CISA Adds SharePoint RCE CVE-2026-45659 to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency has added a Microsoft SharePoint Server remote code execution flaw, tracked as CVE-2026-45659, to its Known Exploited Vulnerabilities catalog...
The U.S. Cybersecurity and Infrastructure Security Agency has added a Microsoft SharePoint Server remote code execution flaw, tracked as CVE-2026-45659, to its Known Exploited Vulnerabilities catalog after confirming active abuse in the wild.
The issue carries a CVSS score of 8.8 and stems from unsafe deserialization of untrusted data. Microsoft patched the bug in May 2026 across SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. According to the vendor, an attacker with authenticated access and at least basic site member permissions can trigger the flaw to run code remotely on a vulnerable server.
CISA’s inclusion of the vulnerability means U.S. federal civilian executive branch agencies must prioritize remediation. The agency set a July 4, 2026 deadline for applying the fix. At this stage, officials have not publicly identified the actors behind the exploitation or the objectives of the campaigns.
What Microsoft has observed
The advisory follows separate Microsoft disclosures about overlapping threat activity in enterprise environments. In one case, Microsoft said a ransomware investigation uncovered two different attacker groups operating within the same network at the same time, using methods designed to maintain access and hinder detection.
One cluster was linked to Storm-2603, a group associated with Warlock ransomware. Microsoft said the activity involved suspected exploitation of a different vulnerability, along with tools and services commonly used for stealth and persistence, including Velociraptor, Cloudflare tunneling, Zoho Assist, and SSH access through Visual Studio Code. Investigators also saw attempts to raise privileges and weaken endpoint defenses.
A second, unrelated set of actors was found using DLL side-loading and custom backdoors. Microsoft later determined that the activity had spread into another organization, showing that the ransomware operation was broader than first believed.
Key takeaways for defenders
- Apply Microsoft’s SharePoint patches as soon as possible.
- Review authentication logs and remote-access activity on SharePoint servers.
- Watch for unexpected admin account creation and suspicious tunneling tools.
- Treat multiple intrusion signals as potentially related until proven otherwise.
Microsoft said the overlapping techniques complicated attribution and helped the attackers stay embedded in affected environments for longer periods.
