A high-severity SharePoint bug is being exploited in the wild, and the US government has made patching it mandatory for federal agencies. CISA added CVE-2026-45659, a remote code execution flaw in Microsoft SharePoint Server rated CVSS 8.8, to its Known Exploited Vulnerabilities catalog after confirming active attacks. The dangerous detail is the low bar to abuse it: any authenticated user can trigger the flaw, with no admin or elevated privileges required.
- What it is. CVE-2026-45659, a CVSS 8.8 RCE in SharePoint Server caused by deserialization of untrusted data.
- Who can exploit it. Any authenticated user, no elevated privileges needed, which turns any low-value account into a foothold for code execution.
- Why it is urgent. CISA placed it in the KEV catalog citing evidence of active exploitation, making remediation mandatory for federal agencies under BOD 22-01.
- The pattern. It fits 2026's defining trend: software vulnerabilities have overtaken stolen passwords as the top initial-access vector, per Verizon's DBIR.
What is CVE-2026-45659?
A remote code execution vulnerability in Microsoft SharePoint Server that arises from the deserialization of untrusted data. Deserialization bugs are a classic and dangerous class: when an application reconstructs an object from incoming serialized bytes without validating them, a crafted payload can smuggle in instructions that execute during reconstruction. Microsoft rated this one CVSS 8.8, and the crucial characteristic is that triggering it requires only an authenticated session, not administrative access. In a typical enterprise SharePoint deployment, that means any employee account, or any account an attacker has already phished or bought, is enough to reach code execution on the server.
Why does the CISA KEV listing raise the stakes?
Because the KEV catalog is not a theoretical severity list; it is a record of vulnerabilities confirmed to be under active exploitation. When CISA adds an entry, US federal civilian agencies are bound by Binding Operational Directive 22-01 to remediate it within a set deadline, and the wider security community treats a KEV listing as a signal to patch immediately rather than schedule it. For a product as widely deployed inside enterprises and governments as SharePoint, active exploitation of a low-privilege RCE is close to a worst case: the software holds sensitive documents, sits deep inside corporate networks, and often trusts internal users implicitly.
How does this fit the broader 2026 threat picture?
It is a textbook example of the year's dominant trend. Verizon's 2026 Data Breach Investigations Report found that software vulnerabilities have overtaken stolen credentials as the top way attackers gain initial access, a genuine shift in where defenders should focus. The same report notes generative AI is accelerating every stage of an attack, from spotting weaknesses to writing working exploits. That compression is visible elsewhere in 2026: the PraisonAI flaw saw exploitation attempts less than four hours after public disclosure. A deserialization RCE in ubiquitous enterprise software, exploitable by any logged-in user, is exactly the kind of target this faster, vulnerability-first attacker economy prioritizes.
- Patch now. Apply Microsoft's SharePoint update immediately; do not wait for a maintenance window on a KEV-listed RCE.
- Audit accounts. Any authenticated user can exploit this. Review low-privilege and stale accounts as potential footholds.
- Hunt for compromise. Active exploitation means checking logs for anomalous SharePoint requests and post-exploitation activity, not just confirming patch status.
- Deserialization everywhere. This class recurs. Watch for related advisories across enterprise middleware.
What should defenders do in the first 24 hours?
Prioritize by exposure, not by the usual patch calendar. Internet-facing SharePoint deployments come first, since those are the ones attackers can reach without already being inside the network, followed by internal instances that hold sensitive documents. Apply Microsoft's update immediately, then assume the possibility of prior compromise: review SharePoint request logs for anomalous serialized payloads and unexpected process execution, and check for the web shells and persistence mechanisms that typically follow a deserialization RCE. Because any authenticated account is a viable launchpad, rotate credentials for service and low-privilege accounts that touch SharePoint, and tighten monitoring on them. Organizations bound by BOD 22-01 have a hard remediation deadline, but everyone else should treat the KEV listing as the same signal: this is being exploited now, and detection matters as much as patching.
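One way to connect the two hunting signals above, as an added example that is not from the original article, Microsoft or CISA: it flags command interpreters started by the IIS worker process (w3wp.exe, which hosts SharePoint) and ties each one to the authenticated account whose request immediately preceded it. The log layout, field order, account names, paths and 5-second window are assumptions, and both sources are assumed to share one clock.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data, not real telemetry; paths and accounts are placeholders.
# Assumed IIS W3C fields: date time cs-method cs-uri-stem cs-username sc-status
IIS_LOG = """\
2026-07-01 10:00:01 GET /sites/hr/SitePages/Home.aspx CORP\\alice 200
2026-07-01 10:02:14 POST /_layouts/15/placeholder.aspx CORP\\temp-intern 200
2026-07-01 10:09:30 GET /sites/hr/Shared%20Documents/a.docx CORP\\bob 200
"""
# Assumed process-creation export (e.g. Sysmon Event ID 1): time, parent, child
PROC_EVENTS = [
    ("2026-07-01 10:02:15", "w3wp.exe", "cmd.exe"),
    ("2026-07-01 10:05:00", "services.exe", "svchost.exe"),
    ("2026-07-01 11:40:00", "w3wp.exe", "powershell.exe"),
]
# Interpreters the IIS worker process has no routine reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

def parse_iis(text):
    """Return (timestamp, path, user) for every authenticated request."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header directives
            continue
        date, time, _method, path, user, _status = line.split()
        if user != "-":  # "-" means the request was anonymous
            rows.append((datetime.strptime(f"{date} {time}", FMT), path, user))
    return rows

def correlate(iis_text, events, window=timedelta(seconds=5)):
    """Attribute each suspicious w3wp.exe child to the requests just before it."""
    requests = parse_iis(iis_text)
    findings = []
    for ts, parent, child in events:
        if parent.lower() != "w3wp.exe" or child.lower() not in SUSPICIOUS_CHILDREN:
            continue
        spawned = datetime.strptime(ts, FMT)
        hits = [(p, u) for t, p, u in requests if timedelta(0) <= spawned - t <= window]
        # A spawn with no matching request is still a finding; the user stays unknown.
        for path, user in hits or [(None, None)]:
            findings.append({"spawned": ts, "child": child, "user": user, "path": path})
    return findings

if __name__ == "__main__":
    for finding in correlate(IIS_LOG, PROC_EVENTS):
        print(finding)
```

Accounts surfaced this way are the first candidates for credential rotation; spawns with no attributable request still warrant host-level investigation.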
Our take
Treat this as a patch-tonight item, not a patch-Tuesday item. The combination that makes CVE-2026-45659 dangerous is not any single attribute but their overlap: it is a code-execution bug, it needs only an ordinary authenticated session, it lives in software that sits at the center of enterprise document workflows, and it is already being exploited. That is precisely the profile the 2026 DBIR flags as the new normal, where software flaws beat stolen passwords as the front door and AI-assisted tooling shrinks the window between disclosure and mass exploitation. Patching is necessary but not sufficient here, because active exploitation means some environments are likely already touched, so pair the update with log review and a hard look at which low-privilege accounts could quietly become a launchpad. The organizations that get burned by this one will be the ones that saw "authenticated only" and downgraded the urgency.
- Official: CISA KEV Catalog, authoritative exploited-vulnerability list
- Official: Microsoft Security Update Guide, CVE-2026-45659 advisory and patch
- Reference: Verizon 2026 DBIR, vulnerabilities overtaking credentials
Original analysis by GenZTech. Figures current as of July 2026. Source: cisa.gov
