← Back to blog
Blog Detail

Any Employee Can Hack Your SharePoint. CVE-2026-45659 Is Now Actively Exploited — CISA KEV Deadline: July 4.

CVE-2026-45659 lets any authenticated user with basic Site Member permissions execute arbitrary code on SharePoint servers. Microsoft rated exploitation as "less likely" in May. CISA confirmed active exploitation on July 1 with a 72-hour patch deadline. Over 10,000 servers remain exposed. Don't wait for the advisory to change — verify your posture before attackers do.

Trusteed Team
Trusteed Editorial
Written On
Jul 3, 2026
Category
Cloud
Read Time
11 min read
  • CVE-2026-45659
  • SharePoint
  • Remote Code Execution
  • CISA KEV
  • Active Exploitation
  • Ransomware
  • Patch Management

Any Employee Can Hack Your SharePoint. CVE-2026-45659 Is Now Actively Exploited — CISA KEV Deadline: July 4.

Verify with Trusteed before attackers do. Keep your systems safe.

Microsoft said exploitation was "less likely." Yesterday, CISA added it to the Known Exploited Vulnerabilities catalog. The deadline for federal agencies to patch is July 4, 2026 — two days from now. Over 10,000 SharePoint servers are still exposed to the internet. And the only requirement for exploitation is a regular employee account.

CVE-2026-45659 is the kind of vulnerability that makes CISOs lose sleep. Not because it's technically novel — .NET deserialization flaws have been a known attack class for years. But because the exploitation barrier is absurdly low. Any authenticated user with basic Site Member permissions — the access level every employee gets by default — can execute arbitrary code on the SharePoint server. No admin privileges. No elevated permissions. No user interaction beyond the attacker's own login.

Microsoft patched it in May 2026. They rated it "Exploitation Less Likely." Five weeks later, CISA confirmed active exploitation in the wild and ordered all federal agencies to patch within 72 hours. Ransomware operators are already leveraging SharePoint vulnerabilities as initial access vectors — Storm-2603 has been deploying Warlock ransomware through compromised on-premises SharePoint servers since mid-2025.

The question every organization needs to answer right now — not next week, not at the next patch cycle — is: are our SharePoint servers patched, and can we prove it?


Why This CVE Matters More Than Most

SharePoint isn't just another web application. It's the operational backbone of enterprise collaboration — the place where organizations store their most sensitive documents, manage their internal workflows, and run their intranet portals. It's deeply integrated with Active Directory, Exchange, and OneDrive. A compromised SharePoint server doesn't just mean one system is breached. It means an attacker has a foothold in the center of your enterprise infrastructure with credentials, documents, and lateral movement paths to everything else.

The Low Barrier Problem

Most RCE vulnerabilities require elevated privileges, complex attack chains, or pre-authentication exploitation. CVE-2026-45659 requires none of that.

The attacker needs a valid SharePoint account with Site Member permissions. That's the default access level assigned to virtually every employee in organizations using SharePoint. It's the permission that lets you read documents, contribute to lists, and participate in collaboration workflows. In many environments, external contractors, partners, and consultants also have Site Member access.

Microsoft's advisory is explicit: "Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges." The attack complexity is Low. No user interaction is required. The attack vector is Network — it's remotely exploitable from the internet.

This means the threat model isn't limited to external attackers who somehow steal admin credentials. It includes every single user with a SharePoint login: phished employees, disgruntled insiders, compromised contractor accounts, credentials from old breaches being reused. The pool of potential attackers is as large as your user base.

The Deserialization Kill Chain

The technical mechanism is well-understood but devastating. SharePoint's .NET backend includes endpoints that deserialize data from incoming requests. CVE-2026-45659 exploits a path where untrusted serialized data is processed without adequate validation.

An attacker crafts a malicious serialized payload — typically using tools like ysoserial.NET to generate a .NET gadget chain — and submits it via an authenticated HTTP request to a vulnerable SharePoint endpoint. When SharePoint deserializes the payload, the gadget chain triggers, executing arbitrary code in the context of the SharePoint service account.

