SharePoint RCE now on CISA KEV: patch it this week, not next
CISA added CVE-2026-45659, a high-severity SharePoint Server deserialization RCE, to the Known Exploited Vulnerabilities catalog on July 2 after confirming active exploitation. Microsoft's May patch is your remediation.
CISA added CVE-2026-45659, a high-severity remote-code-execution flaw in on-premises Microsoft SharePoint Server, to the Known Exploited Vulnerabilities catalog on July 2 after confirming exploitation in the wild. Microsoft shipped a fix for this bug in its May 2026 security update. If your SharePoint farm still isn’t on that update, that’s the priority for this week — everything else can wait.
What changed
The vulnerability is a deserialization-of-untrusted-data flaw in SharePoint Server that ends in code execution as the SharePoint service account. Microsoft rates it 8.8 on CVSS 3.1, which is the score used in both the MSRC advisory and the NVD record. The Hacker News, reporting on the KEV addition on July 2, noted the same CVSS score and the deserialization root cause; BleepingComputer’s coverage the same day confirmed CISA’s active-exploitation determination.
That timeline is the story: patched in May, sitting on KEV in July. Somewhere between “patched” and “KEV,” attackers found unpatched instances and started using them. That is the pattern for on-prem SharePoint every time — ProxyLogon was the same shape of problem, just on Exchange.
What to actually do
Priority one, this week:
- Apply Microsoft’s May 2026 SharePoint security update to every on-premises SharePoint farm — Subscription Edition, 2019, and any older still-in-support build. If you have anything past end-of-support (2016, 2013), the update won’t reach it and the farm needs to come off the internet or off entirely.
- If patching this week is genuinely not possible, take the SharePoint server off the public internet until it is. A KEV-listed deserialization RCE on an internet-exposed content server is not a “we’ll get to it” bug.
- Confirm SharePoint is logging authentication and application errors somewhere you actually look. Post-patch, hunt for anomalous child processes of the SharePoint worker process and for unexpected .aspx files written under the web root over the last 60 days.
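An added example (not from the original article or from Microsoft) of the 60-day hunt described above, as PowerShell run elevated on each SharePoint server. The web-root paths are assumed default install locations, and the process search relies on Security event 4688, which exists only if process-creation auditing was enabled during the window.

```powershell
# Added example: 60-day hunt on one SharePoint server. Adjust paths to your farm.
$since = (Get-Date).AddDays(-60)

# 1) .aspx files created or modified in the window.
#    Assumed default locations: IIS virtual directories and the SharePoint hive
#    (wildcard covers whichever version folder is installed).
$roots = @(
    'C:\inetpub\wwwroot\wss\VirtualDirectories',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*\TEMPLATE\LAYOUTS'
)
$recentAspx = Get-ChildItem -Path $roots -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }

# Files stamped at the moment the security update was installed are expected;
# anything outside a known patch or deployment window needs an owner.
$recentAspx | Sort-Object LastWriteTime | Format-Table -AutoSize

# 2) Processes spawned by the IIS worker process (w3wp.exe), from Security event 4688.
#    ParentProcessName is populated on Windows Server 2016 and later.
#    The Security log may not retain the full 60 days; this reads whatever is there.
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Parent      = $d['ParentProcessName']
            Child       = $d['NewProcessName']
            CommandLine = $d['CommandLine']      # empty unless command-line auditing is on
            User        = $d['SubjectUserName']  # account that created the process
        }
    } |
    Where-Object { $_.Parent -like '*\w3wp.exe' }

# Rarest child images first: command interpreters or script hosts under w3wp.exe
# deserve immediate review.
$children | Group-Object Child | Sort-Object Count |
    Select-Object Count, Name, @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object TimeCreated)[0].TimeCreated } } |
    Format-Table -AutoSize
```

If the server forwards logs to a SIEM or runs an EDR agent, run the equivalent parent/child query there instead, since it will usually cover more of the 60-day window than the local Security log.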
Priority two, once patched:
- Rotate the SharePoint service account credentials and any application credentials stored inside SharePoint pages or lists. Deserialization RCE runs as that service account; assume anything it could reach has been reachable.
- Review outbound traffic from the SharePoint server over the last 60 days for anything that doesn’t fit its normal profile — patch downloads, Windows Update, and internal AD chatter, mostly. Anything else is worth an hour.
Federal civilian agencies are already under a KEV due date to remediate. For everyone else, a KEV listing is the honest signal that mass scanning and exploitation are underway right now, not the opening bid.
Sourcing
- Microsoft Security Response Center advisory: MSRC — CVE-2026-45659
- CISA Known Exploited Vulnerabilities catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- NVD record: NVD — CVE-2026-45659
- The Hacker News: SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
- BleepingComputer: CISA: Microsoft SharePoint RCE flaw now actively exploited


