SharePoint RCE CVE-2026-45659: Patch Before the July 4 Deadline

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Storm-2603 is actively deploying Warlock ransomware against on-premises SharePoint Server environments by exploiting CVE-2026-45659, a CVSS 8.8 remote code execution flaw that any authenticated user can trigger — and CISA's patch deadline for federal agencies expires July 4, 2026. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on July 2, confirming that active exploitation is underway across real organizations right now.
CVE-2026-45659 is a deserialization of untrusted data vulnerability (CWE-502) affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. An attacker who holds only Site Member permissions — the standard access level for most employees on an enterprise SharePoint farm — can send a crafted HTTP request that triggers unsafe object deserialization, resulting in remote code execution under the web application's identity. Microsoft patched the flaw on May 12, 2026, in KB5002863, KB5002870, and KB5002868. The 52 days between patch availability and CISA's KEV addition means many organizations have been running open exposure throughout June.
This is the gap to close before the July 4 holiday weekend. Skeleton IT staffing, delayed alert response, and slower emergency change management make holiday weekends the preferred ransomware deployment window. Storm-2603 has been observed running parallel intrusions simultaneously across multiple victim environments, deploying Velociraptor for stealthy persistence and chaining Cloudflare tunnels, Zoho Assist sessions, and SSH channels through Visual Studio Code to maintain access even after partial remediation. If your SharePoint farm has not been patched to the May 2026 build, treat this as a patching emergency before close of business today.
How Does SharePoint RCE CVE-2026-45659 Work?
CVE-2026-45659 exploits a fundamental flaw in how on-premises SharePoint Server handles deserialization. Deserialization is the process of reconstructing an object from stored or transmitted data. When SharePoint processes user-supplied data without validating its type or integrity, an attacker can craft a malicious payload that, when deserialized by the server, executes arbitrary code under the IIS worker process identity.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and carries a CVSS 8.8 rating with low attack complexity. No elevated privileges are required. Any user holding Site Member permissions — the default access tier for most business users in enterprise SharePoint environments — can trigger the exploit. The attack vector is network-based: exploitation can originate from inside the corporate network or from any internet-exposed SharePoint front-end server.
Microsoft initially assessed CVE-2026-45659 as "exploitation less likely" in its May 2026 advisory. CISA's KEV addition on July 2 directly refuted that assessment with evidence of active in-the-wild exploitation by Storm-2603. The specific technical exploitation chain has not been publicly disclosed, but defenders must not wait for a working proof-of-concept to appear before patching.
Detection at the server level focuses on anomalous process trees. Monitor for w3wp.exe spawning cmd.exe, powershell.exe, or scripting engines on SharePoint servers. Review IIS logs on all front-end servers for unusual POST requests to /_layouts/ paths. Search web-accessible SharePoint directories for unauthorized ASPX files, which may represent web shells planted by attackers who have already exploited the vulnerability in your environment.
Which SharePoint Versions Are Affected by CVE-2026-45659?
Three on-premises SharePoint Server product lines are vulnerable to CVE-2026-45659. All three received patches in Microsoft's May 12, 2026 security update cycle. SharePoint Online (Microsoft 365) is not affected — this vulnerability is exclusive to on-premises deployments.
SharePoint Enterprise Server 2016 below build 16.0.5552.1002 (KB5002868) is vulnerable. SharePoint Server 2019 below build 16.0.10417.20128 (KB5002870) is vulnerable. SharePoint Server Subscription Edition below build 16.0.19725.20280 (KB5002863) is vulnerable.
