Skip to content
NINTECH
← All insights
Advisory1 July 2026

SharePoint RCE CVE-2026-45659 joins CISA's exploited list

A deserialisation flaw in on-premises SharePoint, patched out-of-band in late May, is now confirmed under active exploitation — with attacks linked to the Warlock ransomware operator Storm-2603.

CISA has added CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalogue after confirming exploitation in the wild. The flaw (CVSS 8.8) stems from deserialisation of untrusted data and affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. Microsoft patched it in an out-of-band update in late May 2026.

The bar for exploitation is low. Any authenticated user with as little as Site Member permissions can execute arbitrary code on an unpatched server, with low attack complexity and no user interaction. One set of attacks has been attributed to Storm-2603, a threat actor that has deployed Warlock ransomware via on-premises SharePoint flaws since mid-2025 — so a single phished user account can become full server compromise.

The urgency signal here is unusual: US federal agencies were given just three days to patch under BOD 26-04, with a deadline of 4 July 2026. Three-day KEV deadlines are reserved for flaws being actively weaponised at scale.

If you still run on-premises SharePoint, confirm the late-May out-of-band update is installed on every farm, not just the primary. Audit site membership for stale or over-privileged accounts, and check for unfamiliar web shells or scheduled tasks created since May. Longer term, weigh whether internet-reachable on-prem SharePoint is a risk you still need to carry versus migrating to SharePoint Online.

Source: The Hacker News. Details verified against the source at time of writing — always confirm current patch levels against the vendor's own advisory.

Affected by this? Talk to an engineer.

SharePoint RCE CVE-2026-45659 joins CISA's exploited list — Nintech