JH← Back to blog

CVE-2026-45659 Is in CISA's KEV Catalog. Your SharePoint Farm Had a Two-Month Head Start — Did You Use It?

The SharePoint Server RCE flaw CVE-2026-45659 was patched in May and is now confirmed under active exploitation. Here's why 'requires authentication' won't save you and what to check today.


Microsoft patched CVE-2026-45659 in May 2026 and rated exploitation "less likely." On July 1, CISA added it to the Known Exploited Vulnerabilities catalog anyway — because attackers are actively using it. That two-month gap between patch available and patch confirmed-exploited is exactly the window most organizations lose to, and if you run on-prem SharePoint, you need to know which side of it you're on today.

What the vulnerability actually is

CVE-2026-45659 is a deserialization-of-untrusted-data flaw in Microsoft SharePoint Server, scored CVSS 8.8. SharePoint accepts serialized objects from users and, under certain conditions, processes them without proper validation. Craft a malicious payload, and the server executes your code — no user interaction needed.

Three editions are affected, all still common in enterprises:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Enterprise Server 2016

If you applied the May 2026 cumulative updates across your whole farm, you're covered. The attacks CISA is seeing are hitting the organizations that didn't.

Why "requires authentication" is weaker than it sounds

Exploitation does require valid credentials — but only at the Site Member level, the baseline access nearly every employee, contractor, and partner gets by default. That's not a meaningful barrier in 2026. The FortiBleed campaign put over 110 million stolen credentials into circulation this same week, and credential stuffing plus phishing make "authenticated" a checkbox, not a defense. For this CVE, Site Member effectively functions as a skeleton key.

This is also why vendor severity language and attacker behavior diverge. Microsoft's "exploitation less likely" was a theoretical assessment. CISA's KEV listing is an observation of what's actually happening. When the two conflict, believe the KEV catalog.

What a KEV listing obligates you to do

Under BOD 26-04, U.S. federal civilian agencies have three days to remediate a vulnerability of this severity. Private companies aren't legally bound, but treat KEV as the de facto urgency standard anyway — cyber insurers, auditors, and regulators increasingly use it to judge whether you exercised reasonable diligence after a breach. "It wasn't in KEV yet" is a defensible answer; "it was in KEV for six weeks" is not.

What's still unknown: CISA hasn't attributed the exploitation to a specific actor, hasn't confirmed the end goal, and currently lists ransomware use as "Unknown." Read that as "not yet known," not "low risk" — access brokers monetize footholds like this quickly, and a ransomware link surfacing in the coming weeks wouldn't surprise anyone tracking this space.

The checklist for this week

  1. Verify the May 2026 updates on every server in the farm. Not just the primary — multi-server SharePoint farms are notorious for missed nodes, and one unpatched member is enough.
  2. Audit who holds Site Member and above. Stale accounts, contractors whose engagements ended, over-permissioned service accounts — every one of them is now a potential exploitation path.
  3. Turn up SharePoint and IIS logging temporarily. You're looking for anomalous deserialization attempts and unusual POST patterns to SharePoint endpoints.
  4. Enforce MFA on every SharePoint access path. With the privilege bar this low, a second factor is the cheapest mitigation you have — and check whether your domain's credentials have surfaced in recent breach dumps.

The pattern behind the headline

On-prem SharePoint keeps drawing this kind of attention because the installed base is durable and high-value: government, healthcare, and manufacturing sectors that haven't fully migrated to SharePoint Online. A compromised SharePoint server hands an attacker exactly what ransomware affiliates and espionage actors want — an internal foothold plus direct access to an organization's documents. Treat SharePoint security bulletins with domain-controller urgency, because that's the role the box plays for an attacker.

If you haven't verified your SharePoint patch levels this week, do it today, not after the next audit cycle. Pull the farm inventory, cross-reference against the May releases, and prune Site Member access while you're in there. The fix has existed for two months; the only question left is whether you've actually applied it everywhere.