Verify your farm's current build in the SharePoint Management Shell:
(Get-SPFarm).BuildVersion
For multi-server farms, collect build versions across all servers simultaneously:
$servers = @("sp-wfe-01","sp-wfe-02","sp-app-01")
Invoke-Command -ComputerName $servers -ScriptBlock {
$farm = Get-SPFarm
[PSCustomObject]@{
Server = $env:COMPUTERNAME
FarmBuild = $farm.BuildVersion.ToString()
}
}
Any server returning a build number below the fixed thresholds is actively vulnerable. Run this check across every server in every SharePoint farm your organization operates, including disaster recovery environments and development farms that may be connected to production networks. A single unpatched server in a multi-server farm can serve as the attacker's entry point across the entire environment.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Storm-2603 and Warlock Ransomware: Who Is Actively Exploiting SharePoint
Storm-2603 is a Microsoft-tracked threat actor that has been deploying Warlock ransomware against on-premises SharePoint Server environments since mid-2025. Warlock is a ransomware strain targeting organizations running legacy or unpatched SharePoint farms, and Storm-2603 exploits known SharePoint vulnerabilities to gain initial access rather than relying on phishing campaigns. This technical initial-access approach means standard email security controls offer no protection against this group.
In at least one documented intrusion, a routine ransomware investigation uncovered two completely unrelated attacker groups operating simultaneously inside the same compromised network. Both groups had exploited unpatched SharePoint servers to gain access. The presence of two independent attackers in a single environment points to opportunistic mass-scanning activity rather than narrow targeted campaigns. Storm-2603 is sweeping the internet for every unpatched SharePoint server it can reach.
After achieving code execution via CVE-2026-45659, Storm-2603 deploys Velociraptor, a legitimate open-source endpoint agent, to blend malicious activity with trusted administrative tooling. The group then establishes at least three redundant persistence channels: Cloudflare tunneling, Zoho Assist remote access sessions, and SSH connections routed through Visual Studio Code. This redundancy is deliberate. An incident responder who removes one channel while the others remain intact has not evicted the attacker. Full remediation requires identifying and removing all three persistence mechanisms before declaring the environment clean.
Storm-2603 has also been observed chaining CVE-2025-11371, a critical Gladinet Triofox flaw (CVSS 9.1), as an alternate initial access vector in the same intrusion campaigns. Organizations running Gladinet Triofox alongside SharePoint should treat both vulnerabilities as active targets.
“A routine ransomware investigation uncovered two unrelated attackers operating simultaneously within the same network, both having exploited unpatched on-premises SharePoint servers.”
Microsoft Security Blog, July 2026
Indicators of Compromise: What to Hunt on SharePoint Servers
Storm-2603 relies heavily on legitimate remote administration tools, which makes detection harder than scanning for dedicated malware signatures. Defenders should hunt for the following behavioral indicators and artifacts across all SharePoint servers and adjacent infrastructure.
Check Windows Security event logs for authenticated logons to SharePoint servers from unexpected source IPs or at hours outside normal business operations. Review IIS logs on all SharePoint front-end servers for POST requests to /_layouts/ paths, particularly requests followed by unusual child process activity from w3wp.exe.
Audit for unauthorized Cloudflare Tunnel installations (cloudflared) on SharePoint servers and adjacent systems. Cloudflare Tunnel is a legitimate product, but unauthorized deployments on dedicated SharePoint web front-ends represent a persistence mechanism. Similarly, hunt for Zoho Assist agent installations on SharePoint servers — this remote access tool should not be present on servers without explicit IT authorization and a corresponding ticket.
Search for Visual Studio Code Server installations (code-server, .vscode-server) on SharePoint servers. Storm-2603 uses VS Code's built-in SSH tunneling capability to maintain access. This is especially difficult to detect because VS Code is a standard developer tool that may have legitimate uses on some servers.
The DHS HSIN breach investigation highlighted how attackers using legitimate remote access tools in SharePoint environments maintained dwell times of weeks before detection. Organizations that have not audited for these tools since June 1, 2026 should treat the audit as urgent.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch SharePoint Server CVE-2026-45659 Before the Deadline
The SharePoint CVE-2026-45659 patch has been available since May 12, 2026. The only complete fix is applying the May 2026 cumulative updates. No workaround or interim configuration change fully blocks exploitation through this deserialization flaw.
