
CISA Warns of Microsoft SharePoint Server Code Execution Vulnerability Exploited in Attacks

Jul 02, 2026

CISA has added a newly disclosed Microsoft SharePoint Server vulnerability, tracked as CVE-2026-45659, to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaw is actively being exploited in real-world attacks.

The vulnerability is a deserialization of untrusted data issue (CWE-502) that allows an authenticated attacker to execute arbitrary code remotely over the network.

The flaw affects on-premises Microsoft SharePoint Server deployments. It poses a significant risk to enterprise environments that rely on SharePoint for collaboration and document management.

According to CISA, the vulnerability enables attackers with valid access to craft malicious serialized payloads that are processed by the SharePoint server, ultimately leading to remote code execution (RCE).

SharePoint Server RCE Vulnerability Exploited

This type of vulnerability is particularly dangerous because it can bypass traditional security controls when exploited through legitimate user contexts.

The agency added CVE-2026-45659 to the KEV catalog on July 1, 2026, with a remediation deadline of July 4, 2026, highlighting the urgency for federal agencies and organizations to address the issue immediately.

While there is currently no confirmed evidence linking the flaw to ransomware campaigns, active exploitation in the wild significantly elevates its risk profile.

CISA has instructed organizations to follow vendor-provided mitigation guidance and comply with Binding Operational Directive (BOD) 26-04, which emphasizes risk-based prioritization of security updates.

Organizations are also advised to assess internet exposure of affected SharePoint servers and apply patches or mitigations without delay.

Security experts note that deserialization vulnerabilities have historically been a common attack vector in enterprise applications.

In this case, an attacker could leverage stolen or low-privilege credentials to gain initial access and then escalate their impact by executing arbitrary code on the server.

For example, a compromised user account could be used to submit a malicious request that triggers the vulnerable deserialization process, allowing attackers to deploy web shells or establish persistent access.

CISA further recommends that organizations implement forensic triage procedures to detect potential compromise.

Indicators may include unusual SharePoint activity, unexpected process execution, or anomalous network traffic originating from SharePoint servers.
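One way to triage the "unexpected process execution" indicator, as an added example that is not from CISA or the original article: it flags processes started by the IIS worker process in constructed Sysmon-style process-creation records. The worker name `w3wp.exe`, the two child-process lists and the sample records are assumptions made for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: SharePoint requests are served by IIS worker processes (w3wp.exe).
WORKER = "w3wp.exe"
# Assumption: ASP.NET dynamic compilation makes these children routine.
EXPECTED = {"csc.exe", "cvtres.exe", "vbc.exe"}
# Assumption: shells and script hosts a web worker has no routine reason to start.
SUSPICIOUS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
              "wscript.exe", "rundll32.exe", "certutil.exe"}

# Constructed sample: Sysmon Event ID 1 style records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-07-02 09:14:03", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig"}
{"UtcTime": "2026-07-02 09:20:41", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"UtcTime": "2026-07-02 09:21:10", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"UtcTime": "2026-07-02 09:25:57", "ParentImage": "c:\\windows\\system32\\inetsrv\\W3WP.EXE", "Image": "C:\\Temp\\updater.exe", "CommandLine": "updater.exe"}
truncated record {"UtcTime":
"""

def exe_name(path):
    """Lower-cased file name of a Windows path ('' for a missing field)."""
    return PureWindowsPath(path or "").name.lower()

def triage(lines):
    """Return findings for processes started by the IIS worker process."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or damaged line: skip, do not abort the triage
        if not isinstance(event, dict) or exe_name(event.get("ParentImage")) != WORKER:
            continue
        child = exe_name(event.get("Image"))
        if child in EXPECTED:
            continue  # routine compiler activity, not reported
        findings.append({
            "time": event.get("UtcTime"),
            "child": child,
            "severity": "high" if child in SUSPICIOUS else "review",
            "command_line": event.get("CommandLine"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Children outside both lists are reported as `review` rather than dropped, so an unfamiliar binary started by the worker still reaches an analyst.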

The KEV catalog serves as a critical resource for defenders, providing a curated list of vulnerabilities known to be exploited in active attacks.

By prioritizing remediation of KEV-listed vulnerabilities such as CVE-2026-45659, organizations can significantly reduce their exposure to ongoing threat campaigns.

Given the short remediation window and active exploitation status, cybersecurity teams should treat this vulnerability as a high-priority patching requirement. Failure to act promptly could expose sensitive enterprise data and internal systems to compromise.


Source: CybersecurityNews.com
