News | July 2, 2026 | 8 min read
RSS App New Cybersecurity Feed
SharePoint RCE Vulnerability CVE-2026-45659: What IT Teams and Organizations Must Do Now
CISA's addition of the SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog signals a threat that extends well beyond U.S. federal agencies — and European organizations running on-premises infrastructure need to act fast.
CISA Flags SharePoint RCE Vulnerability as Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity SharePoint RCE vulnerability — tracked as CVE-2026-45659 — to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild. The flaw carries a CVSS score of 8.8 out of 10, placing it firmly in the high-severity tier, and it affects three widely deployed versions of Microsoft SharePoint Server: the Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
The vulnerability stems from the deserialization of untrusted data — a class of flaw that security researchers have consistently flagged as among the most dangerous in enterprise software ecosystems. Microsoft addressed the issue in May 2026, but the window between patch release and active exploitation has, once again, proven to be dangerously short. For IT decision makers and privacy professionals overseeing infrastructure in Europe and beyond, the incident is a pointed reminder that on-premises collaboration platforms carry significant, ongoing security obligations.
What makes CVE-2026-45659 particularly alarming is its low barrier to exploitation. According to Microsoft's own advisory, any authenticated attacker with as little as Site Member-level permissions can trigger the vulnerability to execute arbitrary code remotely on the SharePoint Server — no administrator privileges required. In practical terms, this means a compromised employee account, a phishing victim, or even a malicious insider could serve as the entry point for a potentially devastating breach.
Security teams face an increasingly narrow window between patch release and active exploitation for critical enterprise vulnerabilities
Why Deserialization Vulnerabilities Are So Dangerous for Enterprise Platforms
To understand the gravity of CVE-2026-45659, it helps to understand why deserialization vulnerabilities are treated with such urgency by security professionals. Serialization is the process by which software converts data objects into a format that can be stored or transmitted. Deserialization reverses that process. When an application deserializes data without first validating whether it can be trusted, attackers can craft malicious payloads that, once processed by the server, cause it to execute attacker-controlled code.
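As an added illustration that is not from the article (which does not say which SharePoint component or .NET serializer is involved), the following PowerShell contrasts a "deserializer" that evaluates its input as code with one that parses it as data and enforces a schema. The record, the allowed-field list and the function names are constructed for the example.

```powershell
# Added example, not from the article. A serialized record is just text; if the code
# that restores it evaluates the text instead of parsing it, the sender decides what runs.

# Constructed record in a naive PowerShell-literal store. The Owner field carries a
# subexpression that only emits a warning here, but it proves evaluation took place.
$untrustedLiteral = @'
@{ Title = "Quarterly report"; Owner = "$(Write-Warning 'expression inside the data was evaluated'; 'alice')"; Size = 42 }
'@

# Same record serialized as data (JSON), with an extra field a sender might smuggle in.
$untrustedJson = '{ "Title": "Quarterly report", "Owner": "alice", "Size": 42, "Script": "whatever" }'

function Restore-ObjectUnsafe {
    param([string]$Text)
    # Unsafe pattern: the deserializer is an evaluator. Any $( ) subexpression, cmdlet
    # call or & invocation embedded in the "data" runs with this process's rights.
    Invoke-Expression $Text
}

function Restore-ObjectSafe {
    param([string]$Text)
    # Safe pattern: a data-only parser plus a schema allowlist. Unknown fields are
    # rejected outright and each accepted field is type-checked before it is used.
    $allowed = @('Title', 'Owner', 'Size')
    $raw = $Text | ConvertFrom-Json
    $obj = [ordered]@{}
    foreach ($prop in $raw.PSObject.Properties) {
        if ($allowed -notcontains $prop.Name) { throw "Rejected unexpected field '$($prop.Name)'" }
        $obj[$prop.Name] = $prop.Value
    }
    if ($obj['Title'] -isnot [string] -or $obj['Owner'] -isnot [string]) { throw 'Title and Owner must be strings' }
    # ConvertFrom-Json yields Int32 on Windows PowerShell 5.1 and Int64 on PowerShell 7.
    if ($obj['Size'] -isnot [int] -and $obj['Size'] -isnot [long]) { throw 'Size must be an integer' }
    [pscustomobject]$obj
}

Restore-ObjectUnsafe $untrustedLiteral   # the warning shows code ran during "deserialization"
try { Restore-ObjectSafe $untrustedJson } catch { Write-Host "Safe path: $_" }   # rejects the Script field
Restore-ObjectSafe ($untrustedJson -replace ', "Script": "whatever"', '')        # returns the validated object
```

The point carries over to any platform: the remediation for this flaw class is never to evaluate serialized input, and to bind deserialization to an explicit set of expected types and fields rather than to whatever the byte stream names.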
This attack class has been responsible for some of the most damaging breaches in recent years. The Open Web Application Security Project (OWASP), which publishes widely referenced guidance on application security risks at owasp.org, has long listed insecure deserialization as a top-ten application security risk. In an enterprise collaboration platform like SharePoint — which sits at the center of document management, internal communications, and business workflow for millions of organizations worldwide — such a flaw can be particularly catastrophic, offering attackers a pivot point into broader corporate networks.
Microsoft has tagged the vulnerability with an "Exploitation Less Likely" assessment in its advisory, a classification that may give some administrators false comfort. CISA's decision to add it to the KEV catalog, however, overrides that theoretical assessment with real-world intelligence: the flaw is being exploited, right now, by active threat actors. As BleepingComputer has noted in its coverage of similar KEV additions, the gap between vendor confidence ratings and observed exploitation is a recurring theme in enterprise vulnerability management.
At a glance: CVSS score 8.8 (high severity); 3 SharePoint versions affected; July 4 FCEB patch deadline; CVSS score 9.1 for the linked Gladinet flaw.
How Ransomware Groups Are Already Exploiting On-Premises SharePoint Weaknesses
The disclosure of CVE-2026-45659 does not exist in isolation. It arrives alongside a deeply concerning threat intelligence report from Microsoft, which revealed that a routine ransomware investigation had uncovered two entirely separate threat actors operating simultaneously within the same victim network — a scenario that dramatically complicates incident response and attribution.
One of those actors, designated Storm-2603, has been actively deploying Warlock ransomware since mid-2025, with a documented preference for exploiting known vulnerabilities in on-premises SharePoint servers as an initial access vector. In the incident Microsoft described, evidence suggests that initial access may have been obtained not through CVE-2026-45659 itself, but through CVE-2025-11371, a critical flaw with a CVSS score of 9.1 affecting Gladinet Triofox — a third-party file sharing and remote access solution that many organizations use in conjunction with SharePoint environments.
The technical sophistication of Storm-2603's post-exploitation playbook is worth examining in detail, as it illustrates the multi-layered challenge facing security teams. After gaining initial access, the group deployed Velociraptor — a legitimate open-source digital forensics and incident response tool — to blend malicious activity with trusted administrative behavior, making detection significantly harder. They established multiple redundant remote access channels through Cloudflare tunneling, Zoho Assist, and SSH connections configured through Visual Studio Code, ensuring persistence even if individual channels were discovered and closed.
Privilege escalation was achieved by creating new local and domain administrator accounts, while a vulnerable kernel driver ("NSecKrnl.sys") was exploited to tamper with endpoint security protections, effectively blinding defensive tools. According to Microsoft's Security Blog, this combination of known ransomware tactics and deliberately obscured techniques allowed the threat actors to establish "deep and lasting access" across the environment.
"What may appear to be a single ransomware incident can quickly expand into something more complex — spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel. For security teams, the implication is clear: isolated signals rarely tell the full story."
— Microsoft Incident Response Team
The second, unrelated threat actor discovered in the same environment was using DLL side-loading and custom backdoors — techniques that, combined with Storm-2603's activity, created a tangled web of overlapping indicators that made accurate attribution extremely difficult. Investigators confirmed that lateral movement had extended beyond the initially compromised organization into a second company, which had been reached via the same ransomware campaign. The interconnected nature of modern enterprise networks means that a single unpatched SharePoint instance can become a gateway to an entire supply chain of victims.
CVE-2026-45659 in Context: How Does This Flaw Compare to Recent SharePoint Threats?
CVE ID         | Affected Product             | CVSS Score     | Vulnerability Type    | Privileges Required
CVE-2026-45659 | SharePoint Server (Multiple) | 8.8 (High)     | Deserialization / RCE | Low (Site Member)
CVE-2025-11371 | Gladinet Triofox             | 9.1 (Critical) | Remote Code Execution | Low
SharePoint has historically been a high-value target for threat actors precisely because of its central role in enterprise data storage and collaboration. Organizations that have delayed migration to SharePoint Online or Microsoft 365 cloud environments — often citing data sovereignty concerns, compliance requirements, or budget constraints — now find themselves managing a compounding risk exposure. Each new on-premises vulnerability extends the attack surface that cloud-based deployments have largely neutralized through Microsoft's centralized patching infrastructure.
This tension is especially relevant for European organizations navigating GDPR obligations. Many IT decision makers and legal teams have historically preferred on-premises SharePoint deployments to maintain tighter control over where data resides and how it is processed, particularly when dealing with sensitive personal data subject to strict transfer restrictions. However, the security trade-offs of maintaining aging on-premises infrastructure are becoming increasingly difficult to justify from a risk management perspective.
What European Organizations and Privacy-Conscious Teams Should Do Right Now
For European IT decision makers, privacy professionals, and small business owners running SharePoint on-premises, the immediate priority is clear: apply Microsoft's May 2026 security patches without delay. CISA has mandated that U.S. Federal Civilian Executive Branch agencies remediate by July 4, 2026, but the active exploitation documented in the KEV catalog makes this a universal priority, regardless of jurisdiction or organization size.
Beyond immediate patching, the CVE-2026-45659 incident surfaces several broader strategic considerations worth examining:
Audit authenticated user permissions rigorously. Since this vulnerability can be triggered by any user with Site Member-level permissions, organizations should conduct an immediate audit of who has access to SharePoint sites — particularly guest accounts, former employees with lingering access, and third-party contractors. Principle of least privilege is not just a compliance checkbox; it is a meaningful mitigation layer against low-barrier exploits like this one.
Reassess your on-premises vs. cloud posture. For organizations that have been deferring cloud migration decisions, this incident provides concrete evidence of the risk profile associated with maintaining on-premises SharePoint. European alternatives to Microsoft's ecosystem — including open-source document collaboration platforms and European-hosted cloud infrastructure providers — offer viable paths for organizations seeking both security and data sovereignty, as noted by digital rights advocates and tracked by organizations like the European Data Protection Supervisor.
Revisit incident response playbooks for multi-actor scenarios. The Microsoft investigation revealing two simultaneous, unrelated threat actors in the same environment is not an edge case — it is a signal of how complex enterprise breaches have become. Security teams should stress-test their incident response procedures against multi-actor scenarios and ensure that forensic investigation does not stop at identifying the first attacker.
Monitor for indicators associated with Storm-2603. Organizations running on-premises SharePoint should proactively hunt for signs of Warlock ransomware activity, including unusual use of Velociraptor, unexpected Cloudflare tunnel configurations, new local or domain administrator account creation, and anomalous SSH activity originating from Visual Studio Code processes.
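One way to carry out the permission audit recommended above, as an added example that is not from the article or from Microsoft: the script below walks every site collection in an on-premises farm and lists each account holding Members-level access or higher, flagging domain groups (which extend the trigger permission to every member of the group), direct grants outside any SharePoint group, and logins matching an assumed guest/contractor naming convention. It uses the SharePoint Server object model as exposed in the SharePoint Management Shell; the review patterns and the output file name are assumptions.

```powershell
# Added example, not from the article or Microsoft. Inventories everyone with Members-level
# access (or more) on each site in an on-premises farm so the list can be reviewed for
# guests, departed staff and contractors. Run from the SharePoint Management Shell on a
# farm server with an account that can read every site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPMemberLevelAccess {
    param(
        # Assumed naming convention for accounts that warrant review; adjust to your directory.
        [string[]]$ReviewPatterns = @('*#ext#*', '*guest*', '*contractor*', '*vendor*')
    )
    foreach ($site in Get-SPSite -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    # Members is the floor the advisory describes; Owners can do everything a Member can.
                    $groups = @($web.AssociatedMemberGroup, $web.AssociatedOwnerGroup) | Where-Object { $_ -ne $null }
                    foreach ($group in $groups) {
                        foreach ($user in $group.Users) {
                            # A domain group in Members grants the trigger permission to all of its members.
                            $flag = [bool]$user.IsDomainGroup
                            foreach ($pattern in $ReviewPatterns) { if ($user.LoginName -like $pattern) { $flag = $true } }
                            [pscustomobject]@{
                                SiteUrl       = $web.Url
                                Group         = $group.Name
                                Login         = $user.LoginName
                                Email         = $user.Email
                                IsDomainGroup = $user.IsDomainGroup
                                NeedsReview   = $flag
                            }
                        }
                    }
                    # Principals granted a role directly on the web, outside any SharePoint group.
                    foreach ($assignment in $web.RoleAssignments) {
                        if ($assignment.Member -is [Microsoft.SharePoint.SPUser]) {
                            [pscustomobject]@{
                                SiteUrl       = $web.Url
                                Group         = '(direct)'
                                Login         = $assignment.Member.LoginName
                                Email         = $assignment.Member.Email
                                IsDomainGroup = $assignment.Member.IsDomainGroup
                                NeedsReview   = $true   # direct grants bypass group governance; always review
                            }
                        }
                    }
                } finally { $web.Dispose() }
            }
        } finally { $site.Dispose() }
    }
}

# Example usage: keep the full inventory, then pull out the entries to review first.
Get-SPMemberLevelAccess | Export-Csv -NoTypeInformation -Path .\sharepoint-member-access.csv
Import-Csv .\sharepoint-member-access.csv | Where-Object { $_.NeedsReview -eq 'True' } | Format-Table -AutoSize
```

Every `SPWeb` and `SPSite` is disposed in a `finally` block because the object model holds unmanaged resources and a farm-wide walk leaks memory badly otherwise. Treat the CSV as the input to an access review with site owners, not as the end of the exercise: accounts that legitimately need Members rights still represent exposure until the May 2026 patch is applied.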
Organizations must move beyond patch management to include threat hunting and multi-actor incident response planning
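The following hunting script is an added example, not code from the article or from Microsoft, and it covers the indicator categories listed under "Monitor for indicators associated with Storm-2603": account creation and privileged-group additions in the Security event log, running Velociraptor or Cloudflare tunnel processes, SSH sessions whose parent is Visual Studio Code, and the NSecKrnl.sys driver. Only the driver file name comes from the article; the process, service and executable names (velociraptor, cloudflared.exe, Code.exe, ssh.exe) are assumptions about default names that must be tuned to what is normal in your environment.

```powershell
# Added example, not from the article or Microsoft. Sweeps one Windows server (for example a
# SharePoint front end) for the indicator categories the article lists. Run elevated; the
# 4720/4728/4732 events require account-management auditing to be enabled.
function Find-Storm2603Indicators {
    param([int]$LookbackDays = 30)
    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit([string]$Indicator, [string]$Detail, $Time = (Get-Date)) {
        $hits.Add([pscustomobject]@{ Time = $Time; Indicator = $Indicator; Detail = $Detail })
    }

    # Account creation and privileged-group additions. 4720 = user account created,
    # 4732 = member added to a local group, 4728 = member added to a global (domain) group.
    $adminGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read EventData fields by name rather than by position so the logic survives schema changes.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4720) {
            Add-Hit 'AccountCreated' "$($data.TargetDomainName)\$($data.TargetUserName) created by $($data.SubjectUserName)" $e.TimeCreated
        } elseif ($adminGroups -contains $data.TargetUserName) {
            Add-Hit 'PrivilegedGroupAdd' "$($data.MemberName) added to $($data.TargetUserName) by $($data.SubjectUserName)" $e.TimeCreated
        }
    }

    # Running processes: tunnel/DFIR tooling (assumed names) and SSH sessions spawned by VS Code.
    $procs = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -match '^(velociraptor|cloudflared)') {
            Add-Hit 'SuspiciousProcess' "$($p.Name) (PID $($p.ProcessId)): $($p.CommandLine)"
        }
        if ($p.Name -eq 'ssh.exe') {
            $parent = $byId[[int]$p.ParentProcessId]
            if ($parent -and $parent.Name -eq 'Code.exe') {
                Add-Hit 'SshFromVSCode' "ssh.exe PID $($p.ProcessId), parent Code.exe PID $($parent.ProcessId): $($p.CommandLine)"
            }
        }
    }

    # Persistence and defence evasion: a Velociraptor service, and the vulnerable kernel driver.
    foreach ($svc in (Get-Service | Where-Object { $_.Name -like '*velociraptor*' -or $_.DisplayName -like '*velociraptor*' })) {
        Add-Hit 'VelociraptorService' "$($svc.Name) ($($svc.Status))"
    }
    foreach ($drv in (Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*NSecKrnl.sys' })) {
        Add-Hit 'VulnerableDriverLoaded' "$($drv.Name) state=$($drv.State) path=$($drv.PathName)"
    }
    $driverFile = Join-Path $env:SystemRoot 'System32\drivers\NSecKrnl.sys'
    if (Test-Path $driverFile) { Add-Hit 'VulnerableDriverOnDisk' $driverFile }

    return $hits
}

Find-Storm2603Indicators -LookbackDays 14 | Sort-Object Time | Format-Table -AutoSize
```

A hit is a lead, not a verdict: Velociraptor is a legitimate DFIR tool and Cloudflare tunnels have legitimate uses, so each finding should be checked against change records and the known-good tooling inventory. Because the article notes that the driver was used to blind endpoint protection, the driver checks are worth running from a separate collection mechanism as well, since the local agent may already have been tampered with.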
From a GDPR compliance perspective, a successful exploitation of CVE-2026-45659 in a SharePoint environment holding personal data would almost certainly trigger data breach notification obligations under Article 33 of the GDPR. Organizations have