Patching a multi-server SharePoint farm requires applying the update in the correct sequence. Start with the application server, then patch each front-end web server. After patching every server, run the SharePoint Products Configuration Wizard on each server in the farm. Skipping the post-patch wizard leaves the farm in an inconsistent state that can cause service instability and may not fully apply the security changes.
If immediate patching is blocked by a change-freeze window, apply these interim controls while waiting for an emergency change approval: restrict SharePoint site membership to verified, actively required users, removing any account that should not hold Site Member or higher permissions. Block direct internet-facing access to SharePoint servers that do not require external exposure. Enable enhanced IIS logging to capture POST request bodies on all front-end servers.
Post-patch, rotate service account passwords for all SharePoint-associated accounts regardless of whether compromise is suspected. Restart IIS on all front-end servers. Conduct a full audit for unauthorized ASPX files in web root directories, unauthorized Cloudflare Tunnel or Zoho Assist installations, and any Visual Studio Code Server deployments on SharePoint infrastructure. The patch closes the initial exploitation path but does not evict an attacker who has already established persistence.
Review CISA's June 2026 patch deadline guidance for context on how the KEV program prioritizes remediation timelines for actively exploited vulnerabilities across the federal and private sectors.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why SharePoint RCE CVE-2026-45659 Is This Weekend's Critical Gap
Holiday weekends are the ransomware operator's preferred deployment window. Skeleton IT staffing, delayed alert response times, and slower emergency change management mean ransomware launched Friday afternoon can encrypt and exfiltrate across an entire SharePoint farm before business resumes Tuesday morning. Storm-2603's confirmed pattern of simultaneously exploiting multiple victim environments signals it will target unpatched farms during the July 4 holiday.
The CISA KEV deadline of July 4, 2026 exists precisely because of this threat model. Federal agencies under Binding Operational Directive 26-04 are legally required to patch CVE-2026-45659 by midnight Saturday. Private-sector organizations are not bound by the directive but should treat it as a professional benchmark: CISA only adds vulnerabilities to the KEV catalog when it has evidence of confirmed real-world exploitation, not theoretical risk.
Microsoft's original "exploitation less likely" assessment has been overtaken by events. The lag between that May assessment and CISA's July 2 KEV addition reflects the time required to gather exploitation evidence across multiple victim environments — not an absence of risk during that window. CVE-2026-45659 has been actively exploited by a ransomware group that has already hit organizations using the same SharePoint vulnerability class.
The 52 days between patch availability and KEV confirmation represent exactly the exploitation window Storm-2603 used. Every additional day of unpatched exposure extends that window further. Close this gap before the holiday weekend begins. Any SharePoint Server Subscription Edition, 2019, or 2016 deployment below the May 2026 build threshold is an open door to Warlock ransomware with skeleton incident response on the other side.
The bottom line
SharePoint RCE CVE-2026-45659 carries a CVSS 8.8 score and requires only Site Member permissions to exploit, putting hundreds of standard employee accounts in scope as potential attacker proxies. Storm-2603 is actively deploying Warlock ransomware against unpatched SharePoint farms and uses Cloudflare tunnels, Zoho Assist, and VS Code SSH sessions for persistence that survives single-tool eviction. CISA's remediation deadline is July 4, 2026. Verify your farm build today using Get-SPFarm BuildVersion, apply KB5002863, KB5002870, or KB5002868, and audit every SharePoint server for unauthorized remote-access tooling before the holiday weekend begins.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-45659 in Microsoft SharePoint?
CVE-2026-45659 is a remote code execution vulnerability in on-premises Microsoft SharePoint Server caused by unsafe deserialization of untrusted data (CWE-502). Any authenticated user holding minimum Site Member permissions can send a crafted HTTP request that triggers the flaw, resulting in code execution under the IIS worker process identity. Microsoft patched it on May 12, 2026, and CISA added it to its Known Exploited Vulnerabilities catalog on July 2, 2026, confirming active in-the-wild exploitation.
