Vulnerabilities | 4 min read | 2 July 2026

CISA Adds SharePoint Deserialization Flaw CVE-2026-45659 to Known Exploited Vulnerabilities Catalog

The high-severity remote code execution bug carries a CVSS score of 8.8. Federal agencies have three weeks to patch. Private-sector defenders should move faster.

Elena Fischer, Threat Intelligence Analyst

CISA added CVE-2026-45659, a critical Microsoft SharePoint Server deserialization vulnerability, to its Known Exploited Vulnerabilities catalog on Wednesday, confirming active exploitation in the wild.

What the Vulnerability Does

The flaw lives in SharePoint Server's handling of untrusted serialized data. An authenticated attacker who holds sufficient privileges can send a malformed request over the network and trigger remote code execution on the underlying server. No physical access is required, and no victim interaction is needed; the only precondition is that the attacker already holds valid credentials.

CVSS 8.8 is not the ceiling of severity — it is the floor of urgency. A score that high on a platform as widely deployed as SharePoint on-premises means the attack surface is enormous, and the cost of a successful hit is significant: full control of the server process, access to documents, credentials stored in config files, and a pivot point into broader Active Directory infrastructure.

Deserialization bugs in SharePoint are not new. They have a well-documented exploitation history. What makes this class of vulnerability particularly dangerous is how cleanly it chains with other techniques.

How Attackers Typically Chain These Flaws

Historically, operators exploiting SharePoint deserialization paths have paired them with ViewState abuse, IIS module implants, and web shell staging under directories like `_layouts` or `_vti_bin`. Earlier this year, a cluster of SharePoint bugs nicknamed ToolShell attracted exploitation from threat actors Microsoft tracks as Linen Typhoon, Violet Typhoon, and Storm-2603 — groups with China-nexus overlaps. Those actors specifically abused stolen MachineKey material to forge `__VIEWSTATE` payloads, letting them maintain persistent access even on servers that had received patches.

Defenders who patched but skipped MachineKey rotation discovered, the hard way, that patching alone was not enough.

Whether CVE-2026-45659 is being exploited by the same operational clusters is not yet confirmed. No threat intelligence vendor has published telemetry tying this CVE to a named intrusion set at the time of writing. Attribution claims circulating before that telemetry arrives should be treated as low confidence. What is confirmed is that CISA's KEV listing means real exploitation is happening somewhere, on real infrastructure, right now.

The Federal Deadline — and Why Private Sector Should Beat It

Under Binding Operational Directive 22-01, federal civilian executive branch agencies have three weeks from the KEV listing date to remediate. That deadline is a legal floor for the public sector. It should function as a ceiling for everyone else.

Three weeks is a long time for an attacker with a working exploit and a target list. The Verizon 2024 Data Breach Investigations Report found that exploitation of public-facing applications accounted for a significant share of initial access vectors in confirmed breaches, and organizations that delayed patching beyond two weeks faced materially higher breach rates. Speed is not optional here.

SharePoint Online is not affected by on-premises deserialization paths. However, organizations running hybrid configurations — where on-prem farms are federated with Entra ID or Microsoft 365 — inherit risk through the identity bridge. A compromised on-prem farm can become a launchpad into cloud resources if federation tokens are forged or service accounts are abused.

The Control That Failed: Patch Cadence and Post-Compromise Hygiene

The root failure pattern here is familiar. SharePoint Server is a complex, often under-resourced platform that many organizations treat as low-change infrastructure. Patch cycles slow down. Configuration hygiene drifts. Internet-facing deployments accumulate years of permissive egress rules and unchanged service account passwords. That environment is precisely what exploitation crews target.

The specific technical failure — deserialization of untrusted data leading to RCE — is a decades-old vulnerability class that OWASP lists in its Top 10. Microsoft has patched deserialization issues in SharePoint repeatedly. The fact that a new CVE in this class reaches a CVSS of 8.8 and achieves confirmed exploitation suggests that defenders are not treating SharePoint on-prem with the same urgency they apply to perimeter firewalls or endpoint detection. They should.

This is also where human behavior inside IT and security teams matters enormously. Awareness of the KEV catalog, understanding what "deserialization" actually means in operational terms, and knowing to rotate MachineKeys after patching — these are not purely technical skills. They require training, and teams that build structured security awareness programs are measurably faster at recognizing and responding to these signals when CISA publishes them.

What Defenders Should Do Right Now

There is no complex triage tree here. The actions are clear.

Patch every farm node. Apply the relevant Microsoft security update immediately and verify the build version on every node in the farm — not just the web front end you happen to have an RDP session into. Incomplete patching is worse than delayed patching because it creates a false sense of closure.

Rotate MachineKeys after patching. Restart IIS following the rotation. If the server was internet-facing at any point before patching, assume prior compromise and initiate an investigation before declaring victory.

Hunt for indicators of post-exploitation activity. Look for anomalous child processes spawned by `w3wp.exe`, unexpected `.aspx` files appearing under SharePoint layout directories, and outbound connections from SharePoint service accounts to infrastructure outside Microsoft's IP ranges. Web shells are quiet until they are not.

Constrain egress at the network layer. A SharePoint content server has no legitimate reason to initiate arbitrary outbound HTTPS connections to random external endpoints. If your firewall policy allows this, fix it now — not after the next incident.

Audit hybrid identity configurations. Organizations running federated on-prem and cloud environments should verify that a compromised on-prem farm cannot be used to forge tokens or escalate into cloud tenants. Review federation trust settings and conditional access policies today.

Expect Microsoft and third-party threat intelligence vendors to publish more detailed technical writeups in the coming days. When that telemetry arrives, re-evaluate your detection rules and hunting queries against it. Until then, the priority is simple: patch, rotate, hunt.
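The "patch, rotate, hunt" sequence above, written out as a single PowerShell runbook for an on-premises farm. This is an added example, not code from the article, from Microsoft, or from Train2Secure. It assumes: the farm runs in the "16" hive (SharePoint 2016, 2019 or Subscription Edition; 2013 uses "15"); `$PatchedBuild` is a placeholder you replace with the fixed build from Microsoft's advisory for CVE-2026-45659; WinRM is open from the node you run it on to every other farm node; the `Update-SPMachineKey` cmdlet is available in your SharePoint version; and "Audit Process Creation" (Security event 4688) is enabled on the nodes you hunt on.

```powershell
# Added example (not from the article, Microsoft or Train2Secure): a
# patch -> rotate -> hunt runbook for an on-prem SharePoint farm.
# Run in the SharePoint Management Shell as a farm administrator.
# Lines marked ASSUMED are assumptions; PLACEHOLDER values must be replaced.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ASSUMED/PLACEHOLDER: the build that carries the fix for CVE-2026-45659.
# Take the real value from the Microsoft advisory for your SharePoint version.
$PatchedBuild = [Version]'16.0.0.0'

# ASSUMED: the "16" hive (SharePoint 2016/2019/Subscription Edition).
$Hive = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16"

# ---- 1. Patch: check every farm node, not just the one you are logged into.
function Get-FarmPatchStatus {
    param([Version]$RequiredBuild)
    $dll = "$Hive\ISAPI\Microsoft.SharePoint.dll"
    # Database servers appear in Get-SPServer with Role 'Invalid'; skip them.
    foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
        # Read the core assembly's file version on each node over WinRM.
        $ver = Invoke-Command -ComputerName $server.Address -ArgumentList $dll -ScriptBlock {
            param($p) [Version](Get-Item $p).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Server  = $server.Address
            Role    = $server.Role
            Build   = $ver
            Patched = ($ver -ge $RequiredBuild)
        }
    }
}

# ---- 2. Rotate: new ASP.NET machine keys for every web application, then an
# IIS restart on every node so __VIEWSTATE forged with the old key stops validating.
function Invoke-MachineKeyRotation {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp   # ASSUMED: cmdlet present in this version
    }
    foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
        Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
    }
}

# ---- 3. Hunt: post-exploitation indicators on the local node.
function Find-RecentLayoutPages {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # LAYOUTS backs /_layouts; the per-web-app virtual directories under
    # inetpub cover _vti_bin and site-relative drops.
    $roots = @("$Hive\TEMPLATE\LAYOUTS",
               "$env:SystemDrive\inetpub\wwwroot\wss\VirtualDirectories")
    Get-ChildItem -Path $roots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Find-W3wpChildProcesses {
    param([int]$Hours = 24)
    # ASSUMED: Audit Process Creation is on, so 4688 carries ParentProcessName.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
        if ($parent -like '*\w3wp.exe') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Child   = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                Command = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
    }
}

function Find-ExternalW3wpConnections {
    $w3wp = (Get-Process -Name w3wp -ErrorAction SilentlyContinue).Id
    if (-not $w3wp) { return }
    # Flag anything outside RFC 1918 / loopback; review the survivors against
    # the Microsoft address ranges your farm is actually allowed to reach.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $w3wp -contains $_.OwningProcess -and
                       $_.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)' } |
        Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess
}

# ---- Run in order. Keys are rotated only once every node reports Patched.
$status = Get-FarmPatchStatus -RequiredBuild $PatchedBuild
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Patched }) {
    Write-Warning 'Unpatched nodes remain; finish patching before rotating keys.'
} else {
    Invoke-MachineKeyRotation
}
Find-RecentLayoutPages       | Format-Table -AutoSize
Find-W3wpChildProcesses      | Format-Table -AutoSize
Find-ExternalW3wpConnections | Format-Table -AutoSize
```

The patch check reads `Microsoft.SharePoint.dll` on each node rather than trusting `(Get-SPFarm).BuildVersion`, because the farm value is a single configuration-database number and cannot tell you that one web front end was skipped. Run the three hunt functions on every node, not only on the one that completed the rotation, and treat any hit as grounds for the investigation the article describes before declaring the farm clean.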

How your team can respond faster to CISA KEV alerts

  • Train IT and security staff to recognize KEV listings as immediate action triggers, not routine advisories — response time is the variable that determines outcomes.
  • Build patch verification workflows that cover every node in complex server farms, not just the most accessible systems.
  • Establish post-patch hygiene checklists — including credential rotation and threat hunting — so remediation is complete, not just nominal.

Train2Secure helps security and IT teams build the operational awareness needed to act on vulnerability intelligence before attackers capitalize on the delay.


Frequently asked questions

What is CVE-2026-45659 and why is it dangerous?

CVE-2026-45659 is a deserialization vulnerability in Microsoft SharePoint Server that allows an authenticated attacker with sufficient privileges to execute arbitrary code remotely. It carries a CVSS score of 8.8 and has been confirmed as actively exploited in the wild by CISA.

Does this vulnerability affect SharePoint Online?

No. The deserialization flaw only affects SharePoint Server on-premises deployments. However, organizations running hybrid configurations where on-prem farms are federated with Microsoft 365 or Entra ID may face indirect risk if the on-prem environment is compromised.

Why do defenders need to rotate MachineKeys after patching SharePoint?

Prior SharePoint exploitation campaigns — including those linked to the ToolShell activity cluster — used stolen MachineKey material to forge ViewState payloads and maintain persistent access even after patches were applied. Rotating MachineKeys and restarting IIS cuts off that persistence mechanism.

What is the patch deadline for federal agencies?

Under CISA Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate KEV-listed vulnerabilities within three weeks of the catalog listing date. Private-sector organizations should treat this as a maximum, not a target, given active exploitation.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
