Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a case of remote code execution arising from the deserialization of untrusted data. The issue
Analysis Summary
# Vulnerability: Microsoft Sharepoint Server Remote Code Execution (Deserialization)
## CVE Details
- **CVE ID:** CVE-2026-45659
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
- **Configurations:** Systems where authenticated users have at least **Site Member** permissions.
## Vulnerability Description
This high-severity flaw exists within Microsoft SharePoint Server's handling of serialized data. The application fails to properly validate or sanitize untrusted input during the deserialization process. An authenticated attacker can provide specially crafted serialized data which, when processed by the server, results in the execution of arbitrary code in the context of the SharePoint service.
## Exploitation
- **Status:** **Exploited in the wild.** Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026.
- **Complexity:** Low (Tagged as "Exploitation Less Likely" by Microsoft initially, but revised due to active use).
- **Attack Vector:** Network. The attacker must be authenticated but only requires minimal (Site Member) privileges.
## Impact
- **Confidentiality:** High (Complete access to server-side data)
- **Integrity:** High (Ability to modify files, web configurations, and system data)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Microsoft addressed this issue in the **May 2026** security updates.
- Ensure SharePoint Server instances are updated to the latest build released after May 2026.
- **Federal agencies (FCEB):** Required by CISA to apply fixes by **July 4, 2026**.
### Workarounds
- No specific technical workarounds (such as registry edits) are provided.
- Internal mitigation involves restricting "Site Member" permissions to only trusted users to reduce the internal attack surface.
## Detection
- **Indicators of Compromise:**
- Monitor for unusual network requests targeting SharePoint endpoints from accounts with Site Member privileges.
- Check for unexpected modifications to `web.config` or administrative probing (e.g., requests for `win.ini`).
- Monitor for lateral movement tools such as *Velociraptor*, unauthorized SSH connections, or the creation of new local administrator accounts.
- **Detection methods and tools:**
- Use EDR/XDR to flag the presence of the vulnerable driver `NSecKrnl.sys` often used by threat actors (e.g., Storm-2603) to tamper with security tools.
## References
- CISA KEV Catalog: [hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog]
- Microsoft Security Advisory (May 2026 Patch Tuesday)
- News Source: [hxxps://thehackernews[.]com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html]