Is CVE-2026-45659 actively exploited in the wild?
Yes. CISA confirmed active exploitation when it added CVE-2026-45659 to the KEV catalog on July 2, 2026. The threat actor Storm-2603 is exploiting unpatched SharePoint servers to deploy Warlock ransomware. A documented incident revealed two separate attacker groups operating simultaneously inside the same compromised network, both having gained access through unpatched SharePoint vulnerabilities, suggesting widespread opportunistic scanning activity.
What permissions does an attacker need to exploit CVE-2026-45659?
An attacker needs only Site Member permissions, the lowest authenticated SharePoint access level above anonymous users. Site Member access is standard for most business users across enterprise SharePoint environments, meaning a compromised employee account or any malicious insider with normal access is sufficient to trigger exploitation. No administrative or elevated privileges are required, which significantly expands the pool of potential attackers.
Which SharePoint versions are affected by CVE-2026-45659?
Three on-premises SharePoint products are affected: SharePoint Server Subscription Edition below build 16.0.19725.20280, SharePoint Server 2019 below build 16.0.10417.20128, and SharePoint Enterprise Server 2016 below build 16.0.5552.1002. SharePoint Online (Microsoft 365) is not affected. All three received patches in the May 12, 2026 security update release. Organizations running Microsoft 365 do not need to take action for this specific vulnerability.
How do I check if my SharePoint Server is patched for CVE-2026-45659?
Open the SharePoint Management Shell and run `(Get-SPFarm).BuildVersion`. Compare the returned build against the fixed thresholds: Subscription Edition must be at or above 16.0.19725.20280, SharePoint Server 2019 must be at or above 16.0.10417.20128, and SharePoint Enterprise Server 2016 must be at or above 16.0.5552.1002. For multi-server farms, run the check across all servers using Invoke-Command to ensure no individual host is running an unpatched build.
What does Storm-2603 do after exploiting a SharePoint server?
After achieving remote code execution via SharePoint vulnerabilities, Storm-2603 deploys Velociraptor, a legitimate open-source endpoint agent, to blend malicious activity with trusted administrative tooling. The group establishes three redundant persistence channels: Cloudflare Tunnel, Zoho Assist remote sessions, and SSH connections routed through Visual Studio Code. This redundancy means incident responders must identify and remove all three mechanisms before the attacker is fully evicted. Storm-2603 ultimately deploys Warlock ransomware as the final-stage payload.
What is Warlock ransomware?
Warlock is a ransomware strain deployed by Storm-2603 specifically against organizations running unpatched on-premises SharePoint Server. Like most modern ransomware, Warlock combines file encryption with data exfiltration, applying double-extortion pressure on victims. Unlike commodity ransomware distributed through phishing, Warlock arrives after server-side technical exploitation, meaning standard email security controls provide no protection against this delivery path. Storm-2603 has been deploying Warlock against SharePoint targets since mid-2025.
Can I temporarily mitigate CVE-2026-45659 without patching?
Temporary mitigations reduce exposure but cannot fully block exploitation. Restrict SharePoint site membership to verified, actively required users, removing any accounts that should not hold Site Member or higher permissions. Block direct internet-facing access to SharePoint servers that do not require external exposure. Enable enhanced IIS logging on all front-end servers to detect exploitation attempts. These steps narrow the attack surface but are not substitutes for applying the May 2026 cumulative updates. The patch is the only complete fix for CVE-2026-45659.
Sources & references
- CISA Known Exploited Vulnerabilities Catalog
- The Hacker News: SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
- Penligent AI: CVE-2026-45659 SharePoint RCE Technical Analysis
- Help Net Security: High-Severity SharePoint RCE Bug Patched by Microsoft
- The Register: Microsoft Said Exploitation Was Less Likely But CISA Just Added SharePoint RCE to KEV
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
