CyberSecurityBoardThreat Intel · CVEs · Products
Critical CVEs

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

July 2, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity remote code execution vulnerability, CVE-2026-45659 (CVSS 8.8), affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, a deserialization of untrusted data issue, was patched by Microsoft in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. An authenticated attacker with Site Member permissions can exploit it remotely without admin privileges. CISA mandates Federal Civilian Executive Branch agencies to apply fixes by July 4, 2026.

Additionally, Microsoft uncovered parallel threat activity from two clusters during a ransomware investigation. One cluster, Storm-2603, deploys Warlock ransomware by exploiting vulnerabilities in on-premises SharePoint servers since mid-2025. Initial access was likely via CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox. The attacker used tools like Velociraptor, Cloudflare tunneling, Zoho Assist, SSH via Visual Studio Code, and the vulnerable driver NSecKrnl.sys to tamper with endpoint security. A second, unrelated threat actor co-existed in the same environment using DLL side-loading and custom backdoors, complicating attribution. The attackers moved laterally to a second organization, confirming compromise by Storm-2603. Microsoft emphasizes that isolated signals rarely tell the full story in complex intrusions.

CVEs: CVE-2026-45659, CVE-2025-11371, CVE-2026-20245

Attack groups: Storm-2603

Malware: Warlock ransomware

Companies: Microsoft, Cloudflare, Zoho, Gladinet

Products: SharePoint Server, Velociraptor, Visual Studio Code, NSecKrnl.sys, Gladinet Triofox