What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 2, 2026. The flaw, tracked as CVE‑2026‑45659 with a CVSS score of 8.8, affects Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. It is a deserialization‑of‑untrusted‑data bug that allows an authenticated attacker with just Site Member permissions to execute arbitrary code over the network.
Technical Analysis
Deserialization vulnerabilities arise when an application processes serialized objects without proper validation. In SharePoint, the flaw resides in the handling of certain object streams used by the server’s backend services. When a malicious payload is supplied, the server deserializes it and runs attacker‑controlled code. Because the vulnerability is network‑based, exploitation requires only a valid SharePoint credential; no administrative rights are needed. Microsoft’s advisory notes that the attack complexity is low (AC:L) and the required privileges are minimal (PR:L). The bug was addressed in May 2026, when Microsoft released patches for the affected versions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. However, the vulnerability was inadvertently omitted from the May security update announcement, leaving many systems exposed.
Who’s Affected
Any organization running on‑premises SharePoint Server versions listed above is at risk. Shadowserver reports that over 10,000 SharePoint instances are publicly reachable on the internet, many of which likely host outdated software. Federal civilian agencies have been specifically warned to remediate by July 4, 2026, but the exposure spans private enterprises, universities, and government contractors worldwide. Attackers can leverage the foothold to move laterally across internal networks, exfiltrate sensitive documents, or deploy ransomware payloads. The active exploitation signal from CISA suggests that threat actors are already weaponising the flaw in the wild.
How to Protect Yourself
- Apply Microsoft’s May 2026 patches immediately on all SharePoint Server instances. Verify the installed versions match the patched releases.
- Enable multi‑factor authentication (MFA) for all SharePoint accounts. MFA makes stolen or guessed passwords harder to use, which shrinks the pool of usable credentials and mitigates the low‑privilege authentication vector.
- Conduct an internet‑exposure scan (e.g., using Shodan or Shadowserver data) to identify any externally accessible SharePoint servers. Block inbound traffic at the perimeter where feasible.
- Review audit logs for unusual access patterns, especially login events from non‑corporate IP ranges or repeated failed attempts.
- Implement strict least‑privilege assignments: ensure users only have the permissions required for their role, removing unnecessary Site Member rights.
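
One way to run the audit-log review from the list above, as an added example that is not code from Microsoft, CISA or Sable: it parses IIS W3C logs from a SharePoint front end and flags authenticated requests from outside corporate ranges and client IPs with repeated 401 responses. The corporate ranges, the threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions, not from the article: corporate ranges and the failure threshold.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
FAILED_THRESHOLD = 5  # 401s also occur during normal NTLM/Kerberos negotiation

# Constructed sample in IIS W3C extended log format; not real traffic.
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status",
    "2026-07-02 09:00:01 GET /sites/hr/default.aspx CONTOSO\\alice 10.1.2.3 200",
    "2026-07-02 09:03:10 GET /sites/hr/default.aspx CONTOSO\\bob 203.0.113.50 200",
    "2026-07-02 09:04:00 GET /sites/hr/default.aspx - 10.1.2.9 401",
] + ["2026-07-02 09:05:00 GET /sites/hr/default.aspx - 198.51.100.7 401"] * 6)


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def review(text):
    """Return (authenticated requests from outside corporate ranges, IPs with repeated 401s)."""
    external, failures = set(), Counter()
    for row in parse_w3c(text):
        status, user, ip = row["sc-status"], row["cs-username"], row["c-ip"]
        if status == "401":
            failures[ip] += 1
        elif user != "-" and status.startswith("2") and not is_corporate(ip):
            external.add((user, ip))
    noisy = {ip: n for ip, n in failures.items() if n >= FAILED_THRESHOLD}
    return external, noisy


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Because the column names are read from the `#Fields` line, the same parser works with whichever fields a given IIS site is configured to log, provided `cs-username`, `c-ip` and `sc-status` are among them.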
The Sable Angle
At Sable we routinely audit on‑premises collaboration platforms for exactly these kinds of deserialization flaws. Our recent research into supply‑chain attacks (OpenClaw research) highlighted how a single unpatched service can become the launchpad for nation‑state actors. By combining automated scanning with threat‑intelligence feeds, we can surface vulnerable SharePoint installations before attackers do.
If you need a deeper dive into how the vulnerability interacts with custom SharePoint web parts, check out our technical brief on the exploitation pathway. Our team stands ready to assist with rapid patch validation, forensic triage, and hardening recommendations to keep your data safe.