Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
NEWS

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

CISA has added a high-severity Microsoft SharePoint Server remote code execution vulnerability to its Known Exploited Vulnerabilities catalog following...

Dylan H.

News Desk

July 2, 2026
5 min read

CISA Issues KEV Alert for SharePoint RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45659 — a high-severity remote code execution vulnerability in Microsoft SharePoint Server — to its Known Exploited Vulnerabilities (KEV) catalog. The addition follows confirmed evidence of active exploitation in the wild.

Federal agencies under CISA's authority are required to remediate KEV-listed vulnerabilities within mandated timeframes. All organizations running SharePoint Server should treat this as a critical patching priority.

AttributeValue
CVE IDCVE-2026-45659
CVSS v3.1 Score8.8 (High)
Vulnerability TypeRemote Code Execution
ProductMicrosoft SharePoint Server
Exploitation StatusActively exploited in the wild
CISA KEV AddedJuly 2026
Federal Patch DeadlinePer BOD 22-01 guidelines

Vulnerability Overview

CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server. The flaw allows an authenticated attacker — one who has obtained at minimum Site Member-level permissions — to execute arbitrary code on the underlying server.

SharePoint's CVSS 8.8 score reflects:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (authenticated user sufficient)
  • User Interaction: None
  • Scope: Changed (code execution on server, not just user context)

The authentication requirement lowers the barrier compared to unauthenticated flaws, but in practice, credentials are routinely obtained through phishing, credential stuffing, or prior breaches — making "requires authentication" a weak mitigating factor for many organizations.


Active Exploitation Confirmed

CISA's KEV addition confirms that threat actors are actively exploiting CVE-2026-45659 in real-world attacks. SharePoint Server is a high-value target due to:

  • Wide enterprise deployment — tens of thousands of organizations run on-premises SharePoint
  • Sensitive data concentration — SharePoint often hosts internal documents, HR data, legal files, and executive communications
  • Network positioning — SharePoint servers typically sit on internal networks with broad access to other systems
  • Credential harvesting opportunity — compromise of SharePoint can expose Active Directory–integrated credentials

Ransomware groups, nation-state actors, and financial threat actors have all historically targeted SharePoint vulnerabilities as initial access vectors.


Affected Products

Microsoft SharePoint Server is affected across versions. Check your deployment:

# Check SharePoint build version
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
(Get-SPFarm).BuildVersion

Consult the Microsoft Security Response Center advisory for the complete list of affected builds and corresponding KB articles.


Immediate Remediation Steps

1. Apply Microsoft Security Updates

Microsoft has released patches addressing CVE-2026-45659. Apply through:

Windows Update / WSUS:

# Force Windows Update check (run on SharePoint server)
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

Manual deployment:

  • Download the relevant Cumulative Update from the Microsoft Update Catalog
  • Apply to all SharePoint servers in the farm (front-end, application, batch, and search roles)
  • Run the SharePoint Products Configuration Wizard after patching

2. Prioritize Internet-Facing SharePoint

If your SharePoint environment is accessible from the internet (directly or via reverse proxy):

# Check for internet-facing alternate access mappings
Get-SPAlternateURL | Where-Object {$_.Zone -eq "Internet" -or $_.Zone -eq "Extranet"}

Consider temporarily restricting internet access until the patch is applied.

3. Review SharePoint Access Logs

# Enable verbose ULS logging if not already active
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose
 
# Review for anomalous POST requests to /_api/ or /_vti_bin/ endpoints
Get-SPLogEvent -StartTime (Get-Date).AddDays(-7) | 
  Where-Object {$_.Message -like "*POST*" -and $_.Message -like "*/_api/*"}

4. Enforce Least Privilege

Audit SharePoint permissions to ensure users have the minimum access necessary:

# List all users with Contribute or higher permissions
$web = Get-SPWeb "https://sharepoint.yourdomain.com"
$web.AllUsers | Where-Object {
  $web.Permissions | Where-Object {$_.Member.LoginName -eq $_.LoginName -and $_.PermissionMask -gt 1}
}

Detection Indicators

Monitor for these exploitation indicators:

  • Unusual outbound network connections originating from w3wp.exe (SharePoint IIS worker process)
  • New processes spawned by w3wp.exe (e.g., cmd.exe, powershell.exe, certutil.exe)
  • Unexpected files created in SharePoint hive directories (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\)
  • POST requests to SharePoint API endpoints (/_api/web/, /_vti_bin/) with anomalous payloads
  • SharePoint security event log entries with error codes 401/403 followed immediately by successful 200 responses

SIEM query example (Splunk):

index=windows source="WinEventLog:Security" EventCode=4688
  ParentImage="*w3wp.exe*" 
  (Image="*cmd.exe*" OR Image="*powershell.exe*" OR Image="*certutil.exe*")
| table _time, ComputerName, Image, CommandLine

CISA Binding Operational Directive Context

Under BOD 22-01, all U.S. federal civilian executive branch (FCEB) agencies must remediate KEV-listed vulnerabilities by the date specified in the catalog. For CVE-2026-45659, the typical remediation window is 21 days from KEV listing for high-severity actively exploited vulnerabilities.

Non-federal organizations should treat KEV listings as authoritative signals of real-world risk and prioritize patching accordingly.


Sources

  • The Hacker News — SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
  • CISA Known Exploited Vulnerabilities Catalog
  • Microsoft Security Response Center

Related Reading

  • CISA Orders Feds to Patch Actively Exploited Citrix Flaw
  • Critical Citrix NetScaler Memory Flaw Actively Exploited
  • F5 BIG-IP Vulnerability Reclassified as RCE Under Exploitation
#Vulnerability#CVE#Microsoft#SharePoint#RCE#CISA KEV#Active Exploitation#Patch Now

Related Articles

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across

Microsoft has released updates fixing CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in SharePoint Server that requires no specialized.

3 min read

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

A critical pre-authentication remote code execution flaw in Progress Kemp LoadMaster (CVE-2026-8037, CVSS 9.6) is under active exploitation attempts,...

3 min read

Hackers Now Exploit Critical F5 BIG-IP Flaw in Attacks

F5 has reclassified a BIG-IP APM vulnerability from denial-of-service to critical remote code execution, warning that attackers are actively exploiting...

6 min read
Back to all News