ctipilot.ch

Microsoft SharePoint Server CWE-502 deserialization RCE — authenticated Site Member (PR:L) can execute code over network; CVSS 8.8; NCSC.ch flagged 2026-05-26; § 7 drop (did not clear § 2 gates)

cve · CVE-2026-45659

Coverage timeline
1
first 2026-05-27 → last 2026-07-02
Peak priority
high
1 high
Sources cited
3
3 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-02/cve-2026-45659-microsoft-sharepoint-server-authenticated-des · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-02/cve-2026-45659-microsoft-sharepoint-server-authenticated-des · ATT&CK page ↗

Story timeline

  1. 2026-07-02CVE-2026-45659 — Microsoft SharePoint Server: authenticated deserialization RCE, now KEV-listed
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cisa.gov1 (33%)
  • helpnetsecurity.com1 (33%)
  • msrc.microsoft.com1 (33%)

Entries about Microsoft SharePoint Server CWE-502 deserialization RCE — authenticated Site Member (PR:L) can execute code over network; CVSS 8.8; NCSC.ch flagged 2026-05-26; § 7 drop (did not clear § 2 gates) (1)

2026-07-02 · view entry permalink →

HIGHCVE-2026-45659exploited

CVE-2026-45659 — Microsoft SharePoint Server: authenticated deserialization RCE, now KEV-listed

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on 2026-07-01 (CISA KEV feed, 2026-07-01) — the operationally significant signal here, because it is the first public confirmation that this deserialization path is under active exploitation. The flaw (CWE-502, deserialization of untrusted data, CVSS 8.8) lets an attacker holding a minimum of Site Member permissions execute code on the SharePoint Server backend with no further user interaction (Microsoft MSRC). It affects SharePoint Server Subscription Edition, 2019 and Enterprise Server 2016, and Microsoft shipped the fix on 2026-05-21 (Microsoft MSRC) — the CVE having initially been omitted from the May 2026 Security Updates before publication, per Help Net Security's coverage (Help Net Security, 2026-05-26). Notably, Microsoft's own advisory still rates the CVE "Exploitation Less Likely" — a contradiction defenders should resolve in favour of the exploitation evidence. On-prem operators who deferred the May update because of that low rating should apply it now; hunt SharePoint/IIS logs for anomalous POST bodies to the SharePoint object-model / API endpoints from low-privileged Site-Member sessions followed by unexpected w3wp.exe child-process spawns (T1190, with T1505.003-style web-shell follow-on typical of prior SharePoint deserialization waves).

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on 2026-07-01 (CISA KEV feed, 2026-07-01) — the operationally significant signal here, because it is the first public confirmation that this deserialization path is under active exploitation.

ctipilot v2 brief (migrated)
vulnerability02 Jul 04:55Zmulti-sourceOpen finding ↗