Microsoft quietly patched a SharePoint bug in May 2026 and told customers it was “less likely to be exploited.” Six weeks later, on July 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the same flaw to its Known Exploited Vulnerabilities catalog and gave federal agencies until July 4 to fix it. That reversal – from a low-priority footnote to a federally mandated emergency in under two months – is the story of CVE-2026-45659, and it is the clearest reminder yet that a patched SharePoint vulnerability is only as safe as the servers that actually install the update.
The flaw is a remote code execution (RCE) bug in on-premises SharePoint Server carrying a CVSS score of 8.8. It is not a zero-day – Microsoft shipped a fix in the May 2026 security updates. But active exploitation of the already-patched bug tells you exactly how many production SharePoint farms never applied it, and how attractive Microsoft’s collaboration platform remains to attackers a year after the catastrophic “ToolShell” campaign of July 2025.
Don't miss new tech stories on Google
Add Tech Insider once in the Google app and our stories appear in your news suggestions.
What Happened: A Patched SharePoint Vulnerability Turns Into an Active Exploit
The timeline is tight and damning. Microsoft documented and patched CVE-2026-45659 as part of its May 2026 security updates for SharePoint Server. At the time, the company assessed the flaw as “less likely to be exploited,” and there was no public proof-of-concept exploit code circulating. For most organizations, that severity signal is exactly the kind of thing that pushes a patch to the back of a long maintenance queue.
By late June and early July, that assessment had collapsed. According to SecurityWeek, CISA added the SharePoint vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 2, 2026, confirming that threat actors were already leveraging it against unpatched servers. Under the binding operational directive that governs the KEV catalog, federal civilian agencies were ordered to remediate the flaw by July 4 – an unusually compressed three-day window that reflects how seriously the agency views the risk.
The distinction matters: this is not a case of Microsoft being caught flat-footed by an unknown bug. The patch existed for six weeks before CISA sounded the alarm. What changed was not the code – it was the discovery that real intrusions were happening in the wild, and that a meaningful population of internet-facing SharePoint servers had never applied the May fix. In vulnerability-management terms, CVE-2026-45659 is a textbook “n-day” exploit: a known, fixed flaw weaponized against the long tail of organizations that lag on patching.
Inside CVE-2026-45659: How the SharePoint Vulnerability Works
CVE-2026-45659 is an RCE flaw rooted in the deserialization of untrusted data. In plain terms, SharePoint accepts serialized objects from a request and reconstructs them without adequately validating what it is rebuilding. A crafted payload can abuse that process to run attacker-controlled code inside the SharePoint worker process – the same class of bug that has haunted .NET applications, Java middleware, and enterprise web platforms for the better part of a decade.
The affected products are all on-premises editions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Crucially, SharePoint Online – the cloud service bundled with Microsoft 365 – is not affected, because Microsoft patches and operates that infrastructure directly. The bug is a problem for organizations that still run their own SharePoint farms, which skews heavily toward government, healthcare, manufacturing, legal, and financial institutions with data-residency or legacy-integration reasons to keep collaboration on-premises.
Why “Authenticated” Doesn’t Mean “Safe”
On paper, CVE-2026-45659 has a mitigating factor: exploitation requires authentication. An attacker needs at least “Site Member” permissions (the vector is scored PR:L, low privileges required) to trigger it, and no elevated or administrative rights are necessary. That sounds reassuring until you consider how low the bar actually is. Site Member is a routine, widely granted role – the kind of access handed to contractors, partners, and rank-and-file employees across thousands of sites.
Microsoft’s own advisory is blunt about the ease of exploitation. In its security update guide, the company notes that “the attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.” Combine low complexity, low privilege, and no user interaction, and any leaked, phished, or brute-forced SharePoint credential becomes a launchpad for full server compromise. In an era of ubiquitous credential theft, “authenticated” is a speed bump, not a wall.
