SharePoint Server Actively Exploited: CISA Orders Patch Before Ransomware Actors Strike | #ransomware | #cybercrime


Federal agencies operating on-premises Microsoft SharePoint Server are under a hard patch deadline today — July 4, 2026 — after the U.S. Cybersecurity and Infrastructure Security Agency confirmed on July 1 that attackers are actively exploiting a high-severity remote code execution vulnerability that any ordinary employee, contractor, or partner can trigger with nothing more than standard document-editing credentials. The vulnerability, CVE-2026-45659, was patched by Microsoft in a late-May out-of-band update, but the five-week lag between the patch’s release and CISA’s confirmation of active exploitation means organizations that deferred the update are now racing against adversaries who are already inside some networks.

Microsoft patched the flaw but initially assessed it as “exploitation less likely.” SecurityWeek reported that CISA’s July 1 Known Exploited Vulnerabilities listing reversed that assessment with confirmed evidence that exploitation is underway.

Why Site Member Access Makes Every Employee a Potential Attack Vector

CVE-2026-45659 inverts the normal model of enterprise intrusion. Attackers targeting most enterprise systems must first gain privileged access — a domain administrator account, a service account, or at minimum a foothold on an elevated system. This flaw requires none of that.

According to Microsoft’s advisory, any authenticated user holding a minimum of Site Member permissions can trigger the vulnerability. Site Member is not an elevated role. It is the standard access level granted to employees who collaborate on SharePoint document libraries — staff who need to view, upload, or edit files. In most enterprise SharePoint deployments, Site Member access is distributed broadly: across teams, departments, contractors, and in many cases partner organizations with shared document workspaces. The attack surface for CVE-2026-45659 therefore scales directly with an organization’s normal use of SharePoint as a collaboration platform.

How the Deserialization Flaw Works

The underlying vulnerability is classified as CWE-502, deserialization of untrusted data. When SharePoint transmits or stores structured data, it converts complex objects — document metadata, session state, application configuration — into a flattened byte stream for transit or storage. Deserialization is the reverse: SharePoint receives that byte stream and reconstructs it into working objects the application can act on.

OWASP’s documentation on deserialization vulnerabilities explains the core problem: when an application reconstructs objects from data without sufficiently verifying that the result will be valid, an attacker who controls the input can cause the application to instantiate and execute a malicious object instead of legitimate application data.

That is what CVE-2026-45659 allows. An attacker who sends a specially crafted serialized payload causes SharePoint to reconstruct and execute attacker-controlled code. That code runs inside the SharePoint worker process, w3wp.exe, under the application pool’s service identity. Microsoft confirmed that the attack requires no prior knowledge of the target system and can achieve, in the company’s words, “repeatable success with the payload against the vulnerable component” — meaning once an attacker has working exploit code, they can deploy it reliably at scale against any unpatched SharePoint server they can reach and authenticate to.

Who Is Affected

The vulnerability affects three on-premises SharePoint Server product lines. SharePoint Online — the Microsoft 365 cloud version — is not affected.

ProductVulnerable Below Build
SharePoint Server Subscription Edition16.0.19725.20280
SharePoint Server 201916.0.10417.20128
SharePoint Enterprise Server 201616.0.5552.1002

To check a farm’s current build, run the following in the SharePoint Management Shell:

Get-SPFarm | Select BuildVersion

If the build falls below the thresholds above, the server is actively vulnerable. Administrators running multi-server farms must check every node individually; a single updated web front-end does not protect the farm if other servers remain on a vulnerable build.

How to Apply the Microsoft SharePoint Patch

Microsoft released the fix as an out-of-band update in late May 2026. CVE-2026-45659 was inadvertently omitted from Microsoft’s standard May Patch Tuesday advisory, meaning organizations that rely on the security bulletin to prioritize patching may not have flagged this update as urgent at the time of release. CISA’s July 1 KEV listing makes that prior triage irrelevant: the patch exists and exploitation is confirmed.

The Microsoft Security Response Center advisory for CVE-2026-45659 lists the specific fixes:

  • SharePoint Server Subscription Edition → KB5002863
  • SharePoint Server 2019 → KB5002870
  • SharePoint Enterprise Server 2016 → KB5002868

After applying each update, two additional steps are required on every server in the farm. First, run the SharePoint Products Configuration Wizard on each server — application server first, then each web front-end. The wizard does not run automatically; skipping it leaves the farm in a partially configured state. Second, run iisreset /restart on each web front-end after the wizard completes. Leaving IIS in its pre-patch state on any node preserves a vulnerable endpoint even after the binaries have been updated.

Is the Server Already Compromised?

Organizations that have not applied the May 2026 update should treat patching and compromise assessment as simultaneous, not sequential activities. A successful exploit against CVE-2026-45659 runs attacker-controlled code inside the SharePoint worker process. Defenders should look for the following:

Anomalous process trees: Monitor for w3wp.exe spawning child processes — particularly cmd.exe, powershell.exe, or cscript.exe — on SharePoint servers. This is the most reliable post-exploitation indicator.

