Key Takeaways
- CISA has added the high‑severity SharePoint flaw CVE‑2026‑45659 (CVSS 8.8) to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation.
- The vulnerability is a deserialization‑of‑untrusted‑data issue that allows remote code execution (RCE) with only Site Member privileges on affected SharePoint Server versions.
- Microsoft released patches for SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016 in May 2026, but the flaw was initially rated “Exploitation Less Likely.”
- Federal agencies must apply the updates by July 4, 2026 under BOD 22‑01; CISA urges all organizations to treat KEV‑listed flaws as high‑priority patching events.
- Attackers often gain initial access via compromised credentials, then use legitimate admin tools (Velociraptor, Cloudflare Tunnel, Zoho Assist, SSH, VS Code remote) to blend in and evade detection.
- Intrusions have shown sophisticated tactics: privilege escalation via new admin accounts, deployment of a vulnerable driver to disable defenses, DLL side‑loading, and the coexistence of two unrelated threat actors (Storm‑2603 and a separate group).
- Defenders should review authentication logs, audit unexpected admin accounts, monitor for tunneling software, verify endpoint protections, and hunt for persistence indicators.
- The incident underscores that ransomware campaigns are evolving into multi‑stage, multi‑actor intrusions focused on long‑term access, making timely patching and continuous monitoring essential.
CISA Adds SharePoint Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it has placed CVE‑2026‑45659, a high‑severity Microsoft SharePoint Server vulnerability, into its Known Exploited Vulnerabilities (KEV) catalog. This action follows verified reports that the flaw is being actively exploited in the wild. Inclusion in the KEV catalog signals that federal authorities consider the vulnerability to pose an immediate and significant risk to organizations, prompting urgent remediation guidance.
Vulnerability Overview and Severity
CVE‑2026‑45659 carries a CVSS base score of 8.8, reflecting its potential impact on confidentiality, integrity, and availability. Microsoft identified the issue as a deserialization of untrusted data vulnerability that can lead to remote code execution (RCE) on affected SharePoint servers. The flaw exists in the way SharePoint processes certain serialized objects, allowing an attacker who can supply malicious data to execute arbitrary code with the privileges of the SharePoint application pool.
Affected SharePoint Versions and Attack Prerequisites
The vulnerability impacts multiple supported releases: Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires authenticated access; specifically, an attacker needs only Site Member privileges to trigger the RCE. Consequently, threat actors must first obtain valid credentials—through phishing, credential stuffing, password reuse, or prior network compromise—before they can leverage the flaw.
Patch Release and Microsoft’s Initial Exploitation Rating
Microsoft issued security updates for the affected SharePoint products on May 21, 2026 as part of its May Patch Tuesday cycle. Notably, the CVE had been inadvertently omitted from the initial May 2026 Security Updates bulletin, prompting a separate advisory. At the time of patch release, Microsoft assessed the likelihood of exploitation as “Exploitation Less Likely,” a rating that has since been revised in light of real‑world attack evidence.
CISA Confirms Active Exploitation and Federal Remediation Deadline
Following confirmation of active exploitation, CISA added CVE‑2026‑45659 to the KEV catalog. Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV‑listed vulnerabilities within specified timelines; for this SharePoint flaw, the deadline is July 4, 2026. Although the directive binds only federal agencies, CISA consistently advises private‑sector organizations to treat KEV entries as high‑priority patching events because they are already being weaponized by threat actors.
How the Vulnerability Enables Remote Code Execution
The core weakness lies in insecure deserialization logic within SharePoint’s handling of user‑supplied data. An authenticated user can craft a malicious payload that, when deserialized by the server, leads to the execution of arbitrary code under the context of the SharePoint application pool. Because the attack only requires Site Member rights, the barrier to entry is considerably lower than for many server‑side vulnerabilities that demand administrative privileges.
