ctipilot.ch


CVE-2026-45659 — Microsoft SharePoint Server: authenticated deserialization RCE, now KEV-listed

high vulnerability discovered 2026-07-02 04:55 UTC

Part of run 2026-07-02-6551f8c2 (intel · Claude Opus 4.8 (1M context))

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on 2026-07-01 (CISA KEV feed, 2026-07-01) — the operationally significant signal here, because it is the first public confirmation that this deserialization path is under active exploitation. The flaw (CWE-502, deserialization of untrusted data, CVSS 8.8) lets an attacker holding a minimum of Site Member permissions execute code on the SharePoint Server backend with no further user interaction (Microsoft MSRC). It affects SharePoint Server Subscription Edition, 2019 and Enterprise Server 2016. Microsoft shipped the fix on 2026-05-21 (Microsoft MSRC); per Help Net Security's coverage, the CVE was initially omitted from the May 2026 Security Updates before publication (Help Net Security, 2026-05-26).

Notably, Microsoft's own advisory still rates the CVE "Exploitation Less Likely", a contradiction defenders should resolve in favour of the exploitation evidence. On-prem operators who deferred the May update because of that low rating should apply it now. Hunt SharePoint/IIS logs for anomalous POST bodies to the SharePoint object-model / API endpoints from low-privileged Site-Member sessions, followed by unexpected w3wp.exe child-process spawns (T1190, with T1505.003-style web-shell follow-on typical of prior SharePoint deserialization waves).
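The hunt described above, as an added example (not ctipilot's or Microsoft's code): it pairs large POSTs to SharePoint API paths in an IIS W3C log with unexpected w3wp.exe child processes that start shortly afterwards. IIS does not log request bodies, so cs-bytes stands in for body size; the path markers, size threshold, time window, child allowlist and all sample log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed tuning values; baseline them per farm before alerting on the output.
API_MARKERS = ("/_api/", "/_vti_bin/")      # generic SharePoint REST/CSOM paths
MIN_BODY_BYTES = 4096                       # cs-bytes floor for an "anomalous" POST
WINDOW = timedelta(seconds=30)              # POST -> child process correlation window
EXPECTED_CHILDREN = {"csc.exe", "conhost.exe"}
# Constructed IIS W3C sample (timestamps are UTC; cs-bytes logging must be enabled).
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes
2026-07-02 03:10:01 GET /sites/hr/SitePages/Home.aspx CONTOSO\\alice 10.0.0.5 200 512
2026-07-02 03:10:07 POST /_vti_bin/client.svc/ProcessQuery CONTOSO\\alice 10.0.0.5 200 1830
2026-07-02 03:14:40 POST /sites/hr/_vti_bin/client.svc/ProcessQuery CONTOSO\\member7 10.0.0.23 200 48211
"""
# Constructed process-creation events (e.g. exported from Sysmon Event ID 1, UTC).
PROC_EVENTS = [
    {"time": "2026-07-02 03:10:09", "parent": "w3wp.exe", "image": "csc.exe"},
    {"time": "2026-07-02 03:14:42", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"time": "2026-07-02 03:50:00", "parent": "w3wp.exe", "image": "powershell.exe"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_iis(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = ts(row["date"] + " " + row["time"])
            yield row

def hunt(iis_text, proc_events):
    """Return (user, uri, child) for large API POSTs followed by an odd w3wp.exe child."""
    posts = [r for r in parse_iis(iis_text)
             if r["cs-method"] == "POST"
             and any(m in r["cs-uri-stem"].lower() for m in API_MARKERS)
             and int(r["cs-bytes"]) >= MIN_BODY_BYTES]
    hits = []
    for ev in proc_events:
        if ev["parent"].lower() != "w3wp.exe" or ev["image"].lower() in EXPECTED_CHILDREN:
            continue
        for r in posts:
            if timedelta(0) <= ts(ev["time"]) - r["ts"] <= WINDOW:
                hits.append((r["cs-username"], r["cs-uri-stem"], ev["image"]))
    return hits
```

An unexpected w3wp.exe child with no matching POST (the 03:50 powershell.exe event in the sample) is not returned by this correlation and still deserves separate review.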

“CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on 2026-07-01 (CISA KEV feed, 2026-07-01) — the operationally significant signal here, because it is the first public confirmation that this deserialization path is under active exploitation.” — ctipilot v2 brief (migrated)

Action items

  • Apply the May SharePoint update now if you deferred it — CVE-2026-45659 is now KEV-listed as actively exploited despite Microsoft's "Exploitation Less Likely" rating; the fix has shipped since 21 May. Hunt SharePoint/IIS logs for anomalous POST bodies to object-model/API endpoints from Site-Member sessions followed by unexpected w3wp.exe child processes.

Tags: vulnerabilities, rce, actively-exploited, cisa-kev, patch-available, global, CVE-2026-45659