Microsoft SharePoint Flaw CVE-2026-45659 Added to CISA’s KEV Catalog
The Cybersecurity and Infrastructure Security Agency has added a newly identified vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-45659, to its Known Exploited Vulnerabilities Catalog.
The addition confirms active exploitation in the wild, signaling heightened risk for enterprises running on-premises SharePoint deployments and underscoring the urgency for immediate remediation across affected environments.
Vulnerability Details
CVE-2026-45659 falls under CWE-502, Deserialization of Untrusted Data, a flaw class that allows an authenticated attacker to execute arbitrary code over the network.
CISA reports that the vulnerability stems from improper handling of serialized objects in SharePoint Server, enabling attackers with valid credentials to inject malicious payloads during deserialization.
Successful exploitation can lead to remote code execution, enabling attackers to manipulate SharePoint content, move laterally across connected network segments, and establish a persistent foothold within compromised environments.
While no public evidence currently ties this vulnerability to ransomware operations, its inclusion in the KEV catalog confirms that exploitation is actively occurring against real-world targets.
CISA officially added CVE-2026-45659 to the KEV catalog on July 1, 2026, setting a remediation deadline of July 4, 2026, under Binding Operational Directive 26-04.
This directive requires federal civilian executive branch agencies to remediate cataloged vulnerabilities within strict, risk-based timeframes.
Organizations are urged to implement vendor-provided mitigations immediately and align with CISA’s Forensics Triage Guidelines, which support incident response and post-compromise analysis when exploitation is suspected in an affected environment.
Security researchers consistently flag deserialization vulnerabilities as a persistent and damaging attack vector, particularly in enterprise collaboration platforms like SharePoint, which store sensitive business data and integrate closely with identity infrastructure.
Attackers typically exploit these weaknesses by crafting specially constructed serialized objects that trigger unintended code execution paths when the application processes them.
Because exploiting this vulnerability requires authenticated access, threat actors likely combine it with credential theft, phishing campaigns, or previously compromised accounts to gain initial entry, then trigger the deserialization exploit and escalate privileges within the network.
Mitigations
CISA’s advisory urges organizations to identify all internet-facing SharePoint instances and prioritize patch deployment accordingly. Where mitigations are unavailable or cannot be applied promptly, agencies are advised to disable affected services temporarily to reduce their attack surface.
Organizations using cloud-hosted SharePoint services should follow the cloud-specific guidance outlined in BOD 26-04, ensuring vendor-side mitigations are properly verified and enforced.
Security teams are also encouraged to monitor SharePoint activity logs for anomalous behavior, review authentication logs for unauthorized access, and implement multi-factor authentication to reduce the risk of account compromise that could fuel this attack chain.
The inclusion of CVE-2026-45659 in the KEV catalog reinforces a growing trend of enterprise collaboration platforms becoming high-value targets in cyber intrusion campaigns.
SharePoint’s role as a central repository for business-critical data makes it attractive for exfiltration, lateral movement, and long-term persistence. Security teams should treat this disclosure as a call to action, prioritizing patching, strengthening access controls, and conducting proactive threat hunting against evolving exploitation techniques.
No Comment! Be the first one.