The SharePoint service account typically runs with elevated system privileges. Successful exploitation gives the attacker the ability to exfiltrate every document stored in SharePoint, including confidential contracts, financial data, intellectual property, and employee records. They can modify or destroy site content — wiping collaboration data or injecting malicious content. They can install web shells, backdoors, or persistence mechanisms in the SharePoint directory structure. They can harvest credentials and Active Directory tokens from the SharePoint server's memory and configuration. And they can pivot laterally to domain controllers, file servers, email systems, and other infrastructure connected to the SharePoint farm.

The Ransomware Connection

This isn't theoretical. Microsoft's own incident response teams have documented ransomware operators specifically targeting on-premises SharePoint servers as initial access vectors. Storm-2603, a threat actor tracked by Microsoft, has been deploying Warlock ransomware through compromised SharePoint since mid-2025 — exploiting known vulnerabilities in unpatched servers to establish footholds from which they deploy ransomware across enterprise networks.

In a recent investigation, Microsoft uncovered two unrelated threat groups operating simultaneously within the same compromised network, both using SharePoint vulnerabilities as their entry point. The overlap wasn't coordinated — it simply reflects how many attackers are independently targeting SharePoint as a high-value, frequently unpatched attack surface.

CISA's addition of CVE-2026-45659 to the KEV catalog on July 1, 2026, with a remediation deadline of July 4, confirms that active exploitation is happening right now. This is not a future risk. It's a present-tense emergency.


The Timeline That Should Worry You

Here's how fast this moved:

May 22, 2026 — Microsoft publishes CVE-2026-45659. Rates exploitation as "Less Likely." Patches released for SharePoint 2016, 2019, and Subscription Edition.

Late May–June 2026 — Government CERTs from Belgium, Singapore, Thailand, and Canada issue advisories urging immediate patching. Security media covers the vulnerability extensively. A Medium post titled "Microsoft just admitted any employee can hack your company's SharePoint" generates significant community engagement.

July 1, 2026 — CISA adds CVE-2026-45659 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Remediation deadline: July 4, 2026 — 72 hours.

Today — Shadowserver is tracking over 10,000 SharePoint servers still exposed to the internet. There is no public information on how many have been patched.

Five weeks between "exploitation less likely" and "actively exploited." Five weeks during which organizations that trusted the initial assessment and deprioritized the patch are now racing to remediate under a 72-hour deadline.

This is the verification gap in its most dangerous form. The advisory said one thing. Reality said another. The organizations that verified their exposure independently — rather than trusting severity assessments at face value — are already patched. The ones that didn't are scrambling.


What the Indicators of Compromise Look Like

If you haven't patched yet, you should be looking for these signs that exploitation may have already occurred.

On the network: unusual HTTP POST requests to SharePoint endpoints from authenticated low-privilege accounts, especially with large request bodies. Outbound connections from the SharePoint server to unknown external IPs or C2 infrastructure. Anomalous data transfers from the SharePoint server to external destinations.

In the logs: SharePoint ULS logs showing deserialization errors or unexpected object instantiation. IIS access logs with unusual request patterns or large POST bodies hitting SharePoint API endpoints. Authentication logs showing low-privilege accounts accessing administrative or sensitive endpoints they don't normally touch.

On the file system: unexpected files in the SharePoint installation directory or wwwroot — web shells (typically .aspx files), scripts, or executables that weren't part of the original deployment. New scheduled tasks or services created under the SharePoint service account context.

In process monitoring: the SharePoint application pool worker process (w3wp.exe) spawning unusual child processes — cmd.exe, powershell.exe, net.exe, curl.exe, or certutil.exe. Unexpected PowerShell execution with encoded or obfuscated commands originating from IIS worker processes. Any process behavior that suggests post-exploitation activity: credential dumping, network reconnaissance, or lateral movement tools.

If you find any of these indicators, treat it as a confirmed compromise. Isolate the SharePoint server immediately, engage your incident response process, and assume lateral movement has occurred.


Verify Before Attackers Do: The Trusteed Approach

CVE-2026-45659 perfectly illustrates why reactive patching based on vendor severity assessments isn't enough. Microsoft rated this "Exploitation Less Likely." Five weeks later, it's actively exploited and on the CISA KEV list. The organizations that are safe right now aren't the ones that read the advisory correctly — they're the ones that verified their exposure independently and patched anyway.

Trusteed is built for exactly this kind of scenario.

