CISA Issues KEV Alert for SharePoint RCE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45659 — a high-severity remote code execution vulnerability in Microsoft SharePoint Server — to its Known Exploited Vulnerabilities (KEV) catalog. The addition follows confirmed evidence of active exploitation in the wild.
Federal agencies under CISA's authority are required to remediate KEV-listed vulnerabilities within mandated timeframes. All organizations running SharePoint Server should treat this as a critical patching priority.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-45659 |
| CVSS v3.1 Score | 8.8 (High) |
| Vulnerability Type | Remote Code Execution |
| Product | Microsoft SharePoint Server |
| Exploitation Status | Actively exploited in the wild |
| CISA KEV Added | July 2026 |
| Federal Patch Deadline | Per BOD 22-01 guidelines |
Vulnerability Overview
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server. The flaw allows an authenticated attacker — one who has obtained at minimum Site Member-level permissions — to execute arbitrary code on the underlying server.
SharePoint's CVSS 8.8 score reflects:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (authenticated user sufficient)
- User Interaction: None
- Scope: Changed (code execution on server, not just user context)
The authentication requirement lowers the barrier compared to unauthenticated flaws, but in practice, credentials are routinely obtained through phishing, credential stuffing, or prior breaches — making "requires authentication" a weak mitigating factor for many organizations.
Active Exploitation Confirmed
CISA's KEV addition confirms that threat actors are actively exploiting CVE-2026-45659 in real-world attacks. SharePoint Server is a high-value target due to:
- Wide enterprise deployment — tens of thousands of organizations run on-premises SharePoint
- Sensitive data concentration — SharePoint often hosts internal documents, HR data, legal files, and executive communications
- Network positioning — SharePoint servers typically sit on internal networks with broad access to other systems
- Credential harvesting opportunity — compromise of SharePoint can expose Active Directory–integrated credentials
Ransomware groups, nation-state actors, and financial threat actors have all historically targeted SharePoint vulnerabilities as initial access vectors.
Affected Products
Microsoft SharePoint Server is affected across versions. Check your deployment:
# Check SharePoint build version
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
(Get-SPFarm).BuildVersionConsult the Microsoft Security Response Center advisory for the complete list of affected builds and corresponding KB articles.
Immediate Remediation Steps
1. Apply Microsoft Security Updates
Microsoft has released patches addressing CVE-2026-45659. Apply through:
Windows Update / WSUS:
# Force Windows Update check (run on SharePoint server)
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -AcceptAll -Install -AutoRebootManual deployment:
- Download the relevant Cumulative Update from the Microsoft Update Catalog
- Apply to all SharePoint servers in the farm (front-end, application, batch, and search roles)
- Run the SharePoint Products Configuration Wizard after patching
2. Prioritize Internet-Facing SharePoint
If your SharePoint environment is accessible from the internet (directly or via reverse proxy):
# Check for internet-facing alternate access mappings
Get-SPAlternateURL | Where-Object {$_.Zone -eq "Internet" -or $_.Zone -eq "Extranet"}Consider temporarily restricting internet access until the patch is applied.
3. Review SharePoint Access Logs
# Enable verbose ULS logging if not already active
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose
# Review for anomalous POST requests to /_api/ or /_vti_bin/ endpoints
Get-SPLogEvent -StartTime (Get-Date).AddDays(-7) |
Where-Object {$_.Message -like "*POST*" -and $_.Message -like "*/_api/*"}4. Enforce Least Privilege
Audit SharePoint permissions to ensure users have the minimum access necessary:
# List all users with Contribute or higher permissions
$web = Get-SPWeb "https://sharepoint.yourdomain.com"
$web.AllUsers | Where-Object {
$web.Permissions | Where-Object {$_.Member.LoginName -eq $_.LoginName -and $_.PermissionMask -gt 1}
}Detection Indicators
Monitor for these exploitation indicators:
- Unusual outbound network connections originating from
w3wp.exe(SharePoint IIS worker process) - New processes spawned by
w3wp.exe(e.g.,cmd.exe,powershell.exe,certutil.exe) - Unexpected files created in SharePoint hive directories (
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\) - POST requests to SharePoint API endpoints (
/_api/web/,/_vti_bin/) with anomalous payloads - SharePoint security event log entries with error codes 401/403 followed immediately by successful 200 responses
SIEM query example (Splunk):
index=windows source="WinEventLog:Security" EventCode=4688
ParentImage="*w3wp.exe*"
(Image="*cmd.exe*" OR Image="*powershell.exe*" OR Image="*certutil.exe*")
| table _time, ComputerName, Image, CommandLine
CISA Binding Operational Directive Context
Under BOD 22-01, all U.S. federal civilian executive branch (FCEB) agencies must remediate KEV-listed vulnerabilities by the date specified in the catalog. For CVE-2026-45659, the typical remediation window is 21 days from KEV listing for high-severity actively exploited vulnerabilities.
Non-federal organizations should treat KEV listings as authoritative signals of real-world risk and prioritize patching accordingly.
Sources
- The Hacker News — SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
- CISA Known Exploited Vulnerabilities Catalog
- Microsoft Security Response Center