

CISA has added a new Microsoft SharePoint entry to its Known Exploited Vulnerabilities catalogue: CVE-2026-45659, a deserialization of untrusted data flaw that allows an authenticated attacker to execute code remotely over the network. The vulnerability affects Microsoft Office SharePoint and has been confirmed as actively exploited in the wild. Organisations running on-premises SharePoint deployments that have not yet applied the relevant patch are exposed to a threat that is no longer theoretical.
CISA's Known Exploited Vulnerabilities catalogue is maintained specifically for this purpose: to signal to federal agencies and the broader security community that a vulnerability has moved from disclosed to weaponised. The catalogue is not a list of vulnerabilities that might be exploited at some point. It is a list of vulnerabilities that are being exploited right now, by real threat actors, against real targets. When CISA adds a new entry, it triggers a mandatory 21-day patch deadline for US federal civilian agencies. For the private sector, it is a reliable indicator that the vulnerability should be treated as urgent regardless of the internal patch cycle.
CVE-2026-45659 is a deserialization vulnerability, a category that has produced some of the most impactful remote code execution flaws of the past decade. To understand why deserialization vulnerabilities are dangerous, it helps to understand what serialization is and what can go wrong when it runs in reverse.
Serialization is the process of converting an object in memory, with all its properties and methods, into a format that can be stored or transmitted, such as a byte stream or an XML document. Deserialization is the reverse: reading that stored or transmitted data and reconstructing the original object in memory. Applications use deserialization constantly, for caching, for inter-process communication, for processing uploaded files, and for handling data submitted through web interfaces.
The vulnerability emerges when an application deserializes data that comes from an untrusted source without first verifying that the data is safe. A carefully crafted serialized payload, one that does not represent a legitimate object but instead encodes instructions that the deserialization process will execute when it tries to reconstruct the object, can trigger arbitrary code execution at the privilege level of the process running the deserialization routine. In SharePoint's case, that process runs with substantial system privileges, which means a successful exploit gives the attacker code execution at a level that can affect the entire SharePoint installation and the underlying server.
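The permissive and hardened deserializer patterns described above, side by side, as an added example that is not SharePoint's code (SharePoint is .NET; Python's pickle stands in here because the mechanism, resolving whatever type or callable the untrusted stream names, is the same). The DocumentMetadata type and the allowlist are constructed for the illustration.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class DocumentMetadata:
    """A legitimate object the application expects to receive (constructed)."""
    title: str
    owner: str
    version: int


# Every (module, name) pair the deserializer may resolve. Anything else named
# in the byte stream is treated as hostile, not as data.
ALLOWED_GLOBALS = {(DocumentMetadata.__module__, "DocumentMetadata")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any class or callable outside the allowlist.

    A serialized stream can name arbitrary importable objects; a permissive
    deserializer resolves whatever is named, which is the first step of the
    code-execution path described above. Limiting name resolution to known
    data types closes that path.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def unsafe_loads(data: bytes):
    """Vulnerable pattern: reconstruct whatever the untrusted bytes describe."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened pattern: reconstruct only allowlisted types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both deserializers over a benign stream and a suspicious one."""
    expected = DocumentMetadata("Q3 budget", "finance", 4)
    benign = pickle.dumps(expected)
    # A stream that merely references a system function. The reference alone
    # is enough to show which deserializer resolves unknown names and which refuses.
    suspicious = pickle.dumps(os.system)
    out = {"benign_safe": safe_loads(benign) == expected}
    try:
        safe_loads(suspicious)
        out["suspicious_blocked"] = False
    except pickle.UnpicklingError:
        out["suspicious_blocked"] = True
    out["unsafe_resolves_reference"] = unsafe_loads(suspicious) is os.system
    return out
```

The same allowlisting idea applies to .NET serializers: bind the deserializer to the concrete types the endpoint expects rather than letting the stream choose them.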
The specific characteristic of CVE-2026-45659 that is worth noting is the authentication requirement. The advisory describes the attacker as "authorized," meaning they need valid credentials to reach the vulnerable endpoint. This is significant context. The vulnerability does not provide initial access to an unauthenticated internet attacker. It provides privilege escalation or lateral movement capability to an attacker who already has a foothold in the environment, whether through a compromised SharePoint account, a phished employee credential, or a prior intrusion into the network.
This distinction matters for prioritising the response, but it does not reduce the urgency. Authenticated SharePoint users are not rare. In organisations that use SharePoint as their primary document management and intranet platform, every employee with a computer may have a SharePoint account. The attack surface for CVE-2026-45659 is every authenticated user, not just administrators, and the confirmed exploitation in the wild means that threat actors have already found a reliable way to trigger the flaw from a position of legitimate but low-privileged access.
CVE-2026-45659 is not SharePoint's first serious vulnerability, and it will not be its last. SharePoint has been a recurring subject of high-severity disclosures for years, largely because its attack surface is substantial. It is a complex web application that handles file uploads, processes rich content, supports custom code execution through its web parts framework, and is deeply integrated with Active Directory and other Microsoft services. Each of those integration points is a potential vector for an attacker who can find a way to manipulate the data flows between them.
The ProxyShell vulnerabilities, disclosed in 2021, allowed unauthenticated remote code execution on Microsoft Exchange but shared underlying architectural characteristics with how SharePoint handles request routing and authentication pre-processing. The pattern of complex Microsoft server products producing critical RCE vulnerabilities in their request handling layers is well established, and CVE-2026-45659 continues it.
What has changed in the past two years is the speed at which vulnerabilities in this category move from disclosure to active exploitation. Where previous generations of enterprise software vulnerabilities might have given organisations weeks before the first exploitation attempts appeared in the wild, the current environment is characterised by exploitation beginning within days of a public disclosure, sometimes faster when a proof-of-concept is published or when the vulnerability is discovered independently by multiple parties. CISA's confirmation of active exploitation for CVE-2026-45659 is consistent with this pattern.
Ransomware operators and initial access brokers, the threat actors who specialise in compromising enterprise environments and selling that access to other criminal groups, monitor vulnerability disclosures closely and move quickly when a suitable target appears. SharePoint is a particularly attractive entry point for initial access brokers because a successful compromise gives them access to a platform where sensitive documents, internal communications, and integration tokens are routinely stored, all of which have value either directly or as stepping stones to deeper access.
The exposure profile for CVE-2026-45659 is concentrated in organisations running on-premises SharePoint deployments rather than Microsoft 365's SharePoint Online. Microsoft's cloud service operates on infrastructure managed and patched by Microsoft, and the company updates the service independently of the individual tenant's patch management cycle. Organisations using SharePoint Online as their primary document and intranet platform are not exposed to this vulnerability in the same way.
On-premises SharePoint deployments, by contrast, run on infrastructure that the organisation owns and manages. Patching requires deliberate action: downloading the update, testing it against the existing SharePoint configuration, and deploying it through a change management process that in many organisations takes weeks or months. This gap between disclosure and patch deployment is the window that active exploitation targets, and for vulnerabilities that require authenticated access, the window is particularly consequential because the threat actor who is already inside the network may have ample time to use the vulnerability before it is patched.
Organisations whose on-premises SharePoint is internet-facing, with sites published externally through a reverse proxy or web application firewall, have a larger exposure than those that restrict SharePoint to internal network access only. External-facing SharePoint dramatically expands the number of potential authenticated users who can reach the vulnerable endpoint, as any external user with a SharePoint account can attempt the exploit from the public internet without needing to be on the corporate network.
Microsoft has released a security update addressing CVE-2026-45659, and the advisory is available from the Microsoft Security Response Center. For organisations running affected versions of SharePoint, applying the update is the definitive remediation. The urgency created by CISA's KEV addition means that organisations with federal contracts or compliance obligations tied to CISA guidance are under a mandatory timeline. For the broader enterprise population, the confirmed active exploitation should carry the same urgency.
Organisations that cannot patch immediately for operational reasons, such as those running SharePoint in a high-availability configuration where maintenance windows are constrained or those with custom SharePoint solutions that require regression testing before a platform update can be applied, need to consider compensating controls for the interim period. Restricting SharePoint access to internal network addresses only, using network segmentation or perimeter firewall rules to prevent authenticated access from external IP addresses, reduces the exposure significantly without requiring an application change. This does not address the threat from an internal attacker or a compromised internal account, but it eliminates the external attack surface while the patch process is completed.
Monitoring SharePoint server logs for the specific request patterns associated with deserialization exploit attempts, and configuring the web application firewall to flag or block requests that carry the payload signatures associated with known deserialization attacks against SharePoint, provides detection capability in environments where patching cannot be completed immediately. These are interim measures, not replacements for the patch, but they reduce the probability of a successful exploitation during the delay.
When CISA confirms active exploitation, it means that some organisations have already been compromised through this vulnerability. The confirmed exploitation also means that functional exploit code is available to threat actors, whether through their own research or through the criminal market for exploits, which means the pool of potential attackers is not limited to those sophisticated enough to develop their own exploit from first principles.
For defenders, confirmed active exploitation changes the calculus from "when might this be used against us" to "are we already affected." Reviewing SharePoint server logs for unusual activity patterns in the weeks preceding the public disclosure is a meaningful investigation step. Attackers who exploit vulnerabilities early, before public awareness, often move slowly to avoid detection, and their initial activity may be subtle: a file accessed from an unusual account, an administrative action taken at an unexpected time, a new account created with unusual permissions.
The combination of a deserialization RCE vulnerability in a platform that stores sensitive documents and is integrated with Active Directory makes post-exploitation behaviour particularly varied and difficult to detect through any single monitoring approach. Identifying suspicious activity before it becomes a full incident in this scenario requires monitoring SharePoint audit logs, Windows event logs on the SharePoint server, and Active Directory events for privilege changes or new account creation, in combination rather than in isolation.
Organisations that have deployed endpoint detection and response tooling on their SharePoint servers have an additional detection layer: the process execution events that a successful deserialization exploit typically generates, specifically spawning of child processes from the IIS worker process or the SharePoint timer service, are distinctive and detectable by modern EDR products even if the specific exploit code has not been seen before. These behavioural detections are particularly valuable in the period immediately following a CISA KEV addition, when exploit code is evolving quickly and signature-based detection may lag behind the most current variants.
CVE-2026-45659 is a single vulnerability, but it reflects a broader pattern that organisations managing complex hybrid environments need to account for in their security architecture. Collaboration platforms, the tools that make modern organisations function, are precisely the tools that attackers find most valuable to compromise. They store the most sensitive conversations, the most critical documents, and the integration tokens that connect them to financial, HR, and operational systems.
The same organisational logic that makes SharePoint attractive as a productivity platform (centralised document storage, searchable content, integration with identity management, and access control tied to business roles) also makes it a high-value target for any attacker who has obtained authenticated access. A vulnerability that allows an authenticated user to escalate their privileges on that platform is worth more than an equivalent vulnerability in a more peripheral system because the data accessible from the post-exploitation position is more sensitive and more broadly connected.
This architectural reality, that the most productive tools are also the most attractive targets, is the argument for treating collaboration platform security as a first-tier priority rather than an ancillary concern. Patch management, access control review, audit log monitoring, and integration security for platforms like SharePoint, Exchange, Teams, and their non-Microsoft equivalents deserve the same structured attention that organisations apply to their network perimeter and endpoint security programmes.
CVE-2026-45659 is the current urgent item. The vulnerability that follows it will have different technical characteristics but the same underlying consequence: an attacker with initial access to the environment, whether through a phished credential, a brute-forced account, or an unrelated initial foothold, with a path to elevated access on the infrastructure that holds the organisation's most sensitive collaborative work. Patching now addresses the immediate risk. Building the monitoring and detection capability to surface exploitation attempts addresses the pattern.
CISA's Known Exploited Vulnerabilities catalogue was established to address a persistent problem in enterprise vulnerability management: organisations are routinely overwhelmed by the volume of disclosed vulnerabilities and struggle to prioritise which to patch first. The Common Vulnerability Scoring System provides a severity score for each vulnerability, but CVSS scores measure theoretical impact rather than actual exploitation activity. A vulnerability with a CVSS 10.0 that has never been exploited in the wild presents a different risk profile from a vulnerability with a CVSS 7.5 that is being actively used in ransomware campaigns.
The KEV catalogue addresses this by focusing on a single criterion: is the vulnerability being actively exploited right now? If yes, it enters the catalogue regardless of its CVSS score. For US federal civilian agencies, a KEV addition triggers a mandatory remediation deadline, typically 21 days for high-severity vulnerabilities in internet-facing systems. For the private sector, the catalogue is a reliable proxy signal for prioritisation: if CISA has confirmed active exploitation, the vulnerability has crossed the line from theoretical to operational risk.
CVE-2026-45659's addition to the KEV catalogue means that at the time of confirmation, CISA had evidence of real intrusions using this specific vulnerability. The evidence threshold for a KEV addition is not a single reported exploitation attempt. It requires credible evidence from government sources, security vendors, or incident responders that the vulnerability is being used in active attack campaigns. For organisations making patch prioritisation decisions, this confirmation should function as an immediate escalation trigger, moving CVE-2026-45659 to the front of the patch queue regardless of where it would have fallen based on CVSS score alone.
The practical timeline for responding to a KEV addition is constrained. Between the date of the advisory and the 21-day federal deadline, organisations need to identify all instances of affected SharePoint versions in their environment, test the available patch in a staging environment, coordinate maintenance windows with operational stakeholders, deploy the update to production systems, and verify successful patching. For organisations with large or geographically distributed SharePoint deployments, this timeline requires immediate initiation of the response process rather than queuing the work for the next scheduled patch cycle.
Organisations that use SharePoint in a hybrid configuration, with some servers on-premises and some content replicated to SharePoint Online, need to assess their exposure carefully. The cloud-hosted SharePoint Online component is patched by Microsoft and is not directly affected in the same way as the on-premises servers. However, hybrid configurations create authentication and data replication linkages between the two environments that an attacker who has compromised an on-premises server may be able to use as a pivot point into the cloud environment. A full assessment of the hybrid configuration's trust relationships is a necessary part of the response to CVE-2026-45659 for organisations using this deployment model.
For security teams conducting threat hunting in the period following the CVE-2026-45659 disclosure, the behavioural signatures most relevant to detecting exploitation of a deserialization vulnerability in SharePoint are concentrated in the process execution and network activity of the IIS worker process and SharePoint timer service on the affected server.
A successful deserialization exploit typically results in command execution in the context of the IIS application pool account or the SharePoint farm service account. Process creation events where IIS worker processes, identified as w3wp.exe in Windows event logs and EDR telemetry, spawn unexpected child processes such as cmd.exe, powershell.exe, or wscript.exe are high-fidelity indicators of exploitation. These parent-child process relationships are not characteristic of normal SharePoint operation and should be treated as confirmed exploitation indicators if observed on a SharePoint server in the period following the CVE disclosure.
Network connections initiated by the IIS worker process to external IP addresses or domains, particularly connections using protocols other than HTTP and HTTPS or to addresses that do not correspond to known SharePoint infrastructure, are a secondary indicator. Post-exploitation frameworks typically establish a command and control channel immediately after code execution, and that channel will be visible in network telemetry even if the exploitation event itself was not captured in application logs.
File system activity in directories outside the normal SharePoint installation path, particularly the creation of new executable files, scripts, or DLLs in temporary directories or the Windows system directory, is a third category of detection opportunity. Web shells, which provide persistent remote access through the SharePoint web interface, are a common post-exploitation persistence mechanism and appear as new ASPX files in the SharePoint web application directories. A file integrity monitoring solution configured to alert on new file creation in the SharePoint web root directories provides detection coverage for this specific persistence technique.
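The three indicator classes above (SharePoint processes spawning shells, the IIS worker reaching external non-web ports, and new ASPX files under the web root) expressed as triage rules over constructed Sysmon-style telemetry. This is an added example, not a vendor rule set; the process names (owstimer.exe for the timer service is assumed), the web-root path, the internal address ranges and the sample events are all assumptions to adjust to your own environment.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions, not advisory content: typical defaults, adjust to your environment.
SHAREPOINT_PARENTS = {"w3wp.exe", "owstimer.exe"}   # IIS worker, timer service
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\wss\\virtualdirectories\\",)
WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    rule: str
    severity: str
    event_id: int
    detail: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()   # bare executable name


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events: list[dict]) -> list[Finding]:
    """Apply the three behavioural rules to Sysmon-style telemetry records."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent, child = image_name(e["parent_image"]), image_name(e["image"])
            if parent in SHAREPOINT_PARENTS and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding("sharepoint_spawns_shell", "high", e["id"],
                                        f"{parent} -> {child}: {e['command_line']}"))
        elif e["type"] == "network_connect":
            proc = image_name(e["image"])
            if (proc in SHAREPOINT_PARENTS and is_external(e["dest_ip"])
                    and e["dest_port"] not in WEB_PORTS):
                findings.append(Finding("worker_outbound_non_web", "medium", e["id"],
                                        f"{proc} -> {e['dest_ip']}:{e['dest_port']}"))
        elif e["type"] == "file_create":
            target = e["target"].lower()
            if target.endswith(".aspx") and target.startswith(WEB_ROOTS):
                findings.append(Finding("new_aspx_in_web_root", "high", e["id"], e["target"]))
    return findings


W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"id": 1, "type": "process_create", "parent_image": W3WP,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "type": "network_connect", "image": W3WP, "dest_ip": "203.0.113.7", "dest_port": 4444},
    {"id": 3, "type": "network_connect", "image": W3WP, "dest_ip": "10.0.0.5", "dest_port": 1433},
    {"id": 4, "type": "file_create",
     "target": "C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\_layouts\\helper.aspx"},
    {"id": 5, "type": "file_create", "target": "C:\\Windows\\Temp\\upload.tmp"},
]
```

Events 3 and 5 are deliberate negatives (an internal database connection and a temp file outside the web root) so the rules can be checked for false positives as well as hits.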
Defendis monitors dark web forums, criminal marketplaces, and threat actor channels for early signals specific to your organisation: credential exposure, active campaigns targeting your sector, and indicators tied to your infrastructure. Book a demo to see what we see before it reaches you.