Suspicious IIS log entries: Review logs on all web front-end servers for unusual POST requests to /_layouts/ paths, particularly those with unusually large request bodies or content types inconsistent with normal SharePoint operations.

Unauthorized ASPX files: Search web-accessible SharePoint directories for any .aspx files that did not exist before the vulnerability’s disclosure window. Web shells planted through a deserialization exploit typically appear in these locations.

Credential and service account anomalies: Review authentication logs for unexpected logins from service accounts, geographic anomalies, or activity at unusual hours.

Temporary Mitigations for Organizations That Cannot Patch Immediately

Patching is the only complete fix. Organizations whose change management or testing processes prevent immediate deployment should implement the following as temporary risk reduction:

Restrict Site Member access: Review and tighten who holds Site Member permissions. Suspend accounts for contractors, former employees, or partner organizations that no longer require active access.

Network segmentation: Block direct internet access to SharePoint servers where possible. Restrict access to trusted internal networks or authenticated VPN connections.

Web application firewall rules: Deploy rules targeting anomalous POST requests to SharePoint deserialization endpoints.

Rotate service account credentials: Reset passwords for all SharePoint application pool identities, service accounts, and managed accounts regardless of whether a compromise has been identified.

These are stopgaps — not alternatives to the patch.

SharePoint Has Been a Persistent High-Value Target

CVE-2026-45659 arrives in the context of a documented pattern. In April 2026, Microsoft patched a different SharePoint vulnerability exploited as a zero-day. In March 2026, CISA warned of another SharePoint flaw being actively targeted. In July 2025, Chinese-linked nation-state actors Linen Typhoon and Violet Typhoon, alongside the financially motivated ransomware group Storm-2603, exploited a separate critical set of SharePoint vulnerabilities — the ToolShell chain — against more than 150 organizations including government agencies and critical infrastructure operators, according to Resecurity’s reporting. Microsoft’s Security Blog provides detailed analysis of that campaign.

The pattern reflects SharePoint’s structural position inside enterprise networks. A successfully compromised SharePoint server is not a file-storage incident — it is a foothold. The application pool service identity running SharePoint code typically has broad network access: to SQL Server databases, to Active Directory for user provisioning, and in many deployments to service accounts with privileges well beyond the document library. Attackers who achieve code execution on a SharePoint server through CVE-2026-45659 inherit whatever that server can reach — which in most enterprise deployments is considerably more than the documents themselves.

SharePoint Server 2016 Support Ends in Ten Days

Organizations running SharePoint Enterprise Server 2016 face a compounding deadline. Microsoft has confirmed that SharePoint Server 2016 reaches end of extended support on July 14, 2026 — ten days from today. After that date, Microsoft will no longer release security updates for the 2016 product line, meaning any subsequent vulnerability discovered there will remain permanently unpatched on unupgraded deployments.

CISA’s July 4 remediation deadline covers CVE-2026-45659 specifically. The end-of-support deadline is a separate and permanent condition. Organizations still running SharePoint Server 2016 should treat both as simultaneous drivers for a migration decision.


Frequently Asked Questions

Does CVE-2026-45659 affect SharePoint Online or Microsoft 365?

No. This vulnerability affects only on-premises SharePoint Server deployments — specifically SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft’s cloud-hosted SharePoint Online in Microsoft 365 is managed and patched by Microsoft’s own infrastructure and is not affected.

I applied the May update. Am I protected?

Verify rather than assume. Check the farm’s build number using Get-SPFarm | Select BuildVersion and compare it against the fixed builds listed above. CVE-2026-45659 was inadvertently omitted from the original May security update bulletin but was addressed by the same May 2026 update packages. If the farm is running the fixed builds, it is protected against this specific flaw — but only if the SharePoint Products Configuration Wizard and an IIS reset were completed on every server in the farm after the update was installed.

Why did CISA classify this as actively exploited when Microsoft said exploitation was less likely?

Microsoft’s initial “exploitation less likely” assessment reflected the technical bar required at the time of disclosure in late May. CISA’s July 1 Known Exploited Vulnerabilities addition means the agency has confirmed evidence that exploitation is occurring in the wild. The two assessments are not contradictory: Microsoft’s rating reflected the exploitation likelihood at disclosure; CISA’s listing reflects observed reality five weeks later. When a KEV listing contradicts an earlier vendor assessment, the KEV listing governs remediation priority.

What can an attacker do once they have code execution on a SharePoint server?

Code execution in the SharePoint worker process gives an attacker the same network access and permissions that the application pool identity holds. In most deployments this includes read and write access to SharePoint content databases, access to the SharePoint administration service, and potentially access to other network resources the server can reach. Post-exploitation activity in similar SharePoint incidents has included lateral movement to Active Directory, exfiltration of document library contents, deployment of web shells for persistent access, and in ransomware incidents, encryption of storage accessible from the server.



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW