Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 15 minutes
| CVE ID | Vendor / Product | CVSS | Date Added | CISA Due Date | Exploitation Type | EPSS | Reachability |
| CVE-2026-45659 | Microsoft SharePoint Server | 8.8 (High) | 1 July 2026 | 4 July 2026 | Remote Code Execution (Authenticated) | 2.78% | Network (AV:N; Requires Site Member Permissions) |
A deserialization vulnerability that enables an authenticated attacker with low-level SharePoint permissions to execute arbitrary code remotely on vulnerable SharePoint servers.
Affected products include:
→ Microsoft SharePoint Server 2016
→ Microsoft SharePoint Server 2019
→ Microsoft SharePoint Server Subscription Edition before version 16.0.19725.20280
Microsoft has published updated build versions through the Microsoft Security Response Center (MSRC).
Active exploitation confirmed.
CISA added the vulnerability to the Known Exploited Vulnerabilities Catalog on 1 July 2026 following confirmation that exploitation has been observed in the wild. One critical administrative caveat is that Microsoft inadvertently omitted CVE-2026-45659 from its initial May 2026 Patch Tuesday release logs and only updated the advisory on May 27. This visibility gap left many defenders unaware of the underlying risk, enabling a longer window of exploit development.
Yes.
Microsoft addressed the vulnerability through the May 2026 SharePoint security updates.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
4 July 2026.
Note: This deadline applies to U.S. Federal Civilian Executive Branch agencies. All organisations should treat the KEV inclusion as an operational priority regardless of regulatory obligations.
SharePoint remains a widely deployed collaboration platform that frequently stores sensitive business documents and integrates with enterprise identity infrastructure. Because exploitation requires only authenticated low-privilege access (the standard Site Member contributor role), organisations should not assume external perimeter controls alone provide adequate protection. Internet-facing deployments, third-party access, compromised user accounts and insider abuse scenarios all increase exposure, making this a higher operational priority than its CVSS score alone may suggest.
This week's KEV activity highlights persistent threat actor interest in core on-premises data silos. Threat intelligence indicates that sophisticated, financially motivated operators and ransomware groups—such as Storm-2603—regularly weaponize SharePoint vulnerabilities to obtain immediate network staging points and deploy extortion campaigns.
For defenders, the absence of broader campaign telemetry across certain sectors should not reduce remediation urgency. The prerequisite for this exploit is simply valid low-privilege credentials; consequently, any employee credentials active on infostealer marketplaces present a direct compromise pathway.
| Priority | CVE | Recommended Action | Timeline |
| Critical | CVE-2026-45659 | Patch SharePoint servers immediately, verify internet exposure, validate successful update installation, review authentication activity, and investigate for signs of compromise. | Immediate |
→ Microsoft SharePoint ULS Logs
→ Windows Event Logs
→ IIS Logs
→ Microsoft Defender for Endpoint
→ Microsoft Defender for Identity
→ Microsoft Sentinel
→ Active Directory Authentication Logs
→ Windows Security Event ID 4688: Track anomalous child processes executing underneath the w3wp.exe or OWSTIMER.EXE binaries. Look explicitly for cmd.exe, powershell.exe, or runtime compilation tools like csc.exe.
→ Windows Security Event ID 4624: Audit spikes in successful, low-privileged user authentications immediately preceding anomalous application modifications or heavy document directory access.
→ Unusual SharePoint application behavior
→ Unexpected child processes spawned by IIS worker processes
→ Suspicious PowerShell execution originating from SharePoint service groups
→ Authentication from unusual geographic locations followed by SharePoint administrative activity
→ Unexpected outbound network connections initiated by SharePoint servers
→ Review recent authentication activity involving low-privileged SharePoint accounts to look for signs of credential theft.
→ Search for unusual process execution originating from SharePoint application pools.
→ Investigate newly created scheduled tasks, modification of system components, or persistence mechanisms within the web root.
→ Examine SharePoint servers for abnormal outbound communications or unauthorized remote management installations.
→ Sigma Rules: Deploy standardized community rules targeting Web Server Web Shell Creation or Suspicious Child Processes of IIS (w3wp) to flag immediate code drops.
→ YARA Rules: Use logic rules optimized to scan web-facing assets (specifically the SharePoint LAYOUTS structure) for newly dropped .aspx files or web shell variants.
→ Vendor Detection Guidance: Cross-reference telemetry with Microsoft Incident Response guidelines for Storm-2603 tracking, keeping an active lookup for unauthorized local tool installations or atypical data staging directories.
At publication time, publicly available detection content specific to this vulnerability remains limited. Organisations should compensate by increasing telemetry collection around SharePoint servers, privileged authentication, IIS activity and post-authentication process execution until broader community detection content becomes available.
This week's KEV update reinforces a pattern that has become increasingly common throughout 2026: attackers continue to prioritise enterprise collaboration platforms that provide direct access to high-value business data while requiring only limited user privileges for successful exploitation. SharePoint's position within many organisations makes even authenticated vulnerabilities strategically valuable, particularly where identity compromise has already occurred through phishing, credential theft or token abuse.
Security teams frequently prioritise vulnerabilities using severity alone, yet this week's addition demonstrates why confirmed exploitation should outweigh static scoring. KEV inclusion reflects observed attacker behaviour rather than theoretical risk. Organisations that integrate KEV intelligence with exposure management, identity risk and asset criticality will consistently reduce operational risk more effectively than programmes driven solely by monthly patch cycles.
🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization
🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail
🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk
This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
Contact:
This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:
Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections
Learn More: About Hackerstorm.com | FAQs
CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-45659
→ CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
→ NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-45659
→ Microsoft Security Response Center (MSRC) Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
→ Cyber Threat Intelligence Feed: Storm-2603 Threat Profiling
→ Threat Intelligence Source: CISA KEV Catalog Monitoring Operational Feed
COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.