NewsSecurity

SharePoint CVE-2026-45659: Active RCE — Patch Now

SharePoint CVE-2026-45659 RCE active exploitation - Storm-2603 ransomware threat

Microsoft rated exploitation of CVE-2026-45659 as “Less Likely” when it shipped the patch in May 2026. Six weeks later, CISA added it to the Known Exploited Vulnerabilities catalog — confirming active, in-the-wild exploitation. If your organization runs on-premises SharePoint and has not applied the May 2026 cumulative update, you are exposed to an authenticated remote code execution flaw that ransomware operators are actively weaponizing right now.

What CVE-2026-45659 Actually Is

The vulnerability stems from unsafe deserialization of untrusted data (CWE-502) in Microsoft SharePoint Server. An attacker submits a crafted payload to a SharePoint endpoint; the server deserializes it without proper validation; arbitrary code executes in the context of the IIS worker process. CVSS score: 8.8. Attack complexity: Low.

Affected versions:

  • SharePoint Enterprise Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition

SharePoint Online (Microsoft 365) is not affected. If your organization is fully on cloud SharePoint, you can stop reading. Everyone else: keep going.

Storm-2603 Is Already Inside Unpatched Farms

CISA’s KEV listing is not precautionary — it reflects confirmed exploitation. The threat actor most closely associated with this activity is Storm-2603, a suspected China-based group that blends financial ransomware operations with state-sponsored espionage targeting.

Storm-2603 has been exploiting on-premises SharePoint since mid-2025. Their campaigns compromised over 400 SharePoint servers across 300+ organizations, including U.S. federal agencies. They deploy Warlock ransomware — distributed via GPO modification for mass rollout — alongside LockBit Black variants.

The post-exploitation toolkit is built to stay hidden: Velociraptor (a legitimate DFIR tool repurposed for attacker persistence), Cloudflare Tunnels for C2 that bypasses perimeter firewalls, Zoho Assist for remote access, and SSH tunnels via Visual Studio Code. By the time you see ransomware, the group has typically been resident for weeks.

“Authenticated” Does Not Mean “Protected”

The authentication requirement tempts security teams to deprioritize this flaw. That is a mistake. Exploitation requires only a Site Member account — the default permission level for most employees, contractors, and service identities in enterprise SharePoint deployments.

Getting valid credentials is not a significant barrier. Attackers reach the authentication precondition through phishing, password spraying against Active Directory, stale contractor accounts that were never deprovisioned, or credentials harvested from a compromised endpoint elsewhere in the network. The authentication check is a speed bump, not a gate.

This is also the third time in twelve months that Microsoft has rated a SharePoint vulnerability “Exploitation Less Likely” and been proven wrong. The 2025 ToolShell chain (CVE-2025-49704, CVE-2025-49706) followed the same arc. At some point, this rating stops being useful information.

Patch Now: Exact Build Numbers and KB Articles

Apply the May 2026 cumulative updates. Here are the exact KB articles and target build versions:

  • SharePoint Server Subscription Edition: KB5002863 — build 16.0.19725.20280
  • SharePoint Server 2019: KB5002870 — build 16.0.10417.20128
  • SharePoint Enterprise Server 2016: KB5002868 — build 16.0.5552.1002

Verify your farm’s actual build version after applying — do not rely on Windows Update history alone:

Get-SPFarm | Select-Object BuildVersion
Get-SPProduct -Local | Format-List ProductName, PatchableUnitDisplayName, PatchableUnitVersion

After patching each server, run the SharePoint Products Configuration Wizard (start with the application server, then each web front-end). Then run iisreset /restart on each WFE. Skipping the wizard leaves the farm in a partially patched state.

Beyond the Patch: What Else You Need to Do

A CISA KEV-listed vulnerability demands more than a patch ticket.

Audit Site Member groups. Remove stale accounts — former contractors, ex-employees, service identities with broader permissions than needed. Every unnecessary account is a potential entry point.

Enforce MFA. Authentication requirements only matter if compromised passwords alone cannot satisfy them.

Hunt for indicators of prior compromise. Monitor for w3wp.exe spawning cmd.exe, PowerShell, or certutil. Search SharePoint directories for newly created .aspx or .ashx files. If you find anything suspicious, rotate ASP.NET machine keys immediately — Storm-2603 steals them for token forgery.

Stop exposing SharePoint directly to the internet. Place it behind a reverse proxy with an authentication gateway. Most exploitation of on-premises SharePoint begins with internet-facing servers.

Stop Treating “Less Likely” as a Patching Policy

Microsoft’s exploitability index exists to help teams prioritize. Treating it as a gating criterion for patching a CVSS 8.8 deserialization RCE on internet-facing infrastructure is a risk calculation that rarely ends well. As Help Net Security noted at original disclosure: SharePoint servers hold sensitive company data and are usually accessible from the internet — a combination that makes them permanent high-value targets.

Patches give attackers a reverse-engineering roadmap. Low attack complexity means exploit development is fast. KEV listings happen after exploitation is confirmed, not before. If you are waiting for a KEV listing to schedule a patch for CVSS 8+ SharePoint vulnerabilities, you are already reacting rather than preventing.

Patch this week. Verify the build. Audit the accounts. And stop treating Microsoft’s exploitability index as a substitute for a patching policy.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News