Our Blog

Cybersecurity SOC dashboard comparing CVSS vulnerability severity with EPSS and CISA KEV exploitation signals, highlighting flawed vulnerability prioritisation models

Weekly CISA KEV Updates: 06 July 2026 - One New Known Exploited Vulnerabilities Added

Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 15 minutes

 

This Week's KEV Additions

CVE ID Vendor / Product CVSS Date Added CISA Due Date Exploitation Type EPSS Reachability
CVE-2026-45659 Microsoft SharePoint Server 8.8 (High) 1 July 2026 4 July 2026 Remote Code Execution (Authenticated) 2.78% Network (AV:N; Requires Site Member Permissions)

 

Analysis

CVE-2026-45659 - Microsoft SharePoint Server

 

What it is

A deserialization vulnerability that enables an authenticated attacker with low-level SharePoint permissions to execute arbitrary code remotely on vulnerable SharePoint servers.

 

Affected versions

Affected products include:

→ Microsoft SharePoint Server 2016

→ Microsoft SharePoint Server 2019

→ Microsoft SharePoint Server Subscription Edition before version 16.0.19725.20280

Microsoft has published updated build versions through the Microsoft Security Response Center (MSRC).

 

Exploitation status

Active exploitation confirmed.

CISA added the vulnerability to the Known Exploited Vulnerabilities Catalog on 1 July 2026 following confirmation that exploitation has been observed in the wild. One critical administrative caveat is that Microsoft inadvertently omitted CVE-2026-45659 from its initial May 2026 Patch Tuesday release logs and only updated the advisory on May 27. This visibility gap left many defenders unaware of the underlying risk, enabling a longer window of exploit development.

 

Patch available

Yes.

 

Microsoft addressed the vulnerability through the May 2026 SharePoint security updates.

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659

 

CISA due date

4 July 2026.

Note: This deadline applies to U.S. Federal Civilian Executive Branch agencies. All organisations should treat the KEV inclusion as an operational priority regardless of regulatory obligations.

 

Operational risk

SharePoint remains a widely deployed collaboration platform that frequently stores sensitive business documents and integrates with enterprise identity infrastructure. Because exploitation requires only authenticated low-privilege access (the standard Site Member contributor role), organisations should not assume external perimeter controls alone provide adequate protection. Internet-facing deployments, third-party access, compromised user accounts and insider abuse scenarios all increase exposure, making this a higher operational priority than its CVSS score alone may suggest.

 

Exploitation Context

This week's KEV activity highlights persistent threat actor interest in core on-premises data silos. Threat intelligence indicates that sophisticated, financially motivated operators and ransomware groups—such as Storm-2603—regularly weaponize SharePoint vulnerabilities to obtain immediate network staging points and deploy extortion campaigns.

 

For defenders, the absence of broader campaign telemetry across certain sectors should not reduce remediation urgency. The prerequisite for this exploit is simply valid low-privilege credentials; consequently, any employee credentials active on infostealer marketplaces present a direct compromise pathway.

 

Remediation Priorities

Priority CVE Recommended Action Timeline
Critical CVE-2026-45659 Patch SharePoint servers immediately, verify internet exposure, validate successful update installation, review authentication activity, and investigate for signs of compromise. Immediate

 

Detection and Monitoring Guidance

 

CVE-2026-45659

Relevant log sources

→ Microsoft SharePoint ULS Logs

→ Windows Event Logs

→ IIS Logs

→ Microsoft Defender for Endpoint

→ Microsoft Defender for Identity

→ Microsoft Sentinel

→ Active Directory Authentication Logs

 

Event IDs / Processes

Windows Security Event ID 4688: Track anomalous child processes executing underneath the w3wp.exe or OWSTIMER.EXE binaries. Look explicitly for cmd.exe, powershell.exe, or runtime compilation tools like csc.exe.

Windows Security Event ID 4624: Audit spikes in successful, low-privileged user authentications immediately preceding anomalous application modifications or heavy document directory access.

 

Behavioral indicators

→ Unusual SharePoint application behavior

→ Unexpected child processes spawned by IIS worker processes

→ Suspicious PowerShell execution originating from SharePoint service groups

→ Authentication from unusual geographic locations followed by SharePoint administrative activity

→ Unexpected outbound network connections initiated by SharePoint servers

 

Threat hunting starting points

→ Review recent authentication activity involving low-privileged SharePoint accounts to look for signs of credential theft.

→ Search for unusual process execution originating from SharePoint application pools.

→ Investigate newly created scheduled tasks, modification of system components, or persistence mechanisms within the web root.

→ Examine SharePoint servers for abnormal outbound communications or unauthorized remote management installations.

 

Detection content

Sigma Rules: Deploy standardized community rules targeting Web Server Web Shell Creation or Suspicious Child Processes of IIS (w3wp) to flag immediate code drops.

YARA Rules: Use logic rules optimized to scan web-facing assets (specifically the SharePoint LAYOUTS structure) for newly dropped .aspx files or web shell variants.

Vendor Detection Guidance: Cross-reference telemetry with Microsoft Incident Response guidelines for Storm-2603 tracking, keeping an active lookup for unauthorized local tool installations or atypical data staging directories.

 

Monitoring gap

At publication time, publicly available detection content specific to this vulnerability remains limited. Organisations should compensate by increasing telemetry collection around SharePoint servers, privileged authentication, IIS activity and post-authentication process execution until broader community detection content becomes available.

 

Hackerstorm Analysis

This week's KEV update reinforces a pattern that has become increasingly common throughout 2026: attackers continue to prioritise enterprise collaboration platforms that provide direct access to high-value business data while requiring only limited user privileges for successful exploitation. SharePoint's position within many organisations makes even authenticated vulnerabilities strategically valuable, particularly where identity compromise has already occurred through phishing, credential theft or token abuse.

 

Security teams frequently prioritise vulnerabilities using severity alone, yet this week's addition demonstrates why confirmed exploitation should outweigh static scoring. KEV inclusion reflects observed attacker behaviour rather than theoretical risk. Organisations that integrate KEV intelligence with exposure management, identity risk and asset criticality will consistently reduce operational risk more effectively than programmes driven solely by monthly patch cycles.

 

Further Reading

 

🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization

 

🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail

 

🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk

 

 

 

 


About This Report

 

Attribution Note

This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available. 

 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.

Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

 

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the References section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently. Report inaccuracies to This email address is being protected from spambots. You need JavaScript enabled to view it.

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections


Learn More: About Hackerstorm.com | FAQs

 

Source Transparency

 

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

 

NVD Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-45659

→ CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

→ NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-45659

→ Microsoft Security Response Center (MSRC) Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659

→ Cyber Threat Intelligence Feed: Storm-2603 Threat Profiling

→ Threat Intelligence Source: CISA KEV Catalog Monitoring Operational Feed

 

 

By using this site, you agree to our Terms & Conditions.

COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.

Terms & Privacy Policy