CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively exploiting a critical remote code execution vulnerability in Microsoft SharePoint Server in the wild. The flaw, rated CVSS 8.8, stems from unsafe deserialization in SharePoint’s processing pipeline and requires only authenticated access at the Site Member level — a low permission threshold in typical enterprise SharePoint deployments — to achieve server-side code execution.
Unsafe Deserialization in SharePoint and the Active Exploitation Confirmation
CVE-2026-45659 operates through SharePoint’s deserialization handling, where specially crafted input passed by an authenticated attacker triggers arbitrary code execution on the server. The authentication requirement places the barrier at Site Member permissions or above, a level held by large numbers of users in most enterprise SharePoint environments, including contractors, third-party vendors, and remote workers who have been granted collaboration access. Microsoft patched CVE-2026-45659 in a prior update cycle; organizations that have not applied the patch are confirmed to face active attacker interest at the time of CISA’s KEV addition.
CVE-2026-45659’s Scope Across Enterprise, Government, and Education Deployments
SharePoint Server is one of the most extensively deployed document collaboration and intranet platforms in enterprise and government environments globally. Its integration with Active Directory means successful exploitation does not merely expose SharePoint content — it provides attackers a foothold from which to pivot toward credential abuse, internal network access, and lateral movement through AD-connected infrastructure. Government agencies, educational institutions, and large enterprises running on-premises SharePoint deployments represent the highest concentration of affected targets, since SharePoint Online is patched by Microsoft under its managed service model rather than on customer patch cycles.
CISA’s KEV Mandatory Federal Patch Deadline and What It Requires
CISA’s addition to the KEV catalog triggers mandatory remediation requirements for federal civilian executive branch agencies, which must apply available patches within a defined deadline. For non-federal organizations, CISA’s KEV confirmation signals confirmed in-the-wild exploitation, making CVE-2026-45659 a priority patch independent of federal compliance obligations. The KEV catalog entry makes explicit what the CVSS 8.8 rating implies: exploitation is not theoretical, and organizations delaying patching are operating in a window of confirmed attacker activity.
What Organizations Should Do Following the CVE-2026-45659 KEV Listing
Microsoft’s patch for CVE-2026-45659 was available before the CISA KEV addition, meaning the primary remediation action — applying the patch — requires no vendor action and is available immediately to all SharePoint Server administrators. The patching priority should be elevated given that the exploitation requires only Site Member access, a credential threshold many organizations have distributed broadly through normal collaboration workflows, vendor access grants, and remote workforce provisioning.
Indicators of CVE-2026-45659 Exploitation and Post-Compromise Risk in AD-Integrated Environments
Organizations applying the patch should also review SharePoint server logs for indicators of exploitation activity that may have preceded the KEV confirmation. The deserialization attack vector can leave artifacts in server-side logs, IIS event records, and network traffic captures. Given SharePoint’s Active Directory integration, incident responders should extend post-exploitation auditing beyond the SharePoint layer to AD event logs for unusual authentication patterns, service account activity, or privilege escalation attempts that could indicate a CVE-2026-45659 compromise was used as a lateral movement staging point. SharePoint Server compromise has historically provided ransomware operators and espionage-motivated actors with high-value document repositories and AD footholds — both objectives are directly served by the broad privileged access this vulnerability enables in unpatched on-premises environments.
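The review described above spans two log sources, the IIS W3C logs on the SharePoint front end and the Windows Security logon events on the rest of the estate, and the useful signal is the join between them. The script below is an added example written for this article, not tooling from Microsoft or CISA. It parses a constructed IIS log excerpt, parses constructed Security event 4624 (successful logon) records using the field names Windows writes for that event, and reports accounts whose flagged SharePoint POST request was followed within an assumed 30-minute window by a network logon to another host that originated from the SharePoint server's own address. The SharePoint IP, the browser user-agent markers, the placeholder page path and the "non-browser user agent or HTTP 5xx" heuristic are all assumptions chosen for illustration; the article gives no request-level indicators for this CVE, so the output is a triage list for an analyst, not a verdict.

```python
"""Correlate SharePoint IIS logs with Windows 4624 logon events (added example;
sample data is constructed and the heuristics are illustrative assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

SHAREPOINT_IPS = {"10.0.0.5"}        # assumed address of the SharePoint front end (constructed)
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Edge/")   # assumed markers of an interactive browser
WINDOW = timedelta(minutes=30)       # assumed lookahead from a flagged request to a logon
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed IIS W3C extended log excerpt.  IIS writes spaces in the user agent as '+'.
# The page path under _layouts is a placeholder; the article names no specific endpoint.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-03-01 09:00:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 120
2026-03-01 09:03:15 10.0.0.5 POST /sites/hr/_layouts/15/upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 300
2026-03-01 09:10:42 10.0.0.5 POST /sites/finance/_layouts/15/placeholder-page.aspx - 443 CORP\\vendor01 203.0.113.7 python-requests/2.31 500 2100
2026-03-01 09:10:49 10.0.0.5 POST /sites/finance/_layouts/15/placeholder-page.aspx - 443 CORP\\vendor01 203.0.113.7 python-requests/2.31 200 1800
"""

# Constructed Security log 4624 events collected from a file server.  LogonType 3 is a
# network logon; IpAddress is the host the logon request came from.
LOGON_EVENTS = [
    {"TimeCreated": "2026-03-01 09:05:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": "3", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2026-03-01 09:12:30", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "vendor01", "LogonType": "3", "IpAddress": "10.0.0.5"},
]


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                      # skip lines that do not match the declared layout
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", TS_FMT)
        rows.append(row)
    return rows


def suspicious_posts(rows):
    """POSTs from a non-browser user agent or that produced a 5xx (illustrative heuristic)."""
    hits = []
    for r in rows:
        if r["cs-method"] != "POST":
            continue
        from_browser = any(m in r["cs(User-Agent)"] for m in BROWSER_MARKERS)
        if not from_browser or r["sc-status"].startswith("5"):
            hits.append(r)
    return hits


def server_originated_logons(events, sharepoint_ips=SHAREPOINT_IPS):
    """Network logons (type 3) whose source address is the SharePoint server itself."""
    out = []
    for e in events:
        if e["LogonType"] == "3" and e["IpAddress"] in sharepoint_ips:
            e = dict(e)
            e["ts"] = datetime.strptime(e["TimeCreated"], TS_FMT)
            out.append(e)
    return out


def correlate(rows, events):
    """One finding per server-originated logon preceded (within WINDOW) by a flagged POST
    from the same account; the earliest matching request is reported."""
    posts_by_account = defaultdict(list)
    for r in suspicious_posts(rows):
        posts_by_account[r["cs-username"].upper()].append(r)
    findings = []
    for e in server_originated_logons(events):
        account = f"{e['TargetDomainName']}\\{e['TargetUserName']}".upper()
        candidates = [p for p in posts_by_account.get(account, [])
                      if timedelta(0) <= e["ts"] - p["ts"] <= WINDOW]
        if not candidates:
            continue
        first = min(candidates, key=lambda p: p["ts"])
        findings.append({
            "account": account,
            "request_time": first["ts"].strftime(TS_FMT),
            "request_uri": first["cs-uri-stem"],
            "client_ip": first["c-ip"],
            "logon_time": e["ts"].strftime(TS_FMT),
            "logon_host": e["Computer"],
            "lag_seconds": int((e["ts"] - first["ts"]).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_iis(IIS_LOG), LOGON_EVENTS):
        print(finding)
```

On the constructed data the script reports only the vendor account: its scripted POSTs to the SharePoint front end are followed two minutes later by a network logon to the file server that came from the SharePoint server's address, which is the staging pattern the article warns about. The interactive user's browser POST and her logon from her own workstation are not reported. Against real data, feed the script the front end's full W3C logs and 4624 events exported from the hosts a SharePoint service account should never be logging into, and treat every finding as a lead for the AD-side review the article calls for.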
