SharePoint RCE Under Active Attack: CVE-2026-45659
Incident · 5 min read · For Security Engineers

What Happened

Attackers are exploiting CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint. This flaw allows an authenticated user with low privileges to execute arbitrary code on unpatched SharePoint servers. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and issued Binding Operational Directive (BOD) 26-04, requiring federal agencies to patch affected systems by Saturday.

The vulnerability's CVSS rating and its "low privileges required" metric mean an unpatched SharePoint instance becomes a foothold for lateral movement. An attacker who compromises a standard user account (through phishing, credential stuffing, or any other initial access technique) can escalate to code execution on the server itself.

Timeline

While CISA's advisory doesn't specify when active exploitation began, the sequence matters for your response planning:

  1. Vulnerability disclosure: Microsoft released patches for CVE-2026-45659 in their regular security update cycle.
  2. Exploit development: Attackers developed working exploits targeting the flaw.
  3. Active exploitation detected: CISA observed exploitation attempts in the wild.
  4. KEV Catalog addition: CISA added CVE-2026-45659 to the KEV Catalog.
  5. BOD 26-04 issued: Federal agencies given a deadline to remediate.
  6. Deadline: Saturday (specific date set by CISA directive).

The gap between patch availability and KEV listing represents your window of vulnerability. If you're reading this after the federal deadline, you're operating in a known-bad state.

Which Controls Failed or Were Missing

This incident exposes failures across multiple control areas:

Vulnerability Management Process

Your patch cycle didn't identify and prioritize this vulnerability before exploitation began. The "low privileges required" designation should have flagged this for emergency patching.

Asset Inventory

If you don't know which SharePoint servers you're running—on-premises, cloud-hosted, or hybrid—you can't patch them. Missing or outdated asset inventories leave systems exposed.

Privilege Management

The vulnerability requires authentication, but only low-level privileges. If you're running SharePoint with overly permissive default access or haven't implemented least-privilege access controls, you've expanded your attack surface.

Change Management

Emergency patches require a fast-track process. If your change management board meets monthly or requires three-week lead times for production changes, you can't respond to actively exploited vulnerabilities within CISA's timeframe.

Monitoring and Detection

Without logging on SharePoint authentication and code execution events, you won't know if you've already been compromised. The absence of detection capabilities means you're patching blind—you may be closing the door after the attacker is already inside.

What the Relevant Standards Require

NIST 800-53 Rev 5

  • SI-2 (Flaw Remediation): Requires organizations to identify, report, and correct system flaws, with specific timelines for high-severity vulnerabilities. The control explicitly calls for prioritizing flaws based on active exploitation—exactly what CISA's KEV Catalog provides.

  • CM-3 (Configuration Change Control): Mandates emergency change procedures for security-related updates. Your change management process must have an expedited path for vulnerabilities under active attack.

  • RA-5 (Vulnerability Monitoring and Scanning): Requires continuous vulnerability scanning and remediation tracking. You should have identified CVE-2026-45659 in your environment before CISA's advisory.

ISO/IEC 27001:2022

  • A.8.8 (Management of Technical Vulnerabilities): Requires timely information about technical vulnerabilities, assessment of exposure, and appropriate measures to address the risk. The standard doesn't specify timelines, but "appropriate" for an actively exploited RCE vulnerability means days, not weeks.

PCI DSS v4.0.1

If your SharePoint environment processes, stores, or transmits cardholder data:

  • Requirement 6.3.1: Identifies security vulnerabilities using reputable outside sources and assigns a risk ranking to vulnerabilities. CISA's KEV Catalog is the definition of a reputable source, and active exploitation assigns the highest risk ranking.

  • Requirement 6.3.3: Requires critical security patches to be installed within one month. For vulnerabilities under active exploitation, the expectation is emergency deployment—not the full 30-day window.

SOC 2 Type II

  • CC7.1 (System Monitoring): Requires detection of anomalies that could indicate security events. If attackers exploited this vulnerability in your environment before you patched, your monitoring should have detected the unusual code execution or privilege escalation.

Lessons and Action Items for Your Team

1. Implement KEV-driven patching

Subscribe to CISA's KEV Catalog feed (available as JSON, CSV, and RSS). Build automation that flags any KEV addition affecting your technology stack and triggers your emergency change process. Don't wait for your vulnerability scanner's weekly report—KEV additions require same-day response.

2. Define emergency patch SLAs

Document specific timelines:

  • KEV-listed vulnerabilities: 72 hours maximum
  • Critical vulnerabilities (CVSS 9.0+) not yet exploited: 7 days
  • High vulnerabilities (CVSS 7.0-8.9): 30 days

Your change management board must approve both these SLAs and the authority to bypass the standard approval process when they apply.
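As an added example (not code from the page's author), the following Python script combines action item 1 (KEV-driven patching) with the SLA tiers of action item 2: it parses a feed in the shape of CISA's published KEV JSON (field names such as cveID, vendorProject, product, dateAdded and dueDate follow the real schema), matches entries against a CMDB extract, and computes the internal 72-hour due date alongside CISA's. The catalog records, the dates, the second placeholder entry, the hostnames and the inventory structure are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional
# Emergency patch SLAs from action item 2, expressed in hours.
SLA_HOURS = {"kev": 72, "critical": 7 * 24, "high": 30 * 24}
# Constructed sample in the shape of CISA's KEV JSON feed (real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Records and dates are illustrative, not the catalog's actual entries.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2026-04-15", "dueDate": "2026-04-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
     "dateAdded": "2026-04-15", "dueDate": "2026-05-06", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed CMDB extract; dev instances are in scope, as action item 3 notes.
SAMPLE_INVENTORY = [
    {"hostname": "sp-prod-01", "vendor": "Microsoft", "product": "SharePoint Server 2019"},
    {"hostname": "sp-dev-01", "vendor": "Microsoft", "product": "SharePoint Server 2019"},
    {"hostname": "fw-edge-01", "vendor": "OtherVendor", "product": "Edge Firewall"},
]


def sla_tier(kev_listed: bool, cvss: Optional[float]) -> Optional[str]:
    """Map a vulnerability to an SLA tier; a KEV listing wins regardless of CVSS score."""
    if kev_listed:
        return "kev"
    if cvss is not None and cvss >= 9.0:
        return "critical"
    if cvss is not None and cvss >= 7.0:
        return "high"
    return None  # below the emergency thresholds: normal patch cycle


def internal_due(date_added: str, tier: str) -> datetime:
    """Internal due date: KEV dateAdded (taken as UTC midnight) plus the tier's SLA."""
    added = datetime.strptime(date_added, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return added + timedelta(hours=SLA_HOURS[tier])


def affected_assets(feed_json: str, inventory: list) -> list:
    """One finding per (KEV entry, asset) with the same vendor and a product-name match."""
    findings = []
    for vuln in json.loads(feed_json)["vulnerabilities"]:
        vendor, product = vuln["vendorProject"].lower(), vuln["product"].lower()
        for asset in inventory:
            if asset["vendor"].lower() == vendor and product in asset["product"].lower():
                due = internal_due(vuln["dateAdded"], sla_tier(True, None))
                findings.append({"cve": vuln["cveID"], "host": asset["hostname"],
                                 "internal_due": due.isoformat(), "cisa_due": vuln["dueDate"]})
    return findings
```

Each finding can be posted straight into the emergency change ticket; the internal date is the one your SLA commits to, the CISA date is the federal deadline for comparison.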

3. Map your SharePoint footprint

If you can't answer "how many SharePoint servers are we running and where?" in under five minutes, fix your CMDB. Include:

  • On-premises SharePoint Server installations
  • SharePoint Online tenants (usually patched automatically, but verify)
  • Third-party hosted SharePoint environments
  • Development and test instances (attackers don't skip these)

4. Review SharePoint access controls

Audit who has access to your SharePoint environments. The "low privileges required" rating means any authenticated user is a potential threat. Implement:

  • Regular access reviews (quarterly minimum)
  • Automated deprovisioning when employees change roles
  • Separate service accounts for SharePoint administration
  • Multi-factor authentication for all SharePoint access

5. Deploy detection for SharePoint exploitation

Configure logging for:

  • Authentication events (successful and failed)
  • Privilege escalation attempts
  • Unusual process execution from SharePoint service accounts
  • File system changes in SharePoint directories
  • Network connections from SharePoint servers to unexpected destinations

Forward these logs to your SIEM or logging platform with alerting rules for anomalies.
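As an added example (not the page's own code), the following Python detection logic covers two of the log sources listed above: command interpreters spawned by w3wp.exe (the IIS worker process that hosts SharePoint web applications) and unexpected binaries run under SharePoint service accounts. The event format, the service-account names and the sample events are constructed; OWSTIMER.EXE is the real SharePoint timer service binary.

```python
import json
import ntpath  # Windows path handling that also works when this runs on Linux

# Command interpreters an IIS worker process should never spawn during normal operation.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# Constructed service-account names; replace with your farm's app-pool and timer accounts.
SP_SERVICE_ACCOUNTS = {r"CORP\svc_sp_apppool", r"CORP\svc_sp_farm"}
# Binaries those accounts are expected to run (OWSTIMER.EXE is the SharePoint timer service).
EXPECTED_BINARIES = {"w3wp.exe", "owstimer.exe", "conhost.exe"}

# Constructed process-creation events (one JSON object per line, Sysmon-style fields).
SAMPLE_EVENTS = r"""
{"ts":"2026-04-16T09:12:01Z","host":"sp-prod-01","user":"CORP\\svc_sp_apppool","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2026-04-16T09:12:05Z","host":"sp-prod-01","user":"CORP\\svc_sp_farm","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\BIN\\OWSTIMER.EXE"}
{"ts":"2026-04-16T09:13:40Z","host":"sp-prod-01","user":"CORP\\jane.admin","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2026-04-16T09:15:22Z","host":"sp-dev-01","user":"CORP\\svc_sp_farm","parent":"C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\BIN\\OWSTIMER.EXE","image":"C:\\Windows\\System32\\certutil.exe"}
"""


def classify(event: dict) -> list:
    """Return the detection reasons that apply to one event (empty list = benign)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    reasons = []
    if parent == "w3wp.exe" and image in INTERPRETERS:
        reasons.append("w3wp.exe spawned a command interpreter")
    if event["user"] in SP_SERVICE_ACCOUNTS and image not in EXPECTED_BINARIES:
        reasons.append("SharePoint service account ran an unexpected binary")
    return reasons


def detect(jsonl: str) -> list:
    """Run classify() over newline-delimited JSON events and collect alerts for the SIEM."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "image": ev["image"], "reasons": reasons})
    return alerts
```

The interactive PowerShell session by an administrator is deliberately not flagged: the rules key on the parent process and the account, not on the binary alone, which keeps the alert volume reviewable.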

6. Test your incident response

Run a tabletop exercise: "CISA adds one of our core platforms to the KEV Catalog on Friday afternoon. Walk through your response." If the answer involves waiting until Monday or scheduling a change board meeting, you have a process problem that will get you breached.

The SharePoint RCE vulnerability isn't unique—it's a pattern. Attackers target widely deployed enterprise platforms because the blast radius is enormous. Your vulnerability management program must assume that any critical vulnerability in your core infrastructure will be exploited, and your response timeline must reflect that reality.
