Microsoft SharePoint Server Code Execution Vulnerability Exploited

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed Microsoft SharePoint Server vulnerability (CVE‑2026‑45659) to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited in real‑world attacks. The vulnerability, a deserialization of untrusted data issue (CWE‑502), allows authenticated attackers to execute arbitrary code remotely — posing a serious threat to organizations running on‑premises SharePoint Server for collaboration and document management.

Technical Details

The flaw enables attackers with valid credentials to craft malicious serialized payloads processed by the SharePoint Server, resulting in remote code execution (RCE).

  • Affected Systems: On‑premises Microsoft SharePoint Server deployments.
  • Attack Vector: Authenticated network access via malicious serialized data.
  • Exploit Impact: Execution of arbitrary code within legitimate user contexts.

This type of vulnerability is particularly dangerous because it can bypass traditional security controls when exploited through legitimate user sessions.

Active Exploitation and Urgency

CISA added CVE‑2026‑45659 to the KEV catalog on July 1, 2026, setting a remediation deadline of July 4, 2026 — underscoring the urgency for federal agencies and enterprises to patch immediately.

While there’s no confirmed link to ransomware campaigns yet, active exploitation in the wild elevates its risk profile significantly. CISA’s directive under Binding Operational Directive (BOD) 26‑04 requires organizations to prioritize risk‑based patching and follow vendor mitigation guidance.

Attack Scenario

An attacker could leverage stolen or low‑privilege credentials to gain initial access, then submit a malicious request that triggers the vulnerable deserialization process. Possible outcomes include:

  • Web shell deployment for persistent access.
  • Privilege escalation within SharePoint environments.
  • Data exfiltration and lateral movement across enterprise networks.

Indicators of compromise may include unusual SharePoint activity, unexpected process execution, or anomalous network traffic originating from SharePoint servers.

Mitigation and Response

CISA recommends organizations take the following actions immediately:

  • Apply Microsoft patches or mitigations without delay.
  • Assess internet exposure and restrict external access to administrative interfaces.
  • Implement forensic triage to detect potential breaches.
  • Monitor for anomalous activity and network connections from SharePoint hosts.
  • Review user permissions to limit attack surface.

By prioritizing remediation of KEV‑listed vulnerabilities like CVE‑2026‑45659, organizations can significantly reduce their exposure to ongoing threat campaigns.

Expert in the Cloud Insight

Deserialization flaws remain a persistent risk in enterprise applications because they exploit trusted data flows. The SharePoint Server vulnerability demonstrates how authenticated access can be weaponized to bypass security controls and execute code within legitimate contexts.

For security leaders, the lesson is clear: patch speed is protection. With a 72‑hour remediation window and confirmed exploitation, organizations must treat this as a critical incident — not a routine update. Rapid patching, forensic monitoring, and credential hygiene are essential to prevent SharePoint from becoming an attacker’s launchpad.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.