Bg ShapeBg Shape
THREAT INTELLIGENCE

Microsoft SharePoint Server Vulnerability Actively Exploited

Affected Environment

Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. On-premises deployments are at risk; Microsoft 365 SharePoint Online is not affected.

Threat Overview

A high-severity remote code execution vulnerability in Microsoft SharePoint Server is being actively exploited in the wild. Tracked as CVE-2026-45659, the flaw stems from deserialization of untrusted data. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, and Federal Civilian Executive Branch agencies were required to apply fixes by 4 July 2026.

Exposure Timeline

Patched by Microsoft in May 2026 Patch Tuesday. Added to CISA KEV catalog 1 July 2026. Active exploitation confirmed in the wild; exact threat actor attribution and end goals are currently unknown. Microsoft has simultaneously disclosed two unrelated threat actors operating concurrently within the same compromised network environment, demonstrating the risk of delayed patching.

Attack Surface

Any authenticated user with a minimum of Site Member permissions on an on-premises SharePoint Server deployment. No administrative privileges are required, significantly broadening the potential attacker pool to any user with basic SharePoint access.

Technical Root Cause

CVE-2026-45659 (CVSS 8.8) - SharePoint Server contains a deserialization of untrusted data vulnerability. In a network-based attack, an authenticated attacker with Site Member permissions (PR:L) can leverage this to execute arbitrary code remotely on the SharePoint Server. Admin or elevated privileges are not required to trigger the vulnerability.

Exploitation Pathway

An authenticated attacker with minimum Site Member access sends a crafted network request to the SharePoint Server, exploiting the insecure deserialization to achieve remote code execution. Once initial access is established, observed post-exploitation activity has included deployment of remote access tooling, credential dumping, lateral movement, and ransomware staging.

Operational Impact

Successful exploitation allows full remote code execution on the SharePoint Server. Microsoft has documented concurrent attack activity where Storm-2603 deployed Warlock ransomware following SharePoint exploitation, using tools including Velociraptor, Cloudflare tunnelling, Zoho Assist, and SSH connections via Visual Studio Code. A vulnerable driver (NSecKrnl.sys) was used to tamper with endpoint security controls. A second simultaneous attacker in the same environment used DLL side-loading and custom backdoors, with lateral movement confirmed into a second organisation.

Strategic Impact

Risk is rated High across all organisation sizes in both government and commercial sectors. SharePoint Server is a core collaboration platform across enterprise and public sector environments. The low privilege requirement (Site Member) means a wide range of internal users or compromised accounts can trigger exploitation. Active exploitation confirmed; CISA KEV listing signals significant real-world risk.

Required Mitigation

Apply Microsoft's May 2026 Patch Tuesday updates immediately across all affected SharePoint Server versions. There are no available workarounds; patching is the only remediation. Prioritise testing and deployment within 24 to 48 hours given confirmed active exploitation.

Additionally: enforce the Principle of Least Privilege across all SharePoint accounts; disable or manage default vendor accounts; restrict administrator privileges to dedicated admin accounts; and conduct general computing activities from non-privileged accounts.

Incident Response Guidance

Deploy host-based intrusion detection and prevention solutions across SharePoint Server infrastructure. Monitor for suspicious process execution, unexpected file writes, unusual outbound connections, and new account creation on SharePoint hosts. Conduct user training on social engineering attacks including phishing and pre-texting. If exploitation is suspected, isolate affected systems immediately, preserve logs to an external platform, and initiate incident response procedures. Organisations without in-house SOC coverage should engage a managed detection and response provider immediately.

References

The Hacker News - SharePoint RCE CVE-2026-45659. Microsoft Security Blog - One Intrusion, Two Cyberattackers. CISA KEV Alert 2026-07-01. CVE Record: CVE-2026-45659.

Download the Full Report

Explore More of the Latest Threat Intelligence

Trusted by clients worldwide

Logo
Logo
Logo
Logo
Logo
Logo

Your 24/7 Security Partner

Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.

Awards Image
Awards Image
Awards Image
Awards Image
Awards Image
Awards Image