Microsoft SharePoint is back on the emergency list. On July 2, CISA added CVE-2026-45659, a high-severity remote-code-execution flaw in on-premises SharePoint Server, to its Known Exploited Vulnerabilities catalog after confirming attackers are actively using it. The bug scores 8.8 and stems from the deserialization of untrusted data, and Microsoft shipped a fix back in May. The uncomfortable part is the gap between those two dates: any organization still running an unpatched on-prem SharePoint has been exposed for weeks, and the KEV listing means the exploitation is no longer theoretical.
- CVE-2026-45659 is a remote-code-execution flaw in on-premises Microsoft SharePoint Server, CVSS 8.8.
- CISA added it to the KEV catalog on July 2 after confirming active exploitation in the wild.
- The root cause is unsafe deserialization of untrusted data, letting an attacker run code on the server.
- Microsoft patched it in May 2026, so this is an exposure of unpatched systems, not a zero-day.
What is CVE-2026-45659?
It is a remote-code-execution vulnerability in on-premises SharePoint Server caused by deserialization of untrusted data. Deserialization is the process of turning stored or transmitted bytes back into live program objects, and it becomes dangerous when a server does it to data an attacker controls without validating it first. In this class of bug, a carefully crafted serialized payload can trick the server into constructing objects that execute attacker-chosen code during the reconstruction, with no valid credentials required in the worst cases. Because SharePoint is a document and collaboration hub that usually sits deep inside corporate networks and holds sensitive files, an RCE there is not just one compromised box; it is a foothold with reach into the rest of the organization.
Why does the KEV listing change the urgency?
Because it converts a patch you meant to get to into one you are now on the clock for. CISA's Known Exploited Vulnerabilities catalog is a curated list of flaws confirmed to be under active attack, and getting added is the agency's clearest signal that exploitation is real and ongoing rather than proof-of-concept. For US federal civilian agencies, a KEV entry carries a binding remediation deadline, and for everyone else it is the strongest possible nudge that this specific bug should jump the patch queue. The listing also tells defenders something practical: attackers already have working exploit code and are scanning for exposed servers, so the window to patch quietly, before someone tries your instance, has effectively closed.
| Detail | CVE-2026-45659 |
|---|---|
| Product | On-prem SharePoint Server |
| Type | Remote code execution |
| Root cause | Deserialization of untrusted data |
| CVSS | 8.8 (high) |
| Patched | May 2026 |
| KEV added | July 2, 2026 (active exploitation) |
Who is exposed, and what should they do?
The at-risk group is specific: organizations running on-premises SharePoint Server that did not apply Microsoft's May update. SharePoint Online, the cloud version, is maintained by Microsoft and is not the target here, which is a reminder of one of the quiet security advantages of managed services. For on-prem operators, the response is unambiguous. Apply the May 2026 SharePoint update immediately if you have not. Then, because the bug has been exploitable for weeks, treat patching as necessary but not sufficient: hunt for signs of prior compromise (unexpected processes, new web-shell files in SharePoint directories, suspicious outbound connections and unfamiliar administrative accounts) on the assumption that a determined attacker may have already been in before you closed the door. Where immediate patching is impossible, restricting network exposure of the SharePoint server buys time.
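The web-shell part of that hunt, as an added example rather than Microsoft or CISA tooling: a PowerShell sweep that compares server-side script files against a known-good hash baseline and also flags anything written inside the exposure window. The function name, parameters, extension list, demo directory and the 2026-05-01 date are assumptions made for illustration; point `-Root` at the web directories of your own farm.

```powershell
# Added example (not Microsoft's or CISA's tooling). Flags server-side script
# files that are absent from, or differ from, a known-good hash baseline, or
# that were written inside the exposure window. Timestamps can be forged, so
# the hash comparison is the primary signal and the date check is secondary.
function Find-SuspectWebFile {
    param(
        [Parameter(Mandatory)] [string]   $Root,         # directory to sweep (you supply it)
        [Parameter(Mandatory)] [datetime] $WindowStart,  # start of the exposure window
        [hashtable] $Baseline   = @{},                   # relative path -> SHA256 (known good)
        [string[]]  $Extensions = @('.aspx', '.ashx', '.asmx', '.ascx')
    )
    $rootFull = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\', '/')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($rootFull.Length + 1)
            $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $reason = $null
            if (-not $Baseline.ContainsKey($rel)) {
                $reason = 'not in baseline'
            } elseif ($Baseline[$rel] -ne $hash) {
                $reason = 'hash differs from baseline'
            } elseif ($_.LastWriteTimeUtc -ge $WindowStart.ToUniversalTime()) {
                $reason = 'modified inside exposure window'
            }
            if ($reason) {
                [pscustomobject]@{ Path = $rel; Reason = $reason; SHA256 = $hash; ModifiedUtc = $_.LastWriteTimeUtc }
            }
        }
}

# Constructed demo data: a throwaway directory standing in for a web root.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("sp-hunt-" + [guid]::NewGuid())
$sub  = Join-Path $demo 'sub'
New-Item -ItemType Directory -Path $sub | Out-Null
$known = Join-Path $demo 'known.aspx'
Set-Content -LiteralPath $known -Value 'known page'
Set-Content -LiteralPath (Join-Path $sub 'extra.aspx') -Value 'unexpected page'
(Get-Item -LiteralPath $known).LastWriteTimeUtc = [datetime]'2026-01-01'
$baseline = @{ 'known.aspx' = (Get-FileHash -LiteralPath $known -Algorithm SHA256).Hash }

# Placeholder date: the page gives only "May 2026" for the fix.
Find-SuspectWebFile -Root $demo -WindowStart ([datetime]'2026-05-01') -Baseline $baseline |
    Format-Table Path, Reason
Remove-Item -LiteralPath $demo -Recurse -Force
```

A baseline taken from a clean server at the same patch level gives the most useful comparison; with an empty baseline every matching file is reported as not in baseline.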
Why does this keep happening to SharePoint?
Because it is a high-value, widely deployed, complex application with a long history of deserialization issues, and that combination is catnip for attackers. Enterprise collaboration servers are exactly the machines worth breaking into: they hold documents, sit inside the trust boundary, and often connect to identity and file systems across the org. SharePoint's size and age mean a large attack surface and a steady stream of newly found flaws, and the .NET deserialization pattern behind this CVE has produced server-side RCE bugs across the industry for years. The uncomfortable pattern here is not really about one product, it is about patch latency: the fix existed in May, the exploitation is confirmed in July, and the entire risk lives in that gap. Attackers have industrialized the reverse-engineering of patches into working exploits, so the time defenders have to act keeps shrinking.
- Patch now. Apply the May 2026 SharePoint update on every on-prem server today if it is still missing.
- Assume breach. Given weeks of exposure, hunt for web shells and anomalous accounts; do not just patch and move on.
- Federal deadline. The KEV entry sets a binding remediation date for US civilian agencies; expect broad patching pressure.
- Copycats. With exploit code circulating, expect scanning for unpatched instances to spike in the days after listing.
Our take
This one should not be scary, and that is exactly why it is worrying. There is no zero-day drama here: Microsoft found the flaw, shipped a fix in May, and did its job. The danger is entirely in the operational gap that follows, the stretch of time between a patch existing and an organization actually applying it, and that gap is where a huge share of real-world breaches now live. The lesson of CVE-2026-45659 is the same one the industry keeps relearning: for internet-facing, high-value software like SharePoint, a patch you have not deployed is worth nothing, and attackers have gotten frighteningly fast at turning a public fix into a working weapon. If you run on-prem SharePoint, the move is not to panic, it is to patch today and then check whether someone got there first, because the KEV listing is CISA telling you plainly that they are trying.
- Official: CISA KEV catalog, the authoritative list of actively exploited flaws
- Vendor: Microsoft Security Update Guide, the SharePoint advisory and patch details
- Reference: NIST National Vulnerability Database, CVE-2026-45659 scoring and technical record
Original analysis by GenZTech. Advisory status current as of July 2026. More at CISA.
