>samit_hota
Back to advisories
SH-2026-083HighMitigated

CISA Adds Actively Exploited SharePoint RCE (CVE-2026-45659) to KEV Catalog

Samit Hota·
CVE ID
CVE-2026-45659
CVSS Score
N/A
Affected Products
Microsoft SharePoint Server
#news#sharepoint

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a significant warning by adding a high-severity vulnerability in Microsoft SharePoint Server, identified as CVE-2026-45659, to its Known Exploited Vulnerabilities (KEV) Catalog. This addition signifies that the vulnerability is not merely a theoretical risk but has been actively exploited in real-world attacks. Organizations worldwide relying on Microsoft SharePoint Server for collaboration and content management are urged to take immediate action to mitigate the risks associated with this flaw.

Technical Details

CVE-2026-45659 is categorized as a remote code execution (RCE) vulnerability with a CVSS score of 8.8, indicating its high severity. The root cause of this vulnerability stems from the deserialization of untrusted data. In essence, this means that SharePoint Server improperly handles data that it receives from external or untrusted sources, allowing an attacker to inject malicious code during the deserialization process. This malicious code can then be executed with the privileges of the SharePoint application, potentially leading to full compromise of the server. Microsoft had previously released a patch for this vulnerability during its May update cycle; however, the corresponding security bulletin detailing the flaw was not published until May 21, leaving defenders unaware of the critical risk for several weeks. This delay between patch availability and public disclosure created a window of opportunity for threat actors to exploit the unpatched vulnerability before organizations were fully aware of the threat.

Real-World Impact

The active exploitation of CVE-2026-45659 poses a substantial threat to organizations globally. A successful RCE attack on a SharePoint server can grant an attacker extensive control over the compromised system. This includes the ability to install malware, exfiltrate sensitive data stored within SharePoint, modify or delete content, or even establish persistent access to the broader corporate network. Given that SharePoint often houses critical business documents, intellectual property, and internal communications, the compromise of such a server could lead to severe data breaches, operational disruptions, and significant reputational damage. The fact that CISA has added this to its KEV catalog underscores the immediate and proven danger this vulnerability presents to both federal agencies and private sector organizations.

Threat Landscape

Microsoft SharePoint Server remains a highly attractive target for cyber attackers due to its pervasive use in enterprise environments and the valuable data it typically contains. RCE vulnerabilities are among the most critical types, as they directly enable attackers to gain control over systems. The delay in the public disclosure of the security bulletin for CVE-2026-45659 meant that threat actors had a head start in developing and deploying exploits before many organizations could react. This incident serves as a stark reminder that even patched vulnerabilities can remain a significant risk if the details and urgency of remediation are not immediately communicated. Attackers constantly monitor for new disclosures and promptly reverse-engineer patches to develop exploits, emphasizing the need for swift and comprehensive vulnerability management programs.

Remediation

Organizations must prioritize the immediate application of the security updates for CVE-2026-45659 if they have not already done so. It is crucial to ensure that all Microsoft SharePoint Server instances are fully patched to address this remote code execution vulnerability. For federal civilian executive branch (FCEB) agencies, CISA’s Binding Operational Directive (BOD) 26-04 mandates the rapid remediation of vulnerabilities listed in the KEV Catalog, especially for publicly exposed assets. While BOD 26-04 applies to federal agencies, CISA strongly encourages all organizations to adopt a risk-based vulnerability management approach and prioritize the patching of KEV catalog vulnerabilities. Beyond patching, organizations should conduct a thorough forensic analysis to determine if their SharePoint servers were compromised prior to applying the patch. This includes reviewing server logs, network traffic, and SharePoint audit trails for any indicators of compromise (IoCs) or unauthorized access. Implementing robust endpoint detection and response (EDR) solutions and network intrusion detection systems (NIDS) can aid in detecting and preventing exploitation attempts. Regular security audits and penetration testing of SharePoint deployments are also recommended to identify and address potential weaknesses proactively.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call