SharePoint RCE Flaw CVE-2026-45659 Now in CISA KEV Catalog Amid Active Attacks
CISA has added CVE-2026-45659, a critical SharePoint Server remote code execution vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. Organizations running affected SharePoint instances face immediate risk and should prioritize patching.
TL;DR
- CVE-2026-45659 is a high-severity (CVSS 8.8) remote code execution flaw in Microsoft SharePoint Server caused by unsafe deserialization of untrusted data
- CISA added the vulnerability to its KEV catalog, confirming active exploitation campaigns are underway
- Enterprises must apply Microsoft patches urgently to prevent unauthorized code execution and potential lateral movement
- The vulnerability affects on-premises SharePoint deployments; cloud-hosted instances may have different exposure profiles
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog, signaling that threat actors are actively exploiting this flaw in the wild. The vulnerability, which carries a CVSS score of 8.8, affects Microsoft SharePoint Server and allows unauthenticated remote code execution through improper handling of serialized objects.
The root cause stems from unsafe deserialization of untrusted data within SharePoint's processing logic. Attackers can craft malicious payloads that, when processed by a vulnerable server, execute arbitrary code with the privileges of the SharePoint application pool identity. This level of access enables attackers to compromise sensitive data, install backdoors, and pivot to other systems on the network.
With CISA's KEV listing, this vulnerability has moved from theoretical risk to confirmed active threat. Organizations running on-premises SharePoint deployments must treat patching as an emergency priority to prevent breach and lateral movement within their infrastructure.
Vulnerability Details and Attack Vector
- CVE-2026-45659 is a deserialization flaw allowing remote code execution without authentication
- CVSS score of 8.8 reflects high severity and ease of exploitation
- Affects Microsoft SharePoint Server on-premises installations
- Attackers can execute arbitrary code in the context of the SharePoint application pool
- No user interaction or special privileges required to trigger the vulnerability
CISA KEV Listing and Active Exploitation
- CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog after confirming active attacks
- Threat actors are actively weaponizing the flaw in targeted campaigns
- Organizations should assume their SharePoint instances are being scanned and probed by malicious actors
- KEV listing elevates the vulnerability's priority for federal agencies and critical infrastructure operators
Recommended Mitigation Actions
- Apply Microsoft security patches immediately to all affected SharePoint Server instances
- Audit SharePoint access logs for signs of exploitation attempts or suspicious deserialization activity
- Implement network segmentation to limit SharePoint exposure and restrict lateral movement
- Monitor for unusual process execution or outbound connections from SharePoint application pools
- Consider disabling or restricting access to SharePoint if patching cannot be completed urgently
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.