Tags: Cybersecurity, SharePoint, Infrastructure, CISO, Patch Management

The SharePoint Flaw Microsoft Underestimated Is Now Actively Exploited

Blue Onyx, published on 4 July 2026, 5 min read

[Image: red padlock on a black keyboard, symbol of a security flaw]

Introduction

A vulnerability Microsoft initially rated as unlikely to be exploited is now confirmed active in the wild. CVE-2026-45659, a critical deserialization flaw in SharePoint Server, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 2, 2026 — effectively overriding the vendor's own risk assessment and triggering a mandatory three-day remediation deadline for U.S. federal agencies.

Microsoft's Assessment, Overruled by Reality

When Microsoft issued an emergency out-of-cycle patch for SharePoint Server in May 2026, it rated exploitation of CVE-2026-45659 as "unlikely." On July 2, CISA made that position untenable by adding the vulnerability to its KEV catalog — confirming documented, real-world attacks already underway in production environments.

A CVSS score of 8.8 should have prompted greater urgency from the outset. The root cause is a deserialization of untrusted data bug (CWE-502) in SharePoint Server's processing engine. The attack targets an endpoint that reconstructs serialized objects in memory without adequate validation. A threat actor can inject a .NET gadget chain to trigger arbitrary code execution server-side — with no externally visible interaction required.

Standard User Rights, Maximum Impact

What makes this vector particularly alarming for infrastructure teams is the low privilege bar to entry. An account with "Site Member" rights — the standard access level for any active user on the platform — is sufficient to launch the exploit. No administrator account, no prior Active Directory domain compromise required.

Affected versions cover the bulk of on-premises SharePoint deployments: SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Server Subscription Edition. SharePoint Online (Microsoft 365) environments are not affected. The flaw targets on-premises instances, which frequently sit at the heart of enterprise document repositories, intranet portals, and collaboration workspaces.

Three Days for Federal Agencies — A Signal for Everyone

Invoking its Binding Operational Directive BOD 26-04, CISA mandated a three-day remediation window for U.S. federal agencies, with a hard deadline of July 4, 2026 — a timeline that reflects the genuine severity of the threat. In an on-premises environment, an unpatched SharePoint server is a powerful lateral movement vector for any attacker already present on the internal network or operating through a compromised user account.

For European and other international organizations, no equivalent regulatory obligation currently applies. But the underlying logic holds: the internal attack surface scales directly with the number of active SharePoint accounts — potentially the organization's entire workforce.

What IT Teams Should Do Now

Three actions are required without delay.

First, conduct a precise inventory of all on-premises SharePoint Server instances. Environments partially migrated to the cloud or left running after consolidation projects are common blind spots that fly under the radar until an incident forces the issue.

Second, apply Microsoft's May 2026 patch, which is available for all three affected versions.

Third, strengthen monitoring for anomalous activity on affected instances: unusual requests to the endpoints that process serialized objects, unexpected child processes spawned by IIS worker processes (w3wp.exe), and unplanned outbound connections originating from the SharePoint server.
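The monitoring step above, worked through as an added example that is not part of the original article: a small Python triage over constructed Sysmon-style events (process creation, event ID 1, and network connection, event ID 3) collected from a SharePoint host, flagging unexpected children of the IIS worker process and outbound connections leaving the internal ranges. The allowlists EXPECTED_W3WP_CHILDREN and EXPECTED_EGRESS are assumptions that must be tuned to the farm.

```python
# Added example (not from the original post): triage of constructed Sysmon-style
# events from a SharePoint host for the two host-side signals the article names:
# unexpected w3wp.exe children and unplanned outbound connections from w3wp.exe.
import ipaddress

# Hypothetical allowlists; tune to the farm. csc.exe/cvtres.exe appear during
# ASP.NET dynamic compilation, so they are treated as expected children here.
EXPECTED_W3WP_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe", "vbc.exe"}
EXPECTED_EGRESS = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}  # internal ranges
PRIVATE_NETS = [ipaddress.ip_network(n) for n in EXPECTED_EGRESS]

# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "conhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 1433},  # internal SQL, expected
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},   # external, unplanned
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return a list of (rule, detail) findings for the given events."""
    findings = []
    for e in events:
        if e["EventID"] == 1 and basename(e["ParentImage"]) == "w3wp.exe":
            child = basename(e["Image"])
            if child not in EXPECTED_W3WP_CHILDREN:
                findings.append(("w3wp_unexpected_child", f"{child}: {e['CommandLine']}"))
        elif e["EventID"] == 3 and basename(e["Image"]) == "w3wp.exe":
            dst = ipaddress.ip_address(e["DestinationIp"])
            if not any(dst in net for net in PRIVATE_NETS):
                findings.append(("w3wp_external_egress", f"{dst}:{e['DestinationPort']}"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

On the constructed sample the triage reports the cmd.exe and powershell.exe children and the single external connection, and stays silent on conhost.exe and the internal SQL connection.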

This episode exposes a structural weakness in out-of-cycle patch management: when the vendor itself underestimates the likelihood of exploitation, security teams are left with little reliable signal beyond the raw severity score and the criticality of the exposed component. A CVSS 8.8 on infrastructure this central to enterprise information systems warranted an immediate response — not a forced reassessment driven by active attacks in the wild.
