On 1 July 2026, CISA added CVE-2026-45659, a remote code execution flaw in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalogue, citing active exploitation and setting a 4 July 2026 remediation due date for US federal civilian agencies. Microsoft had fixed the issue in its May 2026 security update and originally assessed exploitation as "Exploitation Less Likely." The KEV listing changes the operational priority: what looked like a routine May patch item is now an actively exploited SharePoint Server vulnerability. The flaw is scored CVSS 8.8 (High) and requires authentication with low privileges, not anonymous internet access.

What the flaw is

CVE-2026-45659 is a deserialisation-of-untrusted-data vulnerability, classified as CWE-502, in on-premises SharePoint Server. In outline, the server can be coerced into taking attacker-controlled serialised data and rebuilding it into objects without properly validating what those objects are, which can result in code execution on the server under the web application's process identity. NVD scores it 8.8 (High) with a network attack vector, low attack complexity, low privileges required and no user interaction. The specific vulnerable component, the object-handling chain that makes exploitation work, and the payload mechanics have not been publicly detailed, and this advisory does not reproduce them; the operational point for defenders is the outcome — server-side code execution — not a recipe.

It affects the supported on-premises editions that received the May 2026 update: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. This is an on-premises Server issue, and the fix is the relevant May 2026 security update.

The access bar is low, but not zero

The most important qualifier is the privilege requirement. This is not a pre-authentication bug: an attacker needs valid credentials. But the bar those credentials have to clear is low. Microsoft's advisory and secondary reporting describe the requirement as Site Member-level access, with no elevated administrative privileges needed, and Microsoft characterised the flaw as easy to exploit in the sense that an attacker does not need significant prior knowledge of the system to get repeatable results. Site Member is a standard contributor role that is often widely granted in enterprise SharePoint farms.

That is what makes the flaw relevant beyond administrators. Stolen, reused or over-permissioned low-privilege accounts become part of the threat model: a single such account — obtained through phishing, credential reuse, a guest invitation, or an over-permissioned partner — can be turned into code execution on a server that typically holds sensitive documents and sits at the centre of an organisation's collaboration and document-management environment. The attack vector is network-based, so exploitation can come from inside the corporate network or from an internet-exposed SharePoint front end, which makes externally reachable farms the priority. What it is not, by the published scoring, is an anonymous internet worm — the authentication requirement is a real brake on mass, unauthenticated exploitation.

When a low exploitability rating meets the KEV catalogue

The gap between Microsoft's original assessment and CISA's action is the story's throughline. Microsoft's advisory rated exploitation as less likely, a judgement that looked reasonable for an authenticated, post-patch deserialisation bug. CISA's KEV addition on 1 July, based on evidence of active exploitation, directly overrides that assessment — and it is a reminder that a CVSS number and a vendor exploitability rating describe potential, while a KEV listing describes reality. CISA has not disclosed how the vulnerability is being exploited, who is behind it, or what the end goals are, and no proof-of-concept has been published.

Two points of context are worth stating carefully, because it is easy to over-read them. First, SharePoint has been a recurring target: Microsoft patched a SharePoint zero-day in April 2026, and CISA warned of another SharePoint flaw being exploited in March. Second, some coverage has connected this flaw to Storm-2603, a threat actor Microsoft has tied to Warlock ransomware deployed against on-premises SharePoint. That association describes the kind of adversary that targets on-premises SharePoint generally; it is not a confirmed attribution for CVE-2026-45659 specifically, which CISA has left unattributed. The other detail that matters operationally is time: roughly 52 days passed between the mid-May fix and the July KEV listing, a long window in which unpatched, exposed servers were available to anyone who found the flaw first.

What to do

Because a patch already exists, remediation is about coverage, exposure and compromise review. First, verify that the May 2026 SharePoint security update is applied across every server in the farm. A single unpatched SharePoint server can undermine the farm's overall posture, so confirm build levels across front-end, application and other SharePoint roles rather than checking only the primary server. With CISA's 4 July due date and evidence of exploitation, treat this as an emergency change rather than routine patching.

  • Audit low-privilege access. Review who holds Site Member or higher roles across your sites, and pay particular attention to external or guest users granted Site Member — revoke or restrict what is not needed. The exploit's value to an attacker is exactly the low-privilege foothold, so shrinking that surface matters.

  • Reduce exposure. Where a SharePoint front end does not need to be reachable from the public internet, restrict it to trusted networks for the duration, and prioritise any internet-facing farm.

  • Hunt for post-authentication anomalies. Review SharePoint authentication activity, newly created or modified site members, unexpected application-pool or web-service behaviour, suspicious child processes spawned by SharePoint worker processes, unusual uploads or scripted requests to SharePoint endpoints, recent permission changes, and unexpected outbound connections from SharePoint servers. Because the initial access here is a legitimate-looking low-privilege login, behavioural review matters more than signature-based detection.

  • Use the authoritative sources for live indicators. Follow CISA's KEV entry and Microsoft's advisory for current guidance rather than second-hand indicator lists.

Key Takeaways

  • CVE-2026-45659 (CVSS 8.8, CWE-502) is a deserialisation-of-untrusted-data remote code execution flaw in on-premises Microsoft SharePoint Server (Subscription Edition, 2019, Enterprise Server 2016), fixed in Microsoft's May 2026 security update.

  • CISA added it to the KEV catalogue on 1 July 2026 citing active exploitation, with a 4 July federal remediation due date — overriding Microsoft's original "Exploitation Less Likely" rating.

  • It requires authentication but only low-privilege Site Member access — a standard contributor role often widely granted in enterprise farms — so a single low-privilege account can be turned into server-side code execution; it is network-based but not a pre-auth internet worm.

  • The exploiter and technique are unattributed by CISA (Storm-2603/Warlock is context about on-premises SharePoint threats, not a confirmed link to this CVE). Response: verify the May update across the whole farm as an emergency change, audit and tighten Site Member/guest access, reduce internet exposure, and hunt for post-authentication anomalies; don't wait for a public proof-of-concept.