FALCONINTERNET

SharePoint RCE CVE-2026-45659: CISA Gives You Until July 4 to Patch


When Microsoft published its May 2026 security update for SharePoint Server, the advisory carried a note that has since aged poorly: "Exploitation Less Likely." On July 1, CISA disagreed — quietly and decisively — by adding CVE-2026-45659 to its Known Exploited Vulnerabilities catalog and giving federal civilian agencies until July 4 to apply the patch or pull the plug on affected systems. Private organizations have no formal mandate, but the signal is identical: this vulnerability is being used right now, and has been for long enough that a government agency noticed.

What CVE-2026-45659 Actually Is

CVE-2026-45659 is a remote code execution vulnerability rooted in insecure deserialization of untrusted data inside SharePoint Server. Deserialization bugs are a historically brutal class: an attacker sends a crafted payload that the server's .NET stack unpacks and executes as code, without the server recognizing it as a threat. The CVSS score is 8.8 (High), and the bar to trigger it is low. Any authenticated user holding Site Member permissions — the default for most internal users — can exploit it over the network; no admin rights or complex preconditions are required. If someone holds a valid account and can reach your SharePoint server, they have a path to code execution.

Affected versions are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online (Microsoft 365) is not in scope — this vulnerability lives entirely on-premises.

The "Less Likely" Gap

Microsoft's Exploitability Index rating is made at disclosure time, estimating how difficult it would be for an attacker to build a reliable exploit. For deserialization bugs, that's a tricky call: the attack surface can be narrow and exploits can be finicky to build, but once working they tend to work reliably across targets. CISA does not add vulnerabilities to the KEV list speculatively — the catalog is reserved for flaws with documented in-the-wild exploitation. Its July 1 action carries real weight even without a public attribution, because CISA's threshold is evidence, not probability.

This gap matters beyond this specific CVE. Vendor exploitability ratings reflect pre-patch difficulty at disclosure time, before attackers have had weeks or months to develop tooling. By the time a flaw reaches active exploitation, the window to act has usually been open for a while. The May patch was available for roughly six weeks before CISA confirmed exploitation — that's the window attackers worked in.

Storm-2603: A Group With a History Here

Although CISA has not publicly attributed the CVE-2026-45659 exploitation to a named actor, the timing aligns with documented activity from Storm-2603, a threat group that has been systematically targeting on-premises SharePoint infrastructure since at least March 2025. Trustwave and Microsoft have tracked the group chaining prior SharePoint CVEs — including CVE-2025-49704, CVE-2025-49706, and the ToolShell pair CVE-2025-53770/53771 — to gain initial access, then establishing persistence using Velociraptor running at SYSTEM-level privileges, tunneling outbound traffic via Cloudflare, and maintaining remote access through Zoho Assist and SSH over Visual Studio Code.

Storm-2603's ransomware of choice has been LockBit Black and a variant called Warlock. Their targeting has skewed toward organizations that kept SharePoint Server on-premises specifically for control or compliance reasons — and then left it internet-exposed or inadequately segmented. The irony is consistent: the environments kept off the cloud for caution ended up with a broader attack surface than their cloud-hosted counterparts.

Who Is Exposed and What to Check

If your organization runs any of the three affected SharePoint Server versions on-premises and that server is reachable from a network where user credentials could be compromised — which describes most enterprise networks — you are in scope. The check takes minutes:

  • Open SharePoint Central Administration, go to Upgrade and Patch Management, and confirm the May 2026 cumulative update appears as installed. If it doesn't, you have been exposed since May.
  • Review IIS access logs and SharePoint ULS logs for unusual POST requests to /_vti_bin/ endpoints, especially from service accounts or accounts that do not typically access SharePoint programmatically.
  • Audit Site Member group membership. Compromised service accounts — particularly accounts shared across multiple systems — are a common attacker entry point precisely because their authentication activity blends in.
  • If your SharePoint is internet-facing without a reverse proxy or WAF in front of it, treat that as an aggravating factor and prioritize accordingly.
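The second bullet is the one check that can be scripted against exported logs. The following is an added example, not code from the original post or from Falcon Internet: it parses IIS W3C extended-format log lines and flags POST requests to /_vti_bin/ from authenticated accounts that are not on an allowlist of known programmatic clients, separating service accounts from interactive users as the checklist suggests. The sample log lines, the account names, the allowlist entry `CORP\svc_sync` and the `svc_` service-account prefix are all constructed assumptions for this example; only the /_vti_bin/ path and the account-class distinction come from the checklist itself.

```python
"""Triage IIS W3C logs for POST requests to SharePoint's /_vti_bin/ endpoints.

Added example: flags POSTs to /_vti_bin/ from authenticated accounts that are
not on an allowlist of known programmatic clients. It does not parse ULS logs.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample in IIS W3C extended format. Real logs live under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid>\ and encode spaces as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-06-12 09:14:03 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.4.21 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2026-06-12 09:14:07 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\svc_backup 10.0.4.88 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 640
2026-06-12 09:14:09 10.0.0.5 POST /_vti_bin/lists.asmx - 443 CORP\\jdoe 198.51.100.7 python-requests/2.31 500 0 0 87
2026-06-12 09:15:00 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\svc_sync 10.0.4.90 SharePointSync/1.0 200 0 0 300
2026-06-12 09:15:30 10.0.0.5 GET /_vti_bin/client.svc - 443 CORP\\jdoe 10.0.4.21 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 45
2026-06-12 09:16:00 10.0.0.5 POST /_layouts/15/start.aspx - 443 CORP\\mroe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 50
2026-06-12 09:16:20 10.0.0.5 POST /_VTI_BIN/client.svc/ProcessQuery - 443 - 203.0.113.9 curl/8.4.0 401 2 5 12
"""

# Assumptions for this example: accounts known to call SharePoint web services
# legitimately, and a 'svc_' prefix as the service-account naming convention.
KNOWN_PROGRAMMATIC_ACCOUNTS: Set[str] = {"CORP\\svc_sync"}
SERVICE_ACCOUNT_PREFIX = "svc_"


@dataclass(frozen=True)
class Finding:
    user: str
    client_ip: str
    uri: str
    status: str
    user_agent: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended-format lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The #Fields directive defines the columns; it can reappear after a
            # log rollover, so re-read it whenever it occurs.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # no header yet, or a truncated row: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def find_suspicious_vti_bin_posts(records: List[Dict[str, str]],
                                  allowlist: Set[str]) -> List[Finding]:
    """Return POSTs to /_vti_bin/ by authenticated accounts outside the allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings: List[Finding] = []
    for r in records:
        if r.get("cs-method", "").upper() != "POST":
            continue
        uri = r.get("cs-uri-stem", "")
        if not uri.lower().startswith("/_vti_bin/"):  # IIS paths are case-insensitive
            continue
        user = r.get("cs-username", "-")
        if user == "-":
            # Anonymous 401 rows are the first leg of an NTLM/Kerberos handshake;
            # the authenticated retry is logged as its own row, so skip these.
            continue
        if user.lower() in allowed:
            continue
        account = user.split("\\")[-1].lower()
        if account.startswith(SERVICE_ACCOUNT_PREFIX):
            reason = "service account not on the programmatic allowlist"
        else:
            reason = "interactive user account calling a web-service endpoint"
        findings.append(Finding(user, r.get("c-ip", ""), uri, r.get("sc-status", ""),
                                r.get("cs(User-Agent)", ""), reason))
    return findings


def count_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Aggregate flagged POSTs per account to spot high-volume callers."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for f in find_suspicious_vti_bin_posts(recs, KNOWN_PROGRAMMATIC_ACCOUNTS):
        print(f"{f.user:<18} {f.client_ip:<15} {f.status} {f.uri}  [{f.reason}] UA={f.user_agent}")
```

Point `parse_w3c` at the real W3SVC log files instead of `SAMPLE_LOG`, and make sure the site's logging configuration includes the cs-username field, or every row will read as anonymous. Two details the code handles on purpose: the anonymous 401 rows that Windows authentication produces before the authenticated retry are skipped rather than reported, and the path match is case-insensitive because IIS resolves it that way. A hit is a lead, not a verdict; a legitimate scripted client that simply is not on the allowlist looks the same as a compromised account, which is why the checklist pairs this review with the Site Member audit.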

The patch for each affected version is available in the May 2026 Security Update rollup via the Microsoft Update Catalog or WSUS. Apply it, run the SharePoint Products Configuration Wizard, and restart IIS. Verify the build number in Central Administration reflects the updated version afterward.

The On-Premises Risk Pattern

SharePoint Server vulnerabilities have a reliable pattern: they affect on-premises deployments disproportionately because those environments receive less automatic update pressure than cloud services. Organizations hold onto aging SharePoint Server installations because migration to SharePoint Online is disruptive and expensive, and in the meantime those servers accumulate unpatched CVEs that would have been silently remediated on the cloud version. The same dynamic applies to Exchange, Confluence Server, and any other product with a parallel hosted equivalent.

At Falcon Internet, we see this pattern surface repeatedly in incident reviews — internet-exposed collaboration platforms running behind on patch cadence are among the most consistent entry points into otherwise well-managed environments. Patch cadence matters more than architecture choice. The May fix was ready six weeks ago.