CVE-2026-45659 at a Glance
The table below consolidates the confirmed technical details of the SharePoint vulnerability, drawn from Microsoft’s advisory, the National Vulnerability Database, and CISA’s KEV listing.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-45659 |
| Vulnerability type | Remote code execution via deserialization of untrusted data |
| CVSS score | 8.8 (High) |
| Attack vector | Network, low complexity (AC:L), low privileges (PR:L), no user interaction |
| Affected products | SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Enterprise Server 2016 (on-premises only) |
| Not affected | SharePoint Online (Microsoft 365) |
| Patch released | May 2026 security updates |
| Added to CISA KEV | July 1, 2026 |
| Federal remediation deadline | July 4, 2026 |
| Exploitation status | Active exploitation confirmed in the wild |
The “Less Likely to Be Exploited” Problem
The most instructive part of this story is not the bug itself but Microsoft’s original risk rating. The company’s Exploitability Index labeled CVE-2026-45659 as “less likely to be exploited” when the May patch shipped – a signal many enterprises treat as permission to deprioritize. That prediction was wrong, and it was wrong fast.
This is a recurring blind spot in vulnerability management. Severity ratings and exploit-likelihood forecasts are educated guesses made at a single point in time, before researchers, criminals, and nation-state teams have had a chance to reverse-engineer the patch. A “less likely” rating on a deserialization RCE in a platform as heavily targeted as SharePoint was always a fragile bet. The moment a fix ships, skilled adversaries can diff the patched binaries against the vulnerable ones to reconstruct the flaw – a technique that turns Microsoft’s own update into an exploitation roadmap.
There is a compounding wrinkle. As Help Net Security reported, the CVE was initially omitted from the documentation accompanying the May 2026 security updates even though those updates addressed it. A quietly shipped fix, an under-communicated advisory, and a reassuring severity label combined to keep this SharePoint flaw off many defenders’ radar – until CISA’s KEV listing made ignoring it a compliance failure. The lesson for security teams is stark: exploit-likelihood ratings are a planning input, not a patching exemption.
CISA’s KEV Listing and the July 4 Federal Deadline
CISA’s Known Exploited Vulnerabilities catalog is the single most authoritative public signal that a flaw has crossed from theoretical to actively abused. A CVE only earns a place on the list when there is reliable evidence of exploitation in the wild, which is why security teams far beyond the federal government use it as a prioritization backbone. When CVE-2026-45659 landed on the KEV catalog on July 2, 2026, it instantly jumped to the top of every mature patch queue.
For U.S. federal civilian agencies, the listing is not advisory. The binding operational directive covering the KEV catalog requires them to remediate listed vulnerabilities by a hard deadline – here, July 2, 2026, just three days after the entry. That compressed timeline is notable. Many KEV entries carry three-week remediation windows; a three-day clock signals that CISA considered the SharePoint exploit an acute, spreading threat rather than a slow burn.
The private sector inherits the same urgency without the legal mandate. Any organization running an internet-reachable SharePoint farm should treat the KEV listing as the equivalent of a fire alarm. This is the same escalation path that made headlines when a fresh CitrixBleed flaw hit NetScaler appliances within 24 hours of disclosure – enterprise infrastructure with a large internet footprint gets attacked at machine speed, and the gap between “patch available” and “patch applied” is where breaches live.
Echoes of ToolShell: The 2025 SharePoint Catastrophe
To understand why CVE-2026-45659 is setting off alarms, you have to look back at July 2025 and the “ToolShell” campaign – the most damaging SharePoint incident in the platform’s history. ToolShell was not a single bug but a chain of four vulnerabilities that attackers stitched together to achieve unauthenticated remote code execution against on-premises SharePoint. According to Palo Alto Networks’ Unit 42, exploitation attempts began on June 2026, at 06:58 UTC and rapidly escalated after public proof-of-concept code appeared.
| CVE | Type | CVSS | Role in campaign |
|---|---|---|---|
| CVE-2025-49704 | Code injection | 8.8 | Initial exploit chain (patched July 8, 2025) |
| CVE-2025-49706 | Improper authentication / spoofing | 6.5 | Auth bypass paired with 49704 |
| CVE-2025-53770 | Deserialization of untrusted data | 9.8 | Zero-day RCE bypassing the initial patch |
| CVE-2025-53771 | Path traversal / spoofing | 6.5 | Chained with 53770 for full compromise |
| CVE-2026-45659 | Deserialization of untrusted data | 8.8 | 2026 n-day RCE, authenticated |
What the ToolShell Attackers Did
ToolShell was devastating because of what the attackers stole once inside. Rather than simply dropping web shells, the operators exfiltrated SharePoint’s ASP.NET machine keys – the cryptographic secrets used to sign and validate server-side tokens. With those keys in hand, an attacker can forge authentication material and maintain persistent, hard-to-detect access even after the underlying software is patched. Unit 42 tracked one cluster as CL-CRI-1040, with moderate-confidence overlap to a group Microsoft calls Storm-2603, which deployed ransomware in some intrusions.
