CVE-2026-45659 is a remote code execution flaw in on-premises Microsoft SharePoint Server caused by unsafe deserialization of untrusted data, rated CVSS 8.8. Any authenticated user with only low ("Site Member") privileges can send a crafted request over the network and run code on the underlying server. Microsoft shipped the fix in its May 2026 security updates and initially assessed the bug as "Exploitation Less Likely", but on July 1, 2026 CISA added it to the Known Exploited Vulnerabilities (KEV) catalog after confirming real-world attacks, giving federal agencies until July 4, 2026 to patch. At least one attack cluster has been attributed to Storm-2603, a group known for deploying Warlock ransomware against unpatched SharePoint. If you run SharePoint on-prem and have not applied the May 2026 update, treat this as urgent.
What the Vulnerability Is
The flaw is a classic .NET deserialization weakness (CWE-502): SharePoint accepts serialized data from a request and reconstructs objects from it without properly validating their integrity. When an application deserializes attacker-controlled data, a carefully crafted payload can force the runtime to instantiate objects and invoke methods the developer never intended — a well-worn path to code execution on the server.
What makes CVE-2026-45659 dangerous is the low bar to reach the vulnerable code. Microsoft’s advisory notes the attacker only needs to be authenticated as a low-privileged Site Member — not an administrator. On a typical SharePoint deployment, that is a very large population of potential attackers: any user who can be granted membership to a site. Combined with a network attack vector and low attack complexity, a single crafted HTTP request is enough to turn a foothold into full server compromise.
Microsoft's own exploitability assessment originally tagged this "Exploitation Less Likely." That prediction did not hold: independent detections of exploitation in the wild led CISA to add the CVE to KEV on July 1, 2026.
Why It Matters
- Active exploitation, confirmed by CISA. This is no longer theoretical — the KEV listing means attacks are happening now.
- Ransomware in the mix. Storm-2603 has a track record of chaining SharePoint bugs into Warlock ransomware deployments. A single unpatched server can become the entry point for encrypting an entire environment.
- Low privilege needed. Any authenticated Site Member can trigger it. In large organizations, low-tier accounts are easy to obtain or compromise.
- SharePoint sits on sensitive data. These servers hold internal documents, credentials, and integrations with the rest of the Microsoft stack — an ideal pivot point.
- On-prem only, but that’s where the risk concentrates. SharePoint Online / Microsoft 365 is not affected; the exposure is the self-managed footprint that organizations must patch themselves.
Am I Affected?
You are exposed if all of the following are true:
- You run on-premises Microsoft SharePoint Server — specifically Subscription Edition, Server 2019, or Enterprise Server 2016.
- The server has not received the May 2026 security update (or any later cumulative update that supersedes it).
- Users other than administrators can authenticate to at least one site (the normal case).
SharePoint Online (part of Microsoft 365) is not affected — this is strictly an on-premises issue. If you are unsure of your patch level, check the installed cumulative/security update against Microsoft’s May 2026 SharePoint advisory for CVE-2026-45659.
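The patch-level check above is easy to get wrong on a multi-server farm because the farm build number stored in the configuration database only moves once PSConfig has run, while the binaries on each server move as soon as the update is installed. The following script is an added example (not from the original page or from Microsoft) that reports both: it reads the farm build and then reads the file version of Microsoft.SharePoint.dll on every farm server over WinRM. The patched build number is a placeholder assumption, since the page does not state it; replace it with the build listed in Microsoft's May 2026 advisory for your edition. It assumes an elevated SharePoint Management Shell on a farm server and PowerShell remoting to the other servers.

```powershell
# Added example, not the page's or Microsoft's own code. Run from an elevated
# SharePoint Management Shell on one server of the farm.
param(
    # ASSUMPTION: placeholder. Replace with the build number from Microsoft's
    # May 2026 advisory for CVE-2026-45659 for your edition (2016/2019/SE).
    [version]$PatchedBuild = [version]'16.0.0.0'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm-level build: reflects the config database, i.e. whether PSConfig completed.
$farm = Get-SPFarm
Write-Host "Farm config DB build: $($farm.BuildVersion)"

# Per-server binary build: reflects whether the update itself is installed there.
# All supported editions (2016, 2019, Subscription Edition) use the "16" hive.
$dllRelative = 'Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }   # 'Invalid' = SQL/non-SharePoint hosts

$report = foreach ($s in $servers) {
    # ASSUMPTION: WinRM is enabled and the current account is a local admin on each server.
    $binary = Invoke-Command -ComputerName $s.Address -ArgumentList $dllRelative -ScriptBlock {
        param($rel)
        $path = Join-Path ${env:CommonProgramFiles} $rel
        if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'not found' }
    }
    [pscustomobject]@{
        Server      = $s.Address
        Role        = $s.Role
        BinaryBuild = $binary
        Patched     = ($binary -ne 'not found') -and ([version]$binary -ge $PatchedBuild)
    }
}

$report | Format-Table -AutoSize

# A single server below the patched build keeps the whole farm exposed.
if ($report.Patched -contains $false) {
    Write-Warning 'At least one farm server is below the expected build; the farm is still exposed.'
}
if ($farm.BuildVersion -lt $PatchedBuild) {
    Write-Warning 'Farm build is below the expected build: the update may be installed but PSConfig has not completed.'
}
```

The two warnings distinguish the two failure modes a practitioner actually meets: a server that never received the update (binary build too low) and a farm where the update was installed but the configuration step was never run (binaries current, config database build stale). Both leave the farm exposed.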
What to Do About It: Step-by-Step
Step 1: Apply the May 2026 (or later) SharePoint security update — now
This is the fix. Install the update for your exact product (Subscription Edition, 2019, or 2016) on every SharePoint server in the farm, including all Web Front End and application servers. Do not skip servers; a single unpatched node keeps the farm exposed.
Step 2: Run the Configuration Wizard / PSConfig after patching
Installing the update only replaces the binaries. The farm is not fully upgraded (and the farm build number in the configuration database does not change) until the configuration step has been run on every server in the farm, starting with the server that hosts Central Administration. From an elevated SharePoint Management Shell on each server, run:
PSConfig.exe -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources
Expect a short outage per server while it runs. Afterwards, confirm that every server reports the same, patched build number and that Central Administration's patch status page shows no servers needing an upgrade.
Step 3: Restrict exposure while you patch
If any SharePoint web front-end is reachable from the internet, put it behind VPN/reverse-proxy access controls or restrict inbound access to trusted networks until every server is confirmed patched.
Step 4: Tighten authentication
Because low-privileged accounts can trigger the flaw, raise the cost of obtaining one. Enforce MFA on SharePoint logins (on-prem SharePoint does not enforce MFA itself; it is applied through the federated identity provider, such as AD FS or a SAML/OIDC provider, or at a reverse proxy in front of the farm), review site membership for stale or over-broad access, and disable unused accounts.
Step 5: Hunt for compromise
Attackers who reached the server may have dropped web shells or created persistence. Review the SharePoint LAYOUTS and web directories for unexpected .aspx/.ashx files, check IIS logs for anomalous POSTs to SharePoint endpoints, and inspect for unexpected w3wp.exe child processes.
Step 6: Rotate secrets if you find any sign of intrusion
Reset the farm account and service credentials, rotate the ASP.NET machine keys of each web application (SharePoint Server 2016 and later provide the Update-SPMachineKey cmdlet for this; restart IIS on every server afterwards), and review for new or modified administrative accounts. Treat machine keys as compromised whenever a web shell is found, since a stolen ValidationKey lets an attacker forge ViewState and re-enter the server without the original bug.
Step 7: Confirm against KEV timelines
If you fall under U.S. federal (FCEB) requirements under BOD 22-01, remediation was due July 4, 2026; everyone else should treat that as the target date too.
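Step 5 lists three things to look at on a server that was exposed: unexpected script files in the LAYOUTS and web directories, anomalous POSTs in the IIS logs, and child processes of w3wp.exe. The script below is an added example (not from the original page or from Microsoft) that triages one server for all three. The IIS log location, the SharePoint virtual-directory root, the endpoint pattern and the look-back window are assumptions based on default installations; adjust them for your farm, and run it on every web front end and application server, not only the one an alert came from.

```powershell
# Added example, not the page's or Microsoft's own code. Run elevated on each
# SharePoint server. Defaults below are ASSUMPTIONS based on a stock install.
param(
    [int]$Days = 30,                                   # look-back window
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',  # default IIS W3C log root
    [string]$VdirRoot = 'C:\inetpub\wwwroot\wss\VirtualDirectories'  # default SP web app root
)
$since = (Get-Date).AddDays(-$Days)
$hive  = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\Web Server Extensions\16'

# 1. Server-side script files written recently under LAYOUTS or any web app root.
#    Patching rewrites product files, so compare against your patch date and look
#    for names that are not part of the product.
$webRoots = @(Join-Path $hive 'TEMPLATE\LAYOUTS') +
            @(Get-ChildItem $VdirRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)
$recentScripts = foreach ($root in $webRoots) {
    Get-ChildItem $root -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}

# 2. IIS W3C logs: POSTs to _layouts or _vti_bin, grouped by URI and client.
#    Column positions are taken from each file's "#Fields:" header rather than
#    assumed, so custom log field selections still parse.
$posts = foreach ($log in Get-ChildItem $IisLogRoot -Recurse -Filter *.log -ErrorAction SilentlyContinue |
                  Where-Object { $_.LastWriteTime -gt $since }) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '
        if ($v.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        # ASSUMPTION: endpoint pattern; widen it if your alerts name other paths.
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -match '/_layouts/|/_vti_bin/') {
            [pscustomobject]@{
                Uri = $row['cs-uri-stem']; Client = $row['c-ip']
                User = $row['cs-username'];  Status = $row['sc-status']
            }
        }
    }
}
$postSummary = $posts | Group-Object Uri, Client | Sort-Object Count -Descending |
               Select-Object Count, Name -First 25

# 3. Child processes of the IIS worker process. A healthy w3wp.exe rarely spawns
#    more than the .NET compiler; cmd.exe or powershell.exe under it is a strong
#    web-shell indicator.
$w3wpIds  = @(Get-Process w3wp -ErrorAction SilentlyContinue | ForEach-Object Id)
$children = Get-CimInstance Win32_Process |
    Where-Object { $w3wpIds -contains $_.ParentProcessId } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine

"== Script files modified since $since =="
$recentScripts | Format-Table -AutoSize
"== Top POST targets under _layouts / _vti_bin (count, 'uri, client') =="
$postSummary | Format-Table -AutoSize
"== Current child processes of w3wp.exe =="
$children | Format-Table -AutoSize
```

Read the three sections together: a POST burst from one client to one endpoint, followed by a newly written .aspx in LAYOUTS and a cmd.exe under w3wp.exe, is the sequence an exploitation-plus-web-shell event leaves behind. Absence of all three is not proof of a clean server, since an attacker who completed their work and removed the shell leaves only the log entries; preserve the IIS logs before patching or restarting.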
Quick-Win Checklist
- Identified every on-prem SharePoint server and its edition/build.
- Applied the May 2026 (or later) security update for CVE-2026-45659 on all farm servers.
- Ran PSConfig/the Configuration Wizard and verified a consistent patched build.
- Removed or gated any internet-facing SharePoint front-end.
- Enforced MFA and pruned stale site memberships / low-tier accounts.
- Reviewed LAYOUTS/web dirs, IIS logs, and processes for web shells or anomalies.
- Rotated farm/service credentials and machine keys if compromise is suspected.