SharePoint RCE Under Active Exploit: CVE-2026-45659

Incident · 4 min read · For Security Engineers

What Happened

Microsoft SharePoint Server contains a deserialization vulnerability (CVE-2026-45659, CVSS 8.8) that allows authenticated attackers to execute arbitrary code remotely. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog after confirming active exploitation. Microsoft released patches, but threat actors—including Storm-2603—continue targeting unpatched systems. Federal agencies face a July 4, 2026 remediation deadline.

The vulnerability exists in SharePoint's deserialization logic, where the server processes serialized objects from user input without proper validation. An authenticated attacker can craft malicious serialized data that executes code with SharePoint service account privileges.

Timeline

Initial disclosure: Microsoft published the vulnerability details and patches as part of its regular security update cycle.

Active exploitation confirmed: Security researchers and Microsoft's threat intelligence teams observed Storm-2603 exploiting the vulnerability against SharePoint servers exposed to the internet.

CISA KEV addition: Following exploitation evidence, CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog.

Federal deadline set: CISA mandated federal agencies patch affected systems by July 4, 2026.

Ongoing activity: Exploitation attempts continue against unpatched SharePoint instances.

Which Controls Failed or Were Missing

Deserialization input validation: The affected SharePoint servers did not properly validate serialized objects before processing them. This is a classic untrusted data problem—the application accepted complex data structures from authenticated users without verifying their safety.

Patch management cadence: Organizations still running vulnerable versions weeks after patch availability failed to maintain an effective vulnerability management program. The gap between patch release and patch application created an exploitation window.

Network segmentation: Many exploited SharePoint servers were directly accessible from the internet. SharePoint typically hosts sensitive internal documents and should be behind authentication gateways and network controls, not on the perimeter.

Authentication boundaries: While this vulnerability requires authentication, the exploitation by Storm-2603 suggests compromised credentials or weak authentication controls allowed initial access. The vulnerability then escalated that ordinary authenticated access to code execution under the SharePoint service account.

Detection capabilities: Organizations that lacked monitoring for deserialization attacks or unusual SharePoint process behavior missed early exploitation indicators. Deserialization exploits often generate distinctive patterns—unexpected process spawning, unusual network connections from SharePoint worker processes, or abnormal memory allocation.

What the Standards Require

NIST 800-53 Rev 5 addresses these failures directly:

  • SI-2 (Flaw Remediation) requires organizations to install security-relevant software updates within defined timeframes based on vendor severity ratings. An 8.8 CVSS score with active exploitation demands emergency patching—typically 72 hours or less.

  • SI-10 (Information Input Validation) mandates that applications verify the validity of information inputs, including serialized objects. SharePoint's deserialization flaw is precisely what this control prevents.

  • SC-7 (Boundary Protection) requires network segmentation and controlled interfaces between security domains. Internal collaboration tools like SharePoint should not be directly internet-accessible.

PCI DSS v4.0.1 requires similar controls for any system processing cardholder data:

  • Requirement 6.3.1 mandates security patches for critical or high-severity vulnerabilities within one month of release. Active exploitation should trigger emergency change procedures.

  • Requirement 6.4.2 requires protecting applications from attacks through input validation, particularly for injection attacks. Deserialization vulnerabilities fall into this category.

ISO/IEC 27001:2022 Control A.8.8 (Management of Technical Vulnerabilities) requires organizations to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. The CISA KEV listing is exactly the kind of authoritative vulnerability information this control references.

Lessons and Action Items for Your Team

Inventory your SharePoint deployment: Document every SharePoint server, its version, patch level, and network location. Include SharePoint Online instances and hybrid configurations. You cannot patch what you do not know exists.

Implement emergency patching procedures: Define what triggers emergency patching (CISA KEV addition qualifies), who approves it, and how quickly you execute. Your standard change control may be too slow for actively exploited vulnerabilities. Document the exception process now.

Audit deserialization attack surface: Review all applications that deserialize user-supplied data. This includes not just SharePoint but custom applications, API endpoints, and message queue consumers. .NET (SharePoint's platform), Java, Python, and PHP all ship deserialization mechanisms that become remote code execution paths when they are applied to untrusted input.

Restrict SharePoint network exposure: Move internet-facing SharePoint servers behind reverse proxies or VPN gateways. If external access is required, implement zero-trust network access (ZTNA) rather than direct exposure. Review firewall rules quarterly to ensure SharePoint servers remain internal.

Enhance authentication controls: Implement multi-factor authentication for all SharePoint access, especially administrative accounts. Review and rotate service account credentials. Monitor for credential stuffing attempts against SharePoint login endpoints.

Deploy deserialization-specific detection: Configure your SIEM or EDR to alert on:

  • Unexpected child processes spawned by SharePoint worker processes
  • Network connections from SharePoint to external IPs
  • PowerShell execution from SharePoint service accounts
  • File writes to unusual directories from SharePoint processes
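The four alert conditions above, turned into rule logic and run over constructed process, network and file telemetry. This is an added example, not code from the advisory or from any vendor; it assumes SharePoint web applications run inside the IIS worker process w3wp.exe, a farm service account named CORP\svc_sharepoint, and an allowlist of the helpers w3wp.exe legitimately spawns, all of which you tune for your own farm.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumptions, not facts from the advisory: SharePoint runs inside the IIS worker process
# w3wp.exe, the farm service account is CORP\svc_sharepoint, and w3wp.exe only legitimately
# spawns the ASP.NET compiler helpers listed below. Tune all of these for your farm.
SHAREPOINT_PROCS = {"w3wp.exe"}
SERVICE_ACCOUNTS = {r"corp\svc_sharepoint"}
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}
EXPECTED_WRITE_ROOTS = ("c:\\inetpub\\", "c:\\windows\\temp\\")
SHELLS = {"powershell.exe", "pwsh.exe"}


def _name(path):
    """Lower-cased file name of a Windows path (r'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return the names of the detection rules a single EDR/Sysmon-style event trips."""
    hits, kind = [], event["type"]
    image, parent = _name(event.get("image", "")), _name(event.get("parent_image", ""))
    if kind == "process_create" and parent in SHAREPOINT_PROCS and image not in EXPECTED_CHILDREN:
        hits.append("sharepoint_unexpected_child_process")
    if kind == "process_create" and image in SHELLS and event.get("user", "").lower() in SERVICE_ACCOUNTS:
        hits.append("sharepoint_service_account_powershell")
    if kind == "network_connect" and image in SHAREPOINT_PROCS and not ipaddress.ip_address(event["dest_ip"]).is_private:
        hits.append("sharepoint_external_connection")
    if kind == "file_create" and image in SHAREPOINT_PROCS and not event["target"].lower().startswith(EXPECTED_WRITE_ROOTS):
        hits.append("sharepoint_unusual_file_write")
    return hits


def triage(events):
    """Map each alerting event's id to the rules it tripped; benign events are omitted."""
    return {e["id"]: rules for e in events if (rules := evaluate(e))}


# Constructed sample telemetry (not real logs): a benign and an alerting event for each rule.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": W3WP, "user": r"CORP\svc_sharepoint",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"id": 2, "type": "process_create", "parent_image": W3WP, "user": r"CORP\svc_sharepoint",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\svc_sharepoint",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4, "type": "network_connect", "image": W3WP, "dest_ip": "10.0.0.5"},
    {"id": 5, "type": "network_connect", "image": W3WP, "dest_ip": "1.2.3.4"},
    {"id": 6, "type": "file_create", "image": W3WP, "target": r"C:\Windows\Temp\render.tmp"},
    {"id": 7, "type": "file_create", "image": W3WP, "target": r"C:\Users\Public\update.dll"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Event 1 is the ASP.NET compiler child that an allowlist keeps quiet; the same cmd.exe child in event 2 is what the first bullet above is looking for.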

Test your detection: After patching, run a controlled deserialization exploit against a test SharePoint instance. Verify your monitoring tools generate alerts. If they do not, tune your detection rules.

Establish CISA KEV monitoring: Automate daily checks of the CISA KEV catalog. When a vulnerability affecting your environment appears, trigger your emergency response process. The catalog is machine-readable JSON—write a script to compare it against your asset inventory.
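The KEV-to-inventory comparison described above, as an added example rather than the article's or CISA's own tooling. CISA publishes the catalog at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed excerpt embedded here is constructed in that shape (the SharePoint CVE, product and July 4, 2026 due date come from the article, the dateAdded value and the second entry are placeholders), and the asset inventory is likewise made up.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json feed.
# CVE, product and due date are from the advisory; dateAdded and the second entry are placeholders.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft", "product": "SharePoint Server",
     "vulnerabilityName": "Microsoft SharePoint Server Deserialization Vulnerability",
     "dateAdded": "2026-06-13", "dueDate": "2026-07-04",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product."},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
     "vulnerabilityName": "Placeholder entry", "dateAdded": "2026-05-01", "dueDate": "2026-05-22",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed asset inventory: one record per host, vendor/product strings as a CMDB would hold them.
INVENTORY = [
    {"host": "sp-web-01", "vendor": "Microsoft", "product": "SharePoint Server 2019", "zone": "dmz"},
    {"host": "sp-app-02", "vendor": "Microsoft", "product": "SharePoint Server Subscription Edition", "zone": "internal"},
    {"host": "sql-01", "vendor": "Microsoft", "product": "SQL Server 2022", "zone": "internal"},
]


def load_kev(feed_text):
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def match_inventory(kev_entries, inventory, today_iso):
    """One finding per (KEV entry, asset) pair whose vendor and product strings match,
    with the days left until CISA's due date (negative once overdue), most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev_entries:
        vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
        for asset in inventory:
            if vendor in asset["vendor"].lower() and product in asset["product"].lower():
                due = date.fromisoformat(entry["dueDate"])
                findings.append({"host": asset["host"], "zone": asset["zone"], "cve": entry["cveID"],
                                 "due": entry["dueDate"], "days_left": (due - today).days})
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in match_inventory(load_kev(KEV_JSON), INVENTORY, date.today().isoformat()):
        print(f"{f['host']:<10} {f['zone']:<9} {f['cve']} due {f['due']} ({f['days_left']} days left)")
```

Substring matching on vendor and product is deliberately loose so that version suffixes in the inventory still match; a daily cron job fetching the live feed and feeding findings into the emergency-patch trigger is the rest of the loop.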

Document the Storm-2603 TTPs: Study the specific tactics this threat actor used. Understanding their post-exploitation behavior helps you detect similar intrusions even if the initial vulnerability differs. Threat actor patterns persist across different exploits.

The SharePoint vulnerability demonstrates why vulnerability management cannot be a monthly process. When CISA adds an item to the KEV catalog, exploitation is not theoretical—it is happening. Your patch window is measured in days, not weeks.

Reference: CISA Known Exploited Vulnerabilities catalog