Why SharePoint Remains a Prime Target for Attackers
SharePoint servers often store sensitive corporate documents, authentication tokens, and integrations with numerous enterprise services. Their frequent exposure to the internet—especially in on‑premises deployments—makes them attractive entry points for adversaries seeking to pivot laterally, exfiltrate data, or deploy ransomware. Successful compromise can grant attackers access to confidential information, credential harvesting opportunities, and a foothold for privilege escalation and persistent presence within the network.
Microsoft Reveals Complex Multi‑Actor Intrusion
Shortly after the CVE disclosure, Microsoft published findings from an extensive ransomware investigation that uncovered two unrelated threat actors operating concurrently inside the same victim environment. Initially presumed to be a single ransomware incident, the analysis revealed that each actor had independently established persistence using distinct techniques and tools, complicating attribution and response efforts. This case illustrates a growing trend where modern intrusions involve multiple malicious groups rather than a singular coordinated campaign.
Storm‑2603 Linked to SharePoint Attacks and Use of Legitimate Tools
One of the intrusion clusters was attributed to Storm‑2603, a threat actor Microsoft associates with Warlock ransomware operations. Storm‑2603 has targeted on‑premises SharePoint environments since mid‑2025 by exploiting publicly known vulnerabilities to gain initial access. During the investigation, attackers were observed requesting system files such as win.ini and web.config—behavior typical of reconnaissance for local file inclusion weaknesses. After gaining a foothold, the group employed a blend of legitimate administrative utilities—Velociraptor, Cloudflare Tunnel, Zoho Assist, Secure Shell (SSH), and Visual Studio Code remote connections—to conduct malicious activities while mimicking normal admin traffic, a classic “living off the land” approach that hinders detection.
Privilege Escalation, Defense Evasion, and Emergence of a Second Threat Actor
Beyond initial access, Microsoft documented extensive privilege escalation efforts: the attackers created new local and domain administrator accounts and deployed a vulnerable driver (NSecKrnl.sys) to interfere with endpoint security protections. These actions aim to weaken defensive tools, evade antivirus products, and maintain long‑term persistence before launching ransomware or exfiltrating data. Intriguingly, investigators also discovered evidence of a completely separate threat actor operating within the same network, utilizing DLL side‑loading and custom backdoors unrelated to Storm‑2603. The overlapping indicators from the two campaigns complicated forensic analysis, highlighting the challenges posed by concurrent, independent intrusions.
Security Recommendations for Organizations
Defenders should prioritize applying Microsoft’s May 2026 security updates for SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016. In addition to patching, organizations are advised to:
- Review SharePoint authentication logs for anomalous login patterns or access from unfamiliar locations.
- Investigate any unexpected creation of administrator accounts.
- Audit remote access services (VPN, RDP, SSH) for unauthorized use.
- Monitor for tunneling or proxy software such as Cloudflare Tunnel or Zoho Assist that may be abused for covert communication.
- Hunt for persistence mechanisms, including scheduled tasks, services, or registry modifications.
- Verify that endpoint protection platforms remain operational and have not been tampered with.
- Conduct privileged‑access audits across Active Directory to detect illicit privilege escalation.
If compromise is suspected, a thorough incident response investigation should be undertaken to determine whether attackers established persistence before patches were applied, and to eradicate any residual footholds.
Looking Ahead: Importance of Timely Patching and Vigilance
CISA’s decision to list CVE‑2026‑45659 in the KEV catalog underscores that even vulnerabilities initially deemed low‑likelihood can become active threats once exploited. The convergence of timely patching, credential hygiene, and vigilant monitoring is essential to defend against adversaries that increasingly target widely deployed collaboration platforms like SharePoint. As ransomware campaigns evolve into multi‑stage, multi‑actor operations focused on persistence and privilege escalation, organizations must adopt a proactive security posture—combining rapid update deployment, continuous threat hunting, and robust detection capabilities—to safeguard their critical data and infrastructure.

