SharePoint RCE CVE-2026-45659 Under Active Exploitation — Patch Now
What Happened
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday — a high-severity remote code execution flaw in Microsoft SharePoint Server. CISA's KEV listing is not precautionary: it signals confirmed, ongoing exploitation in the wild. The vulnerability enables an attacker to execute arbitrary code remotely on the SharePoint server, giving a successful attacker process-level access and a foothold inside the network perimeter.
Full technical details remain limited, but high-severity SharePoint RCEs have historically been exploited via crafted HTTP requests against the web front-end — in some cases without valid credentials.
Why It Matters
SharePoint Server is load-bearing infrastructure in most enterprise environments: document management, intranets, workflow automation, and integration pipelines all commonly run through it. A compromised SharePoint instance is rarely isolated. It typically has access to Active Directory, internal file shares, and often holds OAuth tokens or service account credentials that open lateral movement paths through the rest of the network.
The CISA KEV listing carries a hard remediation deadline for U.S. federal civilian agencies (typically three weeks), but the practical signal for any organization is the same: this is not a "patch next cycle" situation. Threat actors are actively scanning for and exploiting this vulnerability right now.
RCE flaws in SharePoint have a well-documented track record of rapid weaponization. CVE-2019-0604 and the ProxyLogon-adjacent SharePoint vulnerabilities in 2021 were both picked up by ransomware groups and nation-state actors within days of public disclosure. CVE-2026-45659 has already passed that threshold — exploitation is confirmed before most organizations have had a chance to respond.
What to Do
Patch immediately. Apply Microsoft's security update for CVE-2026-45659. Check the Microsoft Security Update Guide for the specific KB article and affected SharePoint versions. If automatic updates are enabled, confirm the patch was successfully applied — do not assume.
Audit your exposure. Internet-facing SharePoint installations — extranets, partner portals, hybrid SharePoint/OneDrive setups — carry elevated risk. Internal-only instances are not safe if your perimeter is the only control layer.
Hunt for indicators of compromise. Review IIS and ULS logs on SharePoint web front-end servers for unusual POST requests, unexpected process lineage (w3wp.exe spawning cmd.exe or powershell.exe), and new scheduled tasks or services created in the past two weeks. Pull logs directly from WFE servers if centralized logging is not in place.
Isolate if you cannot patch immediately. If change control or testing requirements block an emergency patch, restrict network access to the SharePoint server at the firewall or load-balancer level — particularly from untrusted or internet-adjacent segments — until the patch is applied. This is a stopgap, not a fix.
Verify EDR coverage on SharePoint servers. Confirm your endpoint detection tooling is deployed and active on every SharePoint front-end. Process injection and unusual child process creation from w3wp.exe are the primary behavioral signals to alert on.
The gap between a CISA KEV listing and widespread opportunistic exploitation is measured in hours, not days. Act today.
Synthesized by Claude · sanity-checked before publish.