Find Every SharePoint Instance — Including the Ones You Forgot

Most enterprises know about their primary SharePoint farm. But what about the SharePoint 2016 server that a regional office is still running because migrating it was "on the roadmap"? The test instance that a developer set up for integration testing and never decommissioned? The SharePoint server at the subsidiary that was acquired two years ago and never fully integrated into the parent company's patch management process?

Trusteed's asset discovery continuously enumerates your internet-facing and cloud-connected infrastructure. Every SharePoint instance — production, staging, forgotten, or inherited — appears in a live inventory. When CVE-2026-45659 drops, you don't have to ask "do we run SharePoint?" and wait for someone to check a spreadsheet. You already know, and you know exactly which versions and builds are deployed.

Scan for CVE-2026-45659 With Exploitability Validation

Trusteed's vulnerability scanner identifies affected SharePoint versions across your environment and validates whether the deserialization endpoint is actually reachable and exploitable in your specific configuration. This goes beyond version checking — it evaluates whether compensating controls (network segmentation, WAF rules, authentication restrictions) reduce the actual risk.

The result: an evidence-backed assessment of which SharePoint instances are genuinely exploitable, prioritized by business context. A SharePoint farm holding HR documents and Active Directory integration is a different remediation priority than a test instance on an isolated network segment.

From Finding to Fix in Hours, Not Weeks

Every exploitable finding generates an auto-ticket in your existing workflow system — Jira, ServiceNow, or whatever your team uses — with the specific patch version required (16.0.5552.1002 for SharePoint 2016, 16.0.10417.20128 for 2019, 16.0.19725.20280 for Subscription Edition), step-by-step remediation guidance, and the evidence supporting the finding.

No context-switching between dashboards. No manual ticket creation. No ambiguity about what to do. The person responsible for patching gets everything they need in a single ticket.

Verify the Patch Actually Worked

This is the capability that separates verified security from assumed security. After your team applies the patch, Trusteed automatically re-scans the affected SharePoint instance to confirm the vulnerability is no longer exploitable. "Patched" becomes a verified fact — not a hope based on a Windows Update log entry.

For CVE-2026-45659, where the gap between "we think we're patched" and "we're actually patched" can mean the difference between a normal Thursday and a ransomware incident, verification isn't optional. It's essential.

Don't Wait for CISA to Tell You It's Exploited

The most important lesson from CVE-2026-45659 is timing. The patch was available on May 22. Active exploitation was confirmed on July 1. Organizations that patched in May are safe. Organizations that waited for "exploitation less likely" to become "exploitation confirmed" have lost five weeks they can never get back.

Trusteed's CTEM platform eliminates this timing gap. Continuous scanning detects new vulnerabilities the moment they're published and flagged in your environment. Exploitability-aware prioritization ensures critical flaws like CVE-2026-45659 surface at the top of your remediation queue — regardless of what the vendor's initial exploitation assessment says. And change-triggered rescanning catches any new SharePoint instances that deploy after the initial patch wave.

You shouldn't need CISA to tell you your SharePoint servers are being exploited. You should already know they're not — because you verified it.


The 72-Hour Question

CISA's BOD 26-04 gives federal agencies 72 hours to patch KEV-listed vulnerabilities. Whether or not you're a federal agency, ask yourself: if you learned right now that CVE-2026-45659 was being actively exploited against your industry, could you answer these questions within 72 hours?

How many SharePoint instances do we run, across all environments and subsidiaries? Which versions and builds are deployed on each one? Are any of them internet-facing? Have the May 2026 patches been applied to all of them? Can we prove the patches resolved the vulnerability — not just that they were installed? Are there indicators of compromise suggesting exploitation has already occurred?

If the answer to any of these is "I'm not sure," the gap between your assumptions and your actual security posture is where attackers operate.

Close the gap. Verify before they do.


Start verifying for free — discover your SharePoint instances, scan for CVE-2026-45659, and confirm your infrastructure is protected. Or talk to an expert to see how Trusteed keeps you ahead of actively exploited vulnerabilities.


This post was published on the Trusteed Blog. Trusteed helps organizations verify their security posture before attackers do — with continuous asset discovery, exploitability-aware vulnerability scanning, and automated remediation verification. Because "Exploitation Less Likely" can become "Actively Exploited" in five weeks.

Join Our Newsletter

Trusteed keeps you informed: emerging risks, platform updates, and practical guides for faster defense.