CISA Warns of Active SharePoint RCE Exploitation

"Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network," CISA said.

CVE-2026-45659 and CISA's KEV Addition

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added CVE-2026-45659 — a high-severity remote code execution flaw affecting Microsoft SharePoint Server — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability carries a CVSS score of 8.8 and arises from the deserialization of untrusted data.

Affected SharePoint Versions and Microsoft Patch

Microsoft addressed CVE-2026-45659 in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. According to Microsoft, exploitation can be triggered by any authenticated attacker and does not require administrator or other elevated privileges. In a network-based attack scenario, an authenticated actor with a minimum of Site Member permissions (PR:L) could leverage the flaw to execute code remotely on a SharePoint Server.

Active Exploitation, Microsoft's Assessment, and FCEB Guidance

Although Microsoft has tagged the flaw with an "Exploitation Less Likely" assessment, CISA's KEV listing reflects evidence that exploitation is occurring in the wild. In light of that active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 4, 2026.

Microsoft Incident Response: Storm-2603, tooling, and parallel actors

Microsoft's own incident response work revealed a more complex operational picture in which two unrelated attackers operated simultaneously within the same network. One set of attacks was attributed to Storm-2603, a threat actor Microsoft says has deployed Warlock ransomware and often exploited known vulnerabilities in on-premises SharePoint servers since mid-2025.

Microsoft described an attack sequence in which initial access was likely attempted through a separate vulnerability, with requests for files such as win.ini and web.config — activity Microsoft characterized as probing for local file inclusion. Evidence pointed to CVE-2025-11371 (CVSS: 9.1), a critical flaw affecting Gladinet Triofox, as the likely initial access vector.

Once inside, the actor attributed to Storm-2603 reportedly deployed Velociraptor to blend malicious activity with trusted administrative behavior and established multiple remote access channels using Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. The group escalated privileges by creating new local and domain administrator accounts, and a vulnerable driver identified as "NSecKrnl.sys" was used to tamper with endpoint security protections and reduce detection visibility.

In parallel, Microsoft observed a second, unrelated threat actor co-existing in the same environment using DLL side-loading and custom backdoors, complicating attribution and incident response. Microsoft said attackers moved laterally beyond the first compromised network and into a second organization, which confirmed it had been compromised by the same ransomware activity attributed to Storm-2603. "Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion," Microsoft Incident Response said. "The blend of known ransomware tactics and hidden techniques allowed the threat actors to establish deep and lasting access."

What this means for the Federal Civilian Executive Branch, security teams, and affected enterprises

  • Federal Civilian Executive Branch: Apply Microsoft’s May 2026 fixes by July 4, 2026, as directed by CISA’s KEV listing.
  • Security teams and incident responders: Watch for signs documented by Microsoft — requests for win.ini and web.config, use of Velociraptor, Cloudflare tunneling, Zoho Assist, SSH via Visual Studio Code, creation of new local and domain admin accounts, tampering involving "NSecKrnl.sys," DLL side-loading, and custom backdoors — and consider investigations that account for multiple concurrent intrusions that can mask one another.
  • Affected enterprises running SharePoint Server Subscription Edition, SharePoint Server 2019, or SharePoint Enterprise Server 2016: Prioritize deploying Microsoft’s patches and review authenticated access controls, since an attacker with Site Member permissions (PR:L) could exploit this vulnerability without elevated credentials.
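An added hunting example, not code from the article or from Microsoft: a Python script that scans constructed IIS W3C log lines for the win.ini and web.config requests Microsoft characterized as local file inclusion probing, and constructed driver-load events for the "NSecKrnl.sys" driver. The log field layout, IP addresses and hostnames are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# File names Microsoft described attackers requesting while probing for LFI.
PROBE_TARGETS = ("win.ini", "web.config")
# Vulnerable driver named in Microsoft's incident response findings.
SUSPICIOUS_DRIVERS = ("nseckrnl.sys",)

# Assumed IIS W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

def decode_request(stem: str, query: str) -> str:
    """Decode twice to unmask double-encoded traversal; normalise path separators."""
    return unquote(unquote(f"{stem}?{query}")).replace("\\", "/")

def is_probe(stem: str, query: str) -> bool:
    """True if the decoded path or query references one of the probe targets."""
    blob = decode_request(stem, query).lower()
    return any(target in blob for target in PROBE_TARGETS)

def scan_iis_log(lines):
    """Return (client_ip, decoded request, status) for each probing request."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        m = IIS_LINE.match(line)
        if m and is_probe(m["stem"], m["query"]):
            hits.append((m["ip"], decode_request(m["stem"], m["query"]), int(m["status"])))
    return hits

def scan_driver_loads(events):
    """events: iterable of (host, image_path); return loads of the named driver."""
    return [(host, path) for host, path in events
            if path.replace("\\", "/").rsplit("/", 1)[-1].lower() in SUSPICIOUS_DRIVERS]

# Constructed sample data, not taken from the incident.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2026-06-01 10:00:01 203.0.113.5 GET /sites/team/Shared%20Documents/report.docx - 200",
    "2026-06-01 10:00:02 203.0.113.9 GET /api/download file=..%2F..%2Fwindows%2Fwin.ini 500",
    "2026-06-01 10:00:03 203.0.113.9 GET /api/download file=..%252F..%252Fweb.config 404",
    "2026-06-01 10:00:04 198.51.100.2 POST /_layouts/15/upload.aspx - 200",
]
SAMPLE_DRIVERS = [
    ("sp-web-01", r"C:\Windows\System32\drivers\tcpip.sys"),
    ("sp-web-01", r"C:\Users\Public\NSecKrnl.sys"),
]

if __name__ == "__main__":
    for ip, req, status in scan_iis_log(SAMPLE_LOG):
        print(f"LFI probe from {ip}: {req} (HTTP {status})")
    for host, path in scan_driver_loads(SAMPLE_DRIVERS):
        print(f"vulnerable driver loaded on {host}: {path}")
```

The same matching can be pointed at real IIS logs and Sysmon driver-load events; the double decode matters because a single-pass check misses the `%252F` form shown in the sample.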

Microsoft and CISA have drawn a narrow but urgent picture: a high-severity deserialization flaw fixed in May 2026 is being actively exploited, even as Microsoft judges exploitation "less likely." Who is carrying out the activity and what their ultimate objectives are remains unknown, while simultaneous intrusions — including activity attributed to Storm-2603 — show how quickly incidents can widen and obscure one another. For defenders, the immediate task is concrete and time-bound: patch the named SharePoint versions and hunt for the specific techniques Microsoft has observed.

https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html