🚨 CRITICAL ALERT: Active Zero-Day Exploites
IMMEDIATE THREAT: A critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, CVE-2026-45659 (CVSS: 8.8), is actively exploited by authenticated attackers to execute arbitrary code over the network without user interaction. This vulnerability, classified under CWE-502 (Deserialization of Untrusted Data), has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with an action date of 2026-07-01, confirming active exploitation in the wild. Organizations with on-prem SharePoint 2016, 2019, or Subscription Edition are at high risk of server compromise.[1][2][6]
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-45659 (CVSS: 8.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an authenticated attacker to execute arbitrary code over a network. No user interaction is required, and attack complexity is Low. Microsoft has released patches for SharePoint Server Subscription Edition, 2019, and 2016. The flaw is tracked in CISA KEV as of 2026-07-01.[1][3][4][5]
âš¡ Immediate Actions Required
1. PATCH IMMEDIATELY: Apply the Microsoft security update referenced in the Microsoft Security Update Guide to all SharePoint Server 2016, 2019, and Subscription Edition deployments. For Subscription Edition, update to build 16.0.19725.20280 or later.[1][5]
2. AUDIT & RESTRICT ACCESS: Audit SharePoint user accounts and remove unused or excessive permissions, particularly accounts with site contribution rights. Restrict SharePoint administrative endpoints to trusted internal networks via firewall or reverse proxy rules.[1][2]
3. MONITOR FOR EXPLOITATION: Monitor IIS logs for authenticated POST requests with abnormally large body sizes targeting SharePoint handler URLs. Hunt for Windows Event ID 4688 entries showing process creation from w3wp.exe with command interpreters or script hosts as children. Inspect SharePoint ULS logs for deserialization exceptions and type-load failures.[1]
4. ROTATE CREDENTIALS: Rotate machine keys and service account credentials after patching to invalidate any payloads staged by attackers pre-patch.[1]
5. IMPLEMENT WORKAROUNDS (if patching delayed): Enforce Antimalware Scan Interface (AMSI) integration for SharePoint Server, disable non-essential web services, and place SharePoint behind a Web Application Firewall configured to inspect serialized payload signatures.[1]
DO NOT IGNORE: While Microsoft initially deemed this less likely to be exploited, the addition to CISA KEV confirms active exploitation. Treat this as a material update and implement sooner rather than later.[5]

