CISA Sets July 4 Deadline for SharePoint RCE Flaw
CISA has added a Microsoft SharePoint flaw to its list of vulnerabilities under active attack, giving federal agencies until July 4 to patch it. The bug lets any logged-in user with basic site permissions run code on the server, no admin access needed, and Microsoft already shipped the fix back in May. If you run SharePoint Server on-premises, this is a today problem.
By SecureBusinessHub Editorial, International cybersecurity desk
CISA confirmed on Wednesday that a Microsoft SharePoint Server flaw is under active attack, and gave federal civilian agencies until July 4 to patch it. That's a three-day window for a bug that's been fixable since May.
What the Flaw Does
The vulnerability, tracked as CVE-2026-45659 and scored 8.8 out of 10, is a deserialization of untrusted data bug that lets an authenticated attacker run code remotely on the server. Microsoft says it does not require admin or other elevated privileges: an attacker only needs a minimum of Site Member permissions, meaning any ordinary logged-in account, or one stolen through phishing or credential stuffing, is enough to trigger it.
The bug affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, all on-premises deployments. Microsoft patched it in May 2026, so any unpatched SharePoint Server has had roughly two months of public exposure. SharePoint Online, the Microsoft 365 cloud version, is not affected.
Deserialization bugs like this one are dangerous because of what they skip. Normally, a server validates data against strict rules before acting on it. Deserialization takes a stored object, in this case something SharePoint saved earlier, and rebuilds it directly into a live object without that validation, and the code that runs during the rebuild is dictated by whatever the stored data claims the object is. If an attacker can control what gets rebuilt, they control what runs. That is why CVE-2026-45659 does not need an exploit chain or a clever bypass; it needs an account with basic site access and a crafted piece of data.
Who's Behind It, and Why It Matters Now
Microsoft has not said who is exploiting the flaw or what the end goal is. Its own advisory rates exploitation as "Exploitation Less Likely," which makes CISA's active-exploitation confirmation notable: something is happening in the wild that Microsoft's own risk model didn't anticipate.
On-premises SharePoint has had a rough year. Late last month, Microsoft disclosed that a routine ransomware investigation turned up two unrelated attackers operating inside the same network at once, one of them Storm-2603, a group that has repeatedly targeted SharePoint since mid-2025 to deploy Warlock ransomware. That earlier intrusion used a different flaw, in Gladinet Triofox, to get in, then moved through the network with legitimate-looking tools like Velociraptor and SSH tunnels configured through Visual Studio Code, while a vulnerable signed driver was used to tamper with endpoint security software and cut visibility. A single patched hole rarely means a network is clean.
Check Your Exposure Today
- Confirm your SharePoint Server build number reflects the May 2026 security update for CVE-2026-45659, checked via Central Administration or Windows Update history
- If you're still unpatched, treat any account with Site Member access or higher as a possible entry point, not just admin accounts
- Review SharePoint audit logs for unexpected code execution, unfamiliar service accounts, or new local or domain admin accounts created in the past two months
- Even after patching, check for lingering backdoors from earlier intrusions: unfamiliar SSH tunnels, unexpected Cloudflare tunnel configs, or remote-access tools you didn't install
- Audit which staff, contractors, or partner accounts hold Site Member permissions or higher; that low bar is the whole attack surface for this flaw
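Two of the checks above, the build-number confirmation and the inventory of accounts holding Site Member permissions or higher, scripted as an added example; this is not code from the article, CISA or Microsoft. It assumes the SharePoint Management Shell on a farm server, and $MinPatchedBuild is a placeholder because the article does not state the post-patch build number.

```powershell
# Added example, not from the article, CISA or Microsoft. Run in the SharePoint
# Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# PLACEHOLDER: replace with the build number Microsoft lists for the May 2026
# security update for your edition; the article does not state it.
$MinPatchedBuild = [version]'16.0.0.0'
function Test-SPFarmPatched {
    param([version]$MinimumBuild)
    # Farm build version is what Central Administration shows under "Servers in Farm".
    $farm = Get-SPFarm
    [pscustomobject]@{
        FarmBuild = $farm.BuildVersion
        Required  = $MinimumBuild
        Patched   = ($farm.BuildVersion -ge $MinimumBuild)
    }
}
function Get-SPContributorInventory {
    # Every principal holding a role that can add list items (Contribute/Edit or
    # higher) on any web: the "Site Member or higher" bar this flaw requires.
    $canAdd = [Microsoft.SharePoint.SPBasePermissions]::AddListItems
    foreach ($site in Get-SPSite -Limit All) {
        foreach ($web in $site.AllWebs) {
            # Webs that inherit permissions are already covered by their parent.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $roles = @($ra.RoleDefinitionBindings |
                        Where-Object { ($_.BasePermissions -band $canAdd) -eq $canAdd })
                    if ($roles.Count -eq 0) { continue }
                    # SharePoint groups are expanded so individual logins are visible.
                    $logins = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        @($ra.Member.Users | ForEach-Object { $_.LoginName }) -join '; '
                    } else { $ra.Member.Name }
                    [pscustomobject]@{
                        Web       = $web.Url
                        Principal = $ra.Member.Name
                        Roles     = ($roles | ForEach-Object { $_.Name }) -join ', '
                        Logins    = $logins
                    }
                }
            }
            $web.Dispose()
        }
        $site.Dispose()
    }
}
Test-SPFarmPatched -MinimumBuild $MinPatchedBuild | Format-List
Get-SPContributorInventory | Sort-Object Web, Principal | Format-Table -AutoSize
```

Enumerating every site collection with Get-SPSite -Limit All can take a while on a large farm; scope it with -WebApplication if you only need one web application.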
Federal agencies must comply by July 4; everyone else should treat that deadline as a floor, not a ceiling. A bug that's cheap to trigger and has been patchable for two months is exactly the kind of gap ransomware crews go looking for.