Microsoft attributed the broader 2025 campaign to China-nexus actors it names Linen Typhoon and Violet Typhoon, alongside Storm-2603. Security vendor Imperva reported more than 60,000 exploitation attempts in a single day at the campaign’s peak, with over half aimed at U.S. targets. The wave forced Microsoft to ship emergency out-of-band patches and left a trail of compromised servers across government and enterprise networks. That is the shadow CVE-2026-45659 now steps into: any active SharePoint exploit in 2026 is read through the memory of how quickly ToolShell metastasized.
Why On-Premises SharePoint Keeps Getting Hit
SharePoint is a uniquely attractive target, and the reasons are structural. First, it is enormous: SharePoint underpins document management, intranets, and collaboration for a large share of the Fortune 500 and thousands of public-sector bodies. A single vulnerable server can expose an organization’s most sensitive internal documents. Second, on-premises SharePoint is a sprawling, aging codebase with deep .NET internals, a rich attack surface, and a long history of deserialization flaws – the exact bug class behind both ToolShell and CVE-2026-45659.
Third, and most damaging, on-premises SharePoint patches on the customer’s schedule, not Microsoft’s. Where SharePoint Online is silently updated by Microsoft, self-hosted farms depend on internal teams to test and deploy every fix. SharePoint upgrades are notoriously fragile – they touch authentication, custom solutions, and integrations that enterprises are terrified to break – so patching lags. That lag is precisely the window attackers exploit. CVE-2026-45659 is not dangerous because the fix is hard to obtain; it is dangerous because so many servers will run unpatched for weeks or months.
The pattern mirrors what defenders have seen across enterprise edge software in 2026, from firewalls to identity gateways. When a critical bug cracked tens of thousands of Fortinet firewalls earlier this year, the root cause was the same: high-value, internet-exposed infrastructure that patches slowly. SharePoint sits squarely in that category.
Market Impact: Patch Fatigue and the On-Prem Reckoning
CVE-2026-45659 lands in the middle of an unprecedented patching burden. Microsoft’s June 2026 Patch Tuesday was the largest in the program’s history, addressing roughly 200 vulnerabilities – including six zero-days – and shattering the previous record, according to BleepingComputer. When a security team is triaging 200 fixes a month, a single SharePoint bug rated “less likely to be exploited” is exactly what falls through the cracks. Patch fatigue is no longer a soft concern; it is the operating condition of modern IT, and attackers plan around it.
The business impact is twofold. In the short term, every incident of this kind accelerates the migration off self-hosted SharePoint toward SharePoint Online and Microsoft 365, where Microsoft shoulders the patch burden. Each ToolShell and each CVE-2026-45659 is, in effect, a marketing event for the cloud. In the longer term, the flaws harden the case that on-premises collaboration is a legacy liability for organizations without a hard regulatory reason to keep it – a reckoning that is reshaping enterprise architecture budgets.
There is also a reputational cost to Microsoft’s severity forecasting. When “less likely to be exploited” is followed weeks later by a three-day CISA emergency, security leaders lose trust in the very ratings meant to help them prioritize. Expect more organizations to ignore vendor exploit-likelihood scores entirely and patch every network-facing RCE on the assumption that it will be weaponized – a more conservative, more expensive default that vendors have effectively trained the market to adopt.
How to Check If Your SharePoint Server Is Exposed
The fastest way to determine exposure is to confirm the build number of every SharePoint farm against the May 2026 security update. From the SharePoint Management Shell on a server, administrators can pull the current farm build and compare it to the patched builds Microsoft published for each edition.
# Run in the SharePoint Management Shell (elevated)
# Returns the current farm build number
(Get-SPFarm).BuildVersion
# Reference: May 2026 security update builds (patched)
# SharePoint Server Subscription Edition : 16.0.19725.20280
# SharePoint Server 2019 : 16.0.10417.20128
# SharePoint Enterprise Server 2016 : 16.0.5552.1002
#
# If (Get-SPFarm).BuildVersion is BELOW the build for your edition,
# the server is missing the CVE-2026-45659 fix and is exposed.
# Confirm the exact target build in the MSRC advisory before patching.
Beyond the build check, defenders should audit internet exposure: any SharePoint server reachable from the public internet is a priority-one asset. Because ToolShell demonstrated that machine-key theft enables persistence beyond patching, teams that suspect compromise should also rotate ASP.NET machine keys and hunt for anomalous web shells (such as unexpected .aspx files in the LAYOUTS directory) rather than assume a patch alone closes the door.
Remediation: What Defenders Should Do Now
The remediation playbook for this SharePoint vulnerability is straightforward but time-sensitive. The table below maps the priority actions to the teams responsible for them.
| Priority | Action | Owner |
|---|---|---|
| 1 – Immediate | Apply the May 2026 security update to all on-prem SharePoint farms; verify the post-patch build number | SharePoint / infrastructure admins |
| 2 – Immediate | Identify and prioritize internet-facing SharePoint servers; restrict external access where possible | Network / perimeter team |
| 3 – Same day | Enable and validate Antimalware Scan Interface (AMSI) integration and endpoint protection on SharePoint hosts | Security operations |
| 4 – Within 72 hours | Hunt for web shells and anomalous authentication; review logs for exploitation indicators | Incident response / threat hunting |
| 5 – If compromise suspected | Rotate ASP.NET machine keys and credentials; assume persistence and investigate accordingly | Incident response |
| 6 – Strategic | Evaluate migration of collaboration workloads to SharePoint Online / Microsoft 365 | IT leadership / architecture |
Teams that lack strong SharePoint telemetry should pair patching with broader detection coverage. Open-source and commercial monitoring stacks – from a free Wazuh SIEM deployment to full XDR platforms – can surface the web shells and lateral movement that follow a successful SharePoint exploit, buying time even when patching lags.
Competitive Context: SharePoint vs. the Collaboration Cloud
Every on-premises SharePoint incident reframes a competitive question that has simmered for a decade: should collaboration live on servers you patch or in a cloud someone else patches? SharePoint’s rivals – from Google Workspace to Atlassian Confluence to a wave of cloud-native intranet startups – all lean on the same pitch: no servers to patch, no CVE-2026-45659 to chase, no three-day CISA scramble. For a CISO who just spent a holiday weekend emergency-patching SharePoint farms, that pitch has never sounded better.
Yet the cloud is not a security panacea, and the collaboration market knows it. Confluence has faced its own critical RCEs; cloud SaaS platforms have been breached through OAuth abuse and third-party integrations rather than server bugs. The threat simply relocates from “patch your server” to “govern your identities and app connections.” What CVE-2026-45659 sharpens is not that the cloud is invulnerable, but that self-hosting transfers the entire patch-and-hunt burden onto internal teams that are already drowning in 200-CVE months. In a market where security operations headcount is flat and attack volume is not, that transfer is increasingly untenable.
The strategic irony is that many organizations run on-premises SharePoint precisely for compliance and data-sovereignty reasons – the same regulated sectors that can least afford a breach. The 2026 exploit wave is forcing those organizations to weigh sovereignty against patch velocity, and the math is shifting toward managed cloud with regional data controls.
Expert Analysis and Industry Data
With no on-the-record researcher quotes yet attached to CVE-2026-45659, the most reliable signals come from primary-source advisories and vendor telemetry:
- Microsoft (MSRC): the company’s official advisory confirms low attack complexity, stating an attacker “does not require significant prior knowledge of the system and can achieve repeatable success with the payload” – a rare admission of how reliably the SharePoint exploit works.
- CISA: the KEV listing on July 2, 2026, and the July 2 federal deadline are the strongest possible confirmation that exploitation is real and spreading, not theoretical.
- Palo Alto Networks Unit 42: its ToolShell analysis documents machine-key theft as the persistence mechanism that made 2025’s SharePoint campaign so hard to evict – the risk model defenders should assume in 2026.
- SecurityWeek and Help Net Security: independent reporting corroborates the CVSS 8.8 rating, the on-premises-only scope, and the fact that Microsoft’s May patch preceded exploitation by weeks.
