Active Exploitation Alert: Critical Microsoft SharePoint Server RCE Vulnerability CVE-2026-45659 Added to CISA KEV Catalog

Executive Summary

CVE-2026-45659 is a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server. This flaw, rooted in the deserialization of untrusted data, enables authenticated attackers to execute arbitrary code on vulnerable servers. Following confirmed active exploitation, the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its severity and the urgency for immediate remediation. Organizations utilizing affected versions of SharePoint are at significant risk of compromise, including potential lateral movement, data exfiltration, and ransomware deployment. This advisory provides a comprehensive technical analysis, threat actor insights, exploitation details, victimology, and actionable mitigation strategies.

Threat Actor Profile

The exploitation of CVE-2026-45659 has been observed in campaigns attributed to sophisticated financially motivated and ransomware groups. Notably, activity linked to the Storm-2603 group, which has a history of leveraging SharePoint vulnerabilities for initial access, has been documented. These actors are characterized by their rapid weaponization of newly disclosed vulnerabilities, use of legitimate remote administration tools for persistence, and advanced defense evasion techniques. Their operations often involve the deployment of custom malware, privilege escalation, and the disabling of endpoint security controls. The threat landscape is further complicated by overlapping campaigns from multiple actors, making attribution and response more challenging.

Technical Analysis of Malware/TTPs

CVE-2026-45659 is classified under CWE-502: Deserialization of Untrusted Data. The vulnerability exists due to improper handling of serialized objects within Microsoft SharePoint Server. An authenticated attacker with at least Site Member permissions can exploit this flaw by sending crafted requests containing malicious serialized payloads. Upon deserialization, arbitrary code is executed in the context of the SharePoint service, granting the attacker control over the server.

The attack chain typically begins with credential compromise or abuse of legitimate access. Once authenticated, the attacker delivers the exploit payload over the network, triggering remote code execution. Post-exploitation activities observed in the wild include the deployment of tools such as Velociraptor, Cloudflare Tunnels, Zoho Assist, and SSH via Visual Studio Code for persistence and lateral movement. Privilege escalation is achieved through the creation of new local or domain administrator accounts and exploitation of vulnerable drivers like NSecKrnl.sys to disable security solutions. Defense evasion techniques such as DLL side-loading and custom backdoor deployment have also been reported.

MITRE ATT&CK techniques mapped to these campaigns include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), T1219 (Remote Access Software), and T1070 (Indicator Removal on Host).

Exploitation in the Wild

Active exploitation of CVE-2026-45659 was confirmed by CISA and multiple security vendors in early July 2026. The vulnerability was rapidly added to the CISA KEV catalog, signaling widespread exploitation and a high risk to unpatched systems. Reports from The Hacker News, Reddit, and other open sources indicate that attackers are leveraging this vulnerability for initial access, followed by the deployment of ransomware and other malicious payloads.

Incident response investigations have revealed that attackers often chain this vulnerability with other techniques to maximize impact. For example, after gaining access via SharePoint, adversaries have been observed moving laterally to other network segments, establishing persistence through legitimate remote access tools, and escalating privileges to domain administrator. The use of living-off-the-land binaries and legitimate IT tools complicates detection and response efforts.

No public proof-of-concept (PoC) exploit has been released as of this writing, but private exploit code is being actively used by threat actors. Security researchers continue to monitor for the emergence of public PoCs, which could further accelerate exploitation.

Victimology and Targeting

Victims of CVE-2026-45659 exploitation span a wide range of sectors, including government, healthcare, finance, education, and critical infrastructure. The common denominator among victims is the presence of unpatched or outdated SharePoint Server instances exposed to the internet or accessible to compromised internal accounts. Attackers do not require administrative privileges to exploit the vulnerability, significantly broadening the attack surface.

Geographically, exploitation has been observed globally, with no specific targeting of countries or regions. However, organizations with large, distributed SharePoint deployments and those lacking robust patch management processes are at heightened risk. The opportunistic nature of the attacks suggests that any vulnerable instance is a potential target, regardless of industry or size.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by CVE-2026-45659. Organizations must apply the latest security updates from Microsoft for all affected SharePoint Server versions, including SharePoint Enterprise Server 2016 (versions prior to 16.0.5552.1002), SharePoint Server 2019 (versions prior to 16.0.10417.20128), and SharePoint Server Subscription Edition (versions prior to 16.0.19725.20280).
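To turn the fixed builds above into a patch-status check, here is an added example (not part of this advisory) that compares inventoried SharePoint builds against them. The hostnames, the inventory and the "SE" label for Subscription Edition are this example's own assumptions; on a farm, the installed build is what `(Get-SPFarm).BuildVersion` reports.

```python
"""Triage SharePoint build numbers against the fixed builds named in the
advisory's Mitigation section. Added example; not part of the advisory."""
from typing import NamedTuple

# Fixed builds taken from the advisory text.
FIXED_BUILDS = {
    "2016": "16.0.5552.1002",
    "2019": "16.0.10417.20128",
    "SE": "16.0.19725.20280",   # Subscription Edition ("SE" is this example's label)
}

class Host(NamedTuple):
    name: str
    edition: str  # "2016", "2019" or "SE"
    build: str

def parse_build(build: str) -> tuple:
    """Turn '16.0.10417.20128' into (16, 0, 10417, 20128).

    Compare as tuples of ints, never as strings: as strings,
    '16.0.5552.1002' > '16.0.10417.20128' because '5' > '1'.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(edition: str, build: str) -> bool:
    """True when the installed build is below the fixed build for its edition."""
    if edition not in FIXED_BUILDS:
        raise ValueError(f"unknown edition: {edition!r}")
    return parse_build(build) < parse_build(FIXED_BUILDS[edition])

def triage(hosts) -> list:
    """Names of hosts that still need the CVE-2026-45659 update."""
    return [h.name for h in hosts if is_vulnerable(h.edition, h.build)]

# Constructed inventory: hypothetical hostnames and builds.
SAMPLE_INVENTORY = [
    Host("sp2016-01", "2016", "16.0.5500.1001"),    # below the fix
    Host("sp2016-02", "2016", "16.0.5552.1002"),    # exactly the fixed build
    Host("sp2019-01", "2019", "16.0.10417.20127"),  # one revision short
    Host("sp-se-01", "SE", "16.0.19800.20000"),     # later than the fix
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: CVE-2026-45659 update required")
```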

In addition to patching, organizations should conduct a thorough audit of SharePoint user accounts and permissions, focusing on users with Site Member or higher access. Monitoring for indicators of compromise is critical; this includes detecting the use of remote access tools, the creation of new administrator accounts, and unusual network traffic originating from SharePoint servers.
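As an added example of the monitoring described above (not code from this advisory), the following correlates constructed Windows Security events to flag a newly created account that becomes a local administrator on a SharePoint server, and a process launch matching a remote-access tool from the list in the technical analysis. The event IDs are standard Windows auditing; the executable names, hostnames and event records are assumptions made for the example.

```python
"""Correlate Windows Security events for two post-exploitation signs named in
the advisory: a new account made a local administrator on a SharePoint server,
and a remote-access tool launched there. Added example with constructed events."""

# Well-known Windows Security event IDs (standard Windows auditing, not page-specific).
USER_CREATED = 4720          # A user account was created
ADDED_TO_LOCAL_GROUP = 4732  # A member was added to a security-enabled local group
PROCESS_CREATED = 4688       # A new process has been created

# Hypothetical executable names for tools the advisory lists; a hunting starting
# point, not a definitive list.
REMOTE_ACCESS_TOOLS = {"velociraptor.exe", "cloudflared.exe"}

def find_new_admins(events, sharepoint_hosts, window_s=600):
    """(host, account) pairs where an account was created and then added to
    Administrators within window_s seconds on a SharePoint host."""
    created = {}  # (host, account) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] not in sharepoint_hosts:
            continue
        key = (ev["host"], ev.get("target"))
        if ev["id"] == USER_CREATED:
            created[key] = ev["ts"]
        elif (ev["id"] == ADDED_TO_LOCAL_GROUP and ev.get("group") == "Administrators"
              and key in created and ev["ts"] - created[key] <= window_s):
            hits.append(key)
    return hits

def find_remote_access_tools(events, sharepoint_hosts):
    """Sorted SharePoint hosts where a process-creation event names a listed tool."""
    hosts = set()
    for ev in events:
        if ev["host"] in sharepoint_hosts and ev["id"] == PROCESS_CREATED:
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ACCESS_TOOLS:
                hosts.add(ev["host"])
    return sorted(hosts)

# Constructed sample events (ts = seconds; hostnames and account names are made up).
SHAREPOINT_HOSTS = {"sp2019-01", "sp2016-01"}
SAMPLE_EVENTS = [
    {"ts": 100, "host": "sp2019-01", "id": 4720, "target": "svc_backup2"},
    {"ts": 160, "host": "sp2019-01", "id": 4732, "target": "svc_backup2", "group": "Administrators"},
    {"ts": 200, "host": "sp2019-01", "id": 4688, "image": r"C:\ProgramData\cloudflared.exe"},
    {"ts": 300, "host": "hr-laptop-7", "id": 4720, "target": "jdoe"},   # not a SharePoint host
    {"ts": 5000, "host": "sp2016-01", "id": 4732, "target": "tmp", "group": "Administrators"},  # no 4720 seen
]
```

The time window keeps an account created long before the group change from firing; tune it to how quickly account provisioning normally completes in your environment.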

Incident response teams should follow CISA’s Forensics Triage Requirements and prioritize containment, eradication, and recovery if compromise is suspected. Enhanced logging, network segmentation, and the implementation of least privilege principles can further reduce the attack surface. Regular security awareness training and phishing simulations can help prevent initial credential compromise.

References

NVD - CVE-2026-45659: https://nvd.nist.gov/vuln/detail/CVE-2026-45659
Microsoft Security Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45659
The Hacker News Article: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
Reddit Community Alert: https://www.reddit.com/r/u_socradario/comments/1ulg36h/heads_up_sharepoint_rce_cve202645659_just_hit/
CISA Forensics Triage Requirements: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45659

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, prioritize remediation, and enhance overall cyber resilience. For more information about our solutions or to discuss your organization’s security needs, we are happy to answer questions at info@rescana.com.