SharePoint RCE CVE-2026-45659: a 7-step patch-and-harden checklist for 2026

CVE-2026-45659 is a CVSS 8.8 SharePoint RCE on CISA's KEV list. A 7-step patch-and-harden checklist for on-prem SharePoint in 2026.

Read time
8 min
Word count
1K
Sections
9
FAQs
8
Share
Red padlock shield glowing over a dark server farm
CVE-2026-45659 is a critical SharePoint RCE on CISA's KEV list.
On this page · 9 sections
  1. What CVE-2026-45659 is, in plain terms
  2. Are you affected?
  3. The 7-step patch-and-harden checklist
  4. After patching: assume-breach hygiene
  5. The 2016 end-of-support problem
  6. India-specific considerations
  7. FAQ
  8. How eCorpIT can help
  9. References

Summary. CVE-2026-45659 is a remote code execution flaw in on-premises Microsoft SharePoint Server with a CVSS score of 8.8, caused by deserialization of untrusted data. Microsoft shipped the fix in its May 2026 security updates, but on July 1, 2026 CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation, giving U.S. federal civilian agencies a hard remediation deadline of July 4, 2026, a three-day window under Binding Operational Directive 26-04. Only on-premises editions are affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online in Microsoft 365 is not affected. One more clock is running: SharePoint Server 2016 reaches end of extended support on July 14, 2026. This is the defensive checklist to close the exposure. It contains no exploitation detail, only remediation.

If you run SharePoint on your own servers, treat this as urgent. Patching alone is not enough here: because the flaw allows code execution, a machine that was exposed before you patched may already hold planted keys or web shells, so the hardening steps below matter as much as the update itself.

What CVE-2026-45659 is, in plain terms

The vulnerability is a deserialization-of-untrusted-data bug in SharePoint Server that leads to remote code execution. According to the NVD record and Help Net Security, it carries a CVSS score of 8.8 and can be triggered by an authenticated user with as little as Site Member permission. That low bar is why it is dangerous: in most organizations a large number of people, and any compromised low-privilege account, meet that threshold.

The Hacker News reported that Microsoft patched the flaw across server versions in May 2026. The situation escalated on July 1, 2026, when CISA added it to the KEV catalog and confirmed active exploitation, as SOCRadar also documented. Security press warned that on-prem SharePoint is a favourite target for ransomware crews, which is why TechTimes framed the deadline as patching before attackers strike.

Are you affected?

Check your farm against the fixed builds below. If any server sits below the listed build, it is vulnerable and must be updated.

Product Patch to at least this build Notes
SharePoint Enterprise Server 2016 16.0.5552.1002 End of extended support July 14, 2026
SharePoint Server 2019 16.0.10417.20128 Supported
SharePoint Server Subscription Edition 16.0.19725.20280 Supported, current line
SharePoint Online (Microsoft 365) Not applicable Not affected
Unsupported older versions No fix available Isolate or decommission

The build numbers come from Microsoft's advisory as summarized by SentinelOne and Threat-Modeling.com. If you are cloud-only on SharePoint Online, you are not exposed to this specific flaw, though the identity-hygiene steps below still apply.

The 7-step patch-and-harden checklist

Apply these in order, on every server in the farm. This mirrors Microsoft's own mitigation guidance for the vulnerability.