server.
Post-exploitation from a SharePoint server typically involves webshell deployment for persistent access, lateral movement across the corporate network, document and configuration exfiltration and, in ransomware campaigns, data staging before encryption. SharePoint sits at the centre of enterprise document management and is often internet-accessible, which is precisely why it is a recurring target for initial access brokers and ransomware operators.
3. Why CISA is flagging it six weeks after the patch
CISA does not add vulnerabilities to the KEV catalog speculatively. A KEV addition confirms verified evidence of active exploitation in the wild. The timing tells its own story: when the May patch shipped, Microsoft's Exploitability Index rated CVE-2026-45659 "Exploitation Less Likely". That assessment has been overtaken by confirmed in-the-wild exploitation, a pattern that has repeated across SharePoint vulnerabilities throughout 2026.
This is the third SharePoint vulnerability confirmed actively exploited this year. CVE-2026-20963 was added to the CISA KEV on March 18 after confirmed exploitation, and that one required no authentication at all. CVE-2026-32201, a spoofing vulnerability, was confirmed exploited in May. The pattern is consistent: SharePoint is being systematically targeted in 2026, and the time between patch release and confirmed exploitation has collapsed.
4. What to do right now
- Apply the May 2026 SharePoint update immediately if you have not already. Verify your build numbers in SharePoint Central Administration: SharePoint Server 2019 should be at build 16.0.10416.20004 or later, SharePoint Enterprise Server 2016 at build 16.0.5552.1002 or later. Note that the build shown in Central Administration is the farm configuration database version, which only advances after the SharePoint Products Configuration Wizard (PSConfig) has run following the update; installing the package alone does not complete the patch.
- Audit Site Member permissions across your SharePoint environment. Review whether contractor accounts, service accounts and legacy accounts have been appropriately scoped or deprovisioned; every one of them is a potential exploitation entry point, as is any grant of Contribute-level rights to Everyone or All Authenticated Users.
- Hunt for indicators of compromise even if you have patched. Active exploitation was occurring before today’s CISA confirmation. Look for webshells, suspicious scheduled tasks, unknown services and unauthorised file modifications on SharePoint server file systems.
- Review credential exposure for accounts with SharePoint access. Given that exploitation requires valid credentials, any employee credentials circulating on dark web markets or infostealer log repositories represent a direct attack path against this vulnerability.
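As an added example (not from the original article or from CybelAngel), the first three checks above as one PowerShell triage script to run in an elevated SharePoint Management Shell on each server in the farm. It compares the farm build against the minimum builds quoted above, lists who holds Site Member rights (and any Everyone / All Authenticated Users grants, which make the authentication requirement meaningless), and hunts the web roots, scheduled tasks and services for recent changes. Assumed, not from the page: the 60-day look-back window, the account-name fragments used to raise REVIEW flags, the default IIS and LAYOUTS paths, and the "binary outside Windows or Program Files" service heuristic.

```powershell
<#
  Added triage script for CVE-2026-45659; not from the original article or CybelAngel.
  Run in an elevated SharePoint Management Shell on each SharePoint server.
  ASSUMPTIONS (not from the page): the look-back window, the account-name patterns
  used for REVIEW flags, and the path heuristics for webshells and services.
#>
param(
    [ValidateSet('2016', '2019')][string]$Product = '2019',
    [datetime]$Since = (Get-Date).AddDays(-60)   # ASSUMPTION: roughly six weeks since the May update
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Minimum patched builds quoted in the article (no Subscription Edition build is listed there).
$MinBuild = @{
    '2016' = [version]'16.0.5552.1002'
    '2019' = [version]'16.0.10416.20004'
}
# Claims identities that turn "Site Member" into "anyone with any valid account".
$BroadClaims = @('c:0(.s|true', 'c:0!.s|windows')   # Everyone; All Authenticated Users

function Test-SPBuild {
    param([string]$Product)
    # BuildVersion is the configuration database version shown in Central Administration.
    # It only advances after PSConfig has run, so "installed but not upgraded" still fails here.
    $current = (Get-SPFarm).BuildVersion
    [pscustomobject]@{
        Product = "SharePoint Server $Product"
        Current = $current
        Minimum = $MinBuild[$Product]
        Patched = ($current -ge $MinBuild[$Product])
    }
}

function Get-SPMemberGrants {
    # ASSUMPTION: name fragments that often mean contractor, service or legacy accounts.
    param([string[]]$ReviewPattern = @('*svc*', '*contractor*', '*ext*', '*temp*', '*old*'))
    foreach ($site in (Get-SPWebApplication | Get-SPSite -Limit All)) {
        foreach ($web in $site.AllWebs) {
            if ($web.HasUniqueRoleAssignments) {
                # Direct grants to Everyone / All Authenticated Users, with the roles they carry
                foreach ($ra in $web.RoleAssignments) {
                    if ($BroadClaims -contains $ra.Member.LoginName) {
                        $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ','
                        [pscustomobject]@{ Web = $web.Url; Principal = $ra.Member.Name; Roles = $roles; Flag = 'BROAD' }
                    }
                }
                # Members of the default "<site> Members" group (Contribute rights)
                $group = $web.AssociatedMemberGroup
                if ($group) {
                    foreach ($u in $group.Users) {
                        $flag = if ($BroadClaims -contains $u.UserLogin) { 'BROAD' }
                                elseif ($ReviewPattern | Where-Object { $u.UserLogin -like $_ }) { 'REVIEW' }
                                else { '' }
                        [pscustomobject]@{ Web = $web.Url; Principal = $u.UserLogin; Roles = $group.Name; Flag = $flag }
                    }
                }
            }
            $web.Dispose()
        }
        $site.Dispose()
    }
}

function Find-SPWebshellCandidates {
    param([datetime]$Since)
    # ASSUMPTION: default IIS web roots and the shared LAYOUTS folder; add custom paths if used.
    $roots = @("$env:SystemDrive\inetpub\wwwroot\wss\VirtualDirectories",
               "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS")
    # Server-side script types a dropped webshell needs. The update itself also touches LAYOUTS,
    # so compare hits against a known-good server or the update's file list before acting.
    Get-ChildItem -Path $roots -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.svc -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Find-RecentPersistence {
    param([datetime]$Since)
    # Scheduled tasks registered in the window outside the Microsoft task tree
    Get-ScheduledTask |
        Where-Object { $_.Date -and [datetime]$_.Date -ge $Since -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskPath + $_.TaskName; Detail = "$($_.Author) $($_.Date)" } }
    # Services whose binary lives outside the Windows and Program Files trees (heuristic)
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike "*$env:SystemRoot*" -and $_.PathName -notlike '*Program Files*' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.StartName) $($_.PathName)" } }
}

Test-SPBuild -Product $Product | Format-List
Get-SPMemberGrants | Where-Object Flag | Format-Table -AutoSize
Find-SPWebshellCandidates -Since $Since | Format-Table -AutoSize
Find-RecentPersistence -Since $Since | Format-Table -AutoSize
```

A BROAD row means valid credentials of any kind satisfy the vulnerability's authentication requirement on that site, so treat it with the same urgency as an unpatched build. The file and persistence hunts are deliberately noisy; their value is in the diff against a server you trust, not in any single hit.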
Valid SharePoint credentials are the prerequisite for this attack. CybelAngel’s credential intelligence monitors dark web markets and infostealer log repositories for employee credentials before they are used in active intrusion attempts. CybelAngel’s Attack Surface Management platform monitors externally exposed SharePoint instances continuously, identifying unpatched versions before active exploitation reaches them.