The through-line across these sources is consistent: a mid-severity, “less likely” flaw became a federal emergency because the fix existed but was not universally applied. The data does not point to a novel attack technique so much as a well-understood failure mode – the patch gap – playing out on one of the most valuable targets in the enterprise.
5 Predictions for SharePoint Security Through 2026
Based on the trajectory of CVE-2026-45659 and the 2025 ToolShell precedent, here is where the on-premises SharePoint threat is likely headed:
- Public exploit code will appear quickly. Once a KEV listing confirms exploitation, proof-of-concept and Metasploit-style modules typically follow within weeks, widening the attacker pool from skilled operators to commodity criminals.
- More SharePoint deserialization CVEs will surface. The bug class is deep and recurring; expect additional RCE disclosures in on-premises SharePoint before year-end as researchers probe the same code paths that yielded ToolShell and CVE-2026-45659.
- Ransomware crews will chain it. Following the Storm-2603 playbook, financially motivated groups will pair SharePoint RCE with credential theft and encryption, targeting the sensitive document stores these servers hold.
- Cloud migration will accelerate. Each high-profile SharePoint exploit strengthens the business case for SharePoint Online, and 2026 incidents will show up as a measurable bump in Microsoft 365 collaboration migrations.
- Vendor exploit-likelihood ratings will lose authority. After enough “less likely” flaws become emergencies, more security teams will patch all network-facing RCEs by default, treating vendor forecasts as background noise rather than prioritization gospel.
Frequently Asked Questions
Is CVE-2026-45659 a zero-day?
No. Microsoft patched the SharePoint vulnerability in the May 2026 security updates, weeks before exploitation began. It is an “n-day” flaw – a known, fixed bug being exploited against servers that never applied the patch. That distinguishes it from the 2025 ToolShell zero-day (CVE-2025-53770), which attackers used before any fix existed.
Does this SharePoint vulnerability affect SharePoint Online?
No. CVE-2026-45659 affects only on-premises editions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online, part of Microsoft 365, is patched and operated by Microsoft and is not listed as affected.
How severe is CVE-2026-45659?
It carries a CVSS score of 8.8 (High) and enables remote code execution. Exploitation requires authentication with at least Site Member permissions, but Microsoft rates the attack complexity as low, meaning a single valid SharePoint credential can lead to full server compromise.
What is the July 4, 2026 deadline about?
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on July 1, 2026. Under the directive governing that catalog, U.S. federal civilian agencies must remediate the flaw by July 4. Private organizations are not legally bound but should treat the deadline as a strong signal to patch immediately.
How do I know if my SharePoint server is patched?
Run (Get-SPFarm).BuildVersion in the SharePoint Management Shell and compare the result to the May 2026 security update build for your edition. If the build is lower than the patched build, the server is missing the fix. Always confirm the exact target build in Microsoft’s MSRC advisory before deploying.
How does this compare to the 2025 ToolShell attacks?
ToolShell was a chain of four vulnerabilities (including the CVSS 9.8 zero-day CVE-2025-53770) exploited by China-nexus actors before patches existed, complete with machine-key theft and ransomware. CVE-2026-45659 is a single authenticated RCE that was already patched, so the immediate risk is narrower – but the same patch-lag dynamic that fueled ToolShell is what makes it dangerous.
What should organizations do right now?
Apply the May 2026 security update to every on-premises SharePoint farm, prioritize internet-facing servers, hunt for web shells and anomalous authentication, and rotate machine keys if compromise is suspected. Longer term, evaluate migrating collaboration workloads to SharePoint Online to shift the patch burden to Microsoft.
Related Coverage
- New CitrixBleed Flaw: NetScaler Hit in 24 Hours [2026]
- FortiBleed Cracks 86,644 Fortinet Firewalls [2026]
- ShinyHunters Hit 100+ Orgs via Oracle Zero-Day [2026]
- North Korea Poisons 140 npm AI Packages in 19 Min [2026]
- Novo Nordisk Breach: $25M Ransom, 1.3TB Claimed [2026]
- Wazuh Tutorial: Free SIEM in 14 Steps, 40 Min [2026]
- More cybersecurity threats and analysis 2026


