
SharePoint CVE-2026-45659: Patch Before July 4


CISA added Microsoft SharePoint Server’s CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on July 1. Federal agencies have until July 4 to patch. The uncomfortable detail: Microsoft had labelled this vulnerability “Exploitation Less Likely” when it shipped the fix in May. That assessment is now officially wrong — and this is the second SharePoint RCE this year where Microsoft’s exploitability rating turned out to be optimistic. If you operate SharePoint Server on-premises, stop trusting the vendor’s risk label and check your build version today.

What CVE-2026-45659 Actually Is

CVE-2026-45659 is a deserialization vulnerability in the SharePoint Server list item handling path. The LosFormatter.Deserialize() method in Microsoft.SharePoint.Library processes attacker-supplied data without adequate validation, allowing an adversary to instantiate arbitrary objects and reach remote code execution. The CISA KEV catalog confirms this is now being exploited in the wild, with a CVSS score of 8.8 and full confidentiality, integrity, and availability impact.

What makes CVE-2026-45659 particularly dangerous in practice is the low barrier to exploitation. An attacker needs only a valid SharePoint account — Site Member permissions or equivalent — and network access to the server. No admin rights. No user interaction required. Once inside, the attacker runs code as the SharePoint service account, which in most enterprise environments has Active Directory access, database connections, and a path into the wider corporate intranet.

Affected Versions and Fixed Builds

The vulnerability affects all three supported on-premises versions of SharePoint Server. Verify your installed build against these fixed versions:

  • SharePoint Server Subscription Edition — Fixed build: 16.0.19725.20280
  • SharePoint Server 2019 — Fixed build: 16.0.10417.20128
  • SharePoint Enterprise Server 2016 — Fixed build: 16.0.5552.1002

If you are running anything earlier, you are exposed. According to Help Net Security, organizations that installed the May 2026 Patch Tuesday updates do not need a separate patch — the fix was included, though it was inadvertently omitted from Microsoft’s release notes at the time.

The Pattern Microsoft Needs to Explain

This is not an isolated miscalculation. In January 2026, Microsoft patched CVE-2026-20963, another SharePoint Server RCE, and also rated it “Exploitation Less Likely.” That CVE was subsequently confirmed exploited and added to the KEV list. Now, five months later, the same sequence has played out with CVE-2026-45659.

The Register’s headline from July 2 put it plainly: “Microsoft said exploitation was ‘less likely’ … but CISA just added SharePoint RCE to KEV list.” There is a legitimate question about whether Microsoft’s Exploitability Index is producing accurate forecasts for its SharePoint products, or whether the methodology underweights how quickly authenticated attackers operationalize deserialization bugs. Either way, the practical takeaway is clear: for SharePoint on-premises CVEs, treat “Exploitation Less Likely” as a starting point for your own risk assessment, not a conclusion.

How to Patch Correctly — SharePoint Is Not a Normal App

Applying this patch is not simply running Windows Update and rebooting. SharePoint has a two-step process that catches administrators off guard:

  1. Install the binary update — Apply the May 2026 Cumulative Update or Security Update via Windows Update or the Microsoft Update Catalog.
  2. Run the SharePoint Products Configuration Wizard — This step is mandatory. Skipping it leaves the farm in an intermediate state where the patch is installed but not applied to the SharePoint configuration database. Many administrators believe they are patched when they are not.

If you operate a multi-server farm, every web front end and application server in the farm needs both steps completed. A single unpatched node preserves the attack surface even after the rest of the farm is patched.

How to Verify You Are Protected

After patching, confirm your build number matches the fixed versions above. Check from SharePoint Central Administration under Manage Servers in this Farm, or query the server build string directly.
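The build check described above, as an added PowerShell example that is not part of the original article: it compares the farm's build against the fixed builds listed earlier and flags servers still waiting on the Configuration Wizard. It assumes the SharePoint Management Shell snap-in is available on a farm server, and the edition inference from build-number ranges is an assumption.

```powershell
# Added example (not from the article). Run from an elevated SharePoint
# Management Shell on any server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Fixed builds exactly as quoted in the article.
$fixedBuilds = @{
    'Subscription Edition' = [version]'16.0.19725.20280'
    '2019'                 = [version]'16.0.10417.20128'
    '2016'                 = [version]'16.0.5552.1002'
}

# Assumption: edition can be inferred from the build component
# (Subscription Edition >= 16.0.14000, 2019 = 16.0.10xxx, 2016 below that).
function Get-SPEditionFromBuild([version]$Build) {
    if ($Build.Build -ge 14000) { return 'Subscription Edition' }
    if ($Build.Build -ge 10000) { return '2019' }
    return '2016'
}

$farm    = Get-SPFarm
$build   = $farm.BuildVersion   # reflects the configuration database, i.e. the post-psconfig state
$edition = Get-SPEditionFromBuild $build
$fixed   = $fixedBuilds[$edition]

"SharePoint Server $edition, farm build $build (fixed build: $fixed)"
if ($build -ge $fixed) {
    'Farm configuration database is at or above the fixed build.'
} else {
    'EXPOSED: farm build is below the fixed build. Install the update, then run the Configuration Wizard.'
}

# Per-server view. A server whose binaries are updated but whose upgrade has not
# been run shows NeedsUpgrade = True: the intermediate state the article warns about.
# Role 'Invalid' filters out the SQL Server entries, which have no SharePoint binaries.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Name, Role, Status, NeedsUpgrade
```

Any server reporting NeedsUpgrade = True has completed step 1 but not step 2 of the patch procedure, regardless of what Windows Update reports.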

For detection, review your SharePoint ULS (Unified Logging Service) logs for unusual deserialization exceptions, unexpected object activation errors, or authenticated requests hitting unusual endpoints. BleepingComputer reports that Tenable, Rapid7, and other major scanners now carry CVE-2026-45659 signatures that can validate remediation at scale across a farm. According to Akamai, over 20 percent of observed environments remain exposed — a scanner check before declaring yourself clean is worth the time.
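The ULS log review suggested above, as an added PowerShell example that is not part of the original article: it filters tab-separated ULS lines for deserialization-related failures. The sample lines are constructed, not real telemetry, and the match pattern is an assumption built from the terms the article uses, so tune it to your environment.

```powershell
# Added example (not from the article). ULS logs are tab-separated with these columns.
$headers = 'Timestamp','Process','TID','Area','Category','EventID','Level','Message','Correlation'

# Constructed sample lines (not real telemetry); event IDs and correlation IDs are made up.
$sample = @(
  "07/02/2026 09:14:22.31`tw3wp.exe (0x1A2C)`t0x0F10`tSharePoint Foundation`tGeneral`taaaa`tVerbose`tEntering monitored scope (Request)`t11111111-1111-1111-1111-111111111111",
  "07/02/2026 09:14:23.02`tw3wp.exe (0x1A2C)`t0x0F10`tSharePoint Foundation`tRuntime`tbbbb`tUnexpected`tSystem.Runtime.Serialization.SerializationException at System.Web.UI.LosFormatter.Deserialize(String input)`t22222222-2222-2222-2222-222222222222",
  "07/02/2026 09:14:25.77`tw3wp.exe (0x1A2C)`t0x0F10`tSharePoint Foundation`tMonitoring`tcccc`tMedium`tLeaving monitored scope (Request)`t33333333-3333-3333-3333-333333333333"
)

# Assumption: these substrings are a reasonable first filter for the
# "deserialization exceptions" the article tells you to look for.
$pattern = 'LosFormatter|Deserializ|SerializationException'
# ULS severity levels worth reviewing; Verbose/Medium noise is dropped.
$levels  = 'High','Monitorable','Unexpected','Critical'

function Find-SuspiciousUlsEvents {
    param([string[]]$Lines)
    $Lines | ConvertFrom-Csv -Delimiter "`t" -Header $headers |
        Where-Object { $_.Level -in $levels -and $_.Message -match $pattern } |
        Select-Object Timestamp, Level, Message, Correlation
}

# Over the constructed sample this returns only the LosFormatter line.
Find-SuspiciousUlsEvents -Lines $sample | Format-List

# Against a live farm, the same filter over the last 30 days of logs, grouped by
# correlation ID so one request's related entries can be pulled together:
# Get-SPLogEvent -StartTime (Get-Date).AddDays(-30) |
#     Where-Object { $_.Level -in $levels -and $_.Message -match $pattern } |
#     Group-Object Correlation | Sort-Object Count -Descending
```

A hit on a correlation ID is a starting point, not a verdict: pull every ULS entry for that correlation ID and the matching IIS request to see which authenticated account made the request and which endpoint it reached.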

For federal civilian agencies, the July 4 deadline under CISA’s Binding Operational Directive BOD 26-04 is not optional. For everyone else: active exploitation confirmed by CISA is a sufficient reason to treat this with the same urgency.

ByteBot