CISA Forces 3-Day Patch on CVE-2026-45659 After Confirming Active SharePoint RCE Exploitation
CISA’s addition of CVE-2026-45659 to the KEV catalog confirms ongoing exploitation of a low-privilege SharePoint deserialization flaw. The move highlights recurring targeting of Microsoft collaboration platforms and exposes gaps in pre-KEV detection. Federal three-day patching mandates will test enterprise change management across legacy deployments.
Microsoft issued an out-of-band patch in late May for the high-severity deserialization vulnerability, which permits authenticated attackers holding only Site Member permissions to achieve remote code execution. The flaw affects core collaboration infrastructure used for document workflows and internal portals. CISA provided no indicators of compromise or attacker infrastructure details; the KEV listing is the first public confirmation of in-the-wild activity.
Procurement records and prior CISA KEV entries show a recurring pattern of SharePoint targeting, with similar deserialization and elevation issues added in March and April 2024. The absence of independent technical reporting before the KEV listing suggests either limited visibility into enterprise environments or delayed disclosure by affected organizations. Microsoft’s advisory notes the attack requires no special system knowledge, lowering the barrier for both state and criminal operators.
SharePoint’s position as the default document repository in defense, finance, and critical infrastructure creates persistent exposure windows between patch release and deployment. Out-of-band updates historically correlate with observed exploitation campaigns that predate public acknowledgment by weeks. Agencies and contractors maintaining legacy 2016 instances face compressed timelines that are often shorter than standard change-control processes allow.
Unpatched servers will remain high-value targets for initial access brokers seeking to harvest credentials and internal mapping data. Organizations should prioritize inventory of exposed SharePoint farms against the KEV deadline and monitor for post-exploitation persistence mechanisms common in prior Microsoft collaboration server incidents.
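The following Python example is an addition to this article, not code from CISA or Microsoft. It shows one way to check a farm inventory against the KEV due date and flag farms whose next approved change window falls after it. The feed excerpt follows the field names of CISA's KEV JSON feed, but its dates, the inventory, and the inventory field names are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed; the dates are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft", "product": "SharePoint",
  "dateAdded": "2026-06-01", "dueDate": "2026-06-04"}]}""")

# Constructed inventory; field names are hypothetical, adapt them to your CMDB export.
INVENTORY = [
    {"farm": "portal-ext", "internet_facing": True, "patched": False, "next_change_window": "2026-06-03"},
    {"farm": "legacy-docs", "internet_facing": True, "patched": False, "next_change_window": "2026-06-15"},
    {"farm": "hr-intranet", "internet_facing": False, "patched": True, "next_change_window": None},
    {"farm": "eng-wiki", "internet_facing": False, "patched": False, "next_change_window": None},
]

def kev_due_date(feed, cve_id):
    """Return the remediation due date the KEV feed lists for cve_id."""
    for entry in feed["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return date.fromisoformat(entry["dueDate"])
    raise KeyError(f"{cve_id} not in KEV feed")

def triage(feed, cve_id, inventory, today):
    """List unpatched farms as (name, status, internet_facing), most urgent first."""
    due = kev_due_date(feed, cve_id)
    rows = []
    for farm in inventory:
        if farm["patched"]:
            continue
        window = farm["next_change_window"]
        if today > due:
            status = "OVERDUE"
        elif window is None or date.fromisoformat(window) > due:
            # The regular change process cannot meet the deadline.
            status = "NEEDS_EMERGENCY_CHANGE"
        else:
            status = "ON_TRACK"
        rows.append((farm["farm"], status, farm["internet_facing"]))
    rank = {"OVERDUE": 0, "NEEDS_EMERGENCY_CHANGE": 1, "ON_TRACK": 2}
    # Internet-facing farms sort first, then by urgency, then by name.
    rows.sort(key=lambda r: (not r[2], rank[r[1]], r[0]))
    return rows

if __name__ == "__main__":
    for name, status, exposed in triage(KEV_FEED, "CVE-2026-45659", INVENTORY, date(2026, 6, 2)):
        print(f"{name:12} {status:24} internet_facing={exposed}")
```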
CISA: At least 200 federal or contractor SharePoint instances will report exploitation attempts within 10 days of the KEV addition.
Sources (2)
- [1] CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [2] Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide)