
CISA Adds SharePoint Deserialization RCE CVE-2026-45659 to KEV After In-Wild Exploitation
Active exploitation of CVE-2026-45659 in widely deployed SharePoint servers triggered CISA KEV listing, exposing a pattern of fast weaponization against collaboration infrastructure. The incident overlaps with Storm-2603 ransomware operations and multi-actor persistence techniques, underscoring gaps between patch availability and real-world abuse. Agencies face a compressed remediation window with broader implications for on-premises deployments.
The vulnerability permits any authenticated user with Site Member permissions to trigger remote code execution over the network without elevated privileges. Microsoft patched the flaw in May 2026 and assessed exploitation as less likely, yet CISA's action confirms observed attacks. Procurement records and job postings for SharePoint administrators show persistent on-premises deployments in critical infrastructure despite migration pressure.
Evidence trails from the related Microsoft incident response report link the pattern to Storm-2603 operations that began exploiting on-premises SharePoint servers in mid-2025. The actor combined the flaw with Velociraptor deployment, Cloudflare tunnels, and vulnerable driver abuse to maintain persistence while evading detection. Parallel unrelated actors in the same environment using DLL side-loading further complicate attribution, matching documented tactics in CISA alerts on multi-actor intrusions.
This reflects a recurring supply-chain risk: SharePoint's central role in enterprise collaboration makes deserialization flaws high-value targets for rapid weaponization. Official statements emphasize patching timelines while downplaying the 60-day gap between disclosure and confirmed exploitation observed here. Independent analysis of KEV entries shows similar SharePoint RCEs consistently added within weeks of patch release.
Federal agencies must now accelerate remediation before the July 4 deadline or face mandated reporting. Expect increased scanning for win.ini and web.config probes across exposed SharePoint instances, followed by lateral movement via new administrator accounts.
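The probe scanning anticipated above can be hunted for in IIS request logs. The following is an added example, not taken from the cited CISA or Microsoft material: the log lines, paths, parameter names and IP addresses are constructed, and it assumes probes surface as win.ini or web.config names in the request URI or query of IIS W3C logs that carry a #Fields header.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-06-26 10:01:02 GET /sites/hr/home.aspx - 198.51.100.7 200
2026-06-26 10:01:05 GET /sites/hr/web.config - 203.0.113.9 404
2026-06-26 10:01:06 GET /sites/hr/view.aspx file=..%2f..%2fwindows%2fwin.ini 203.0.113.9 200
2026-06-26 10:01:09 GET /sites/hr/view.aspx file=%252e%252e%252fWeb.Config 192.0.2.44 403
2026-06-26 10:02:00 POST /sites/hr/upload.aspx - 198.51.100.7 200
"""

# Match the two file names as whole path components, case-insensitively.
PROBE = re.compile(r"(?<![\w.-])(win\.ini|web\.config)(?![\w.-])", re.I)

def decode_fully(value, rounds=3):
    """Undo nested URL-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_probes(log_text):
    """Return {client_ip: [(file, status, raw_request), ...]} for probe hits."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        raw = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        m = PROBE.search(decode_fully(raw))
        if m:
            hits[row.get("c-ip", "?")].append((m.group(1).lower(), row.get("sc-status"), raw))
    return dict(hits)

if __name__ == "__main__":
    for ip, found in find_probes(SAMPLE_LOG).items():
        served = [f for f in found if f[1] == "200"]
        print(ip, len(found), "probe(s);", len(served), "answered 200 (triage first)")
        for name, status, raw in found:
            print("   ", status, name, raw)
```

A hit answered with status 200 deserves triage before the 403 and 404 noise, since it may mean the file content was actually returned.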
CISA: At least 25% of FCEB agencies will miss the July 4, 2026 patching deadline and report continued exposure by 15 July.
Sources (2)
- [1] CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [2] Microsoft Incident Response: Overlapping Threat Activity (https://www.microsoft.com/security/blog/2026/06/25/overlapping-threat-activity-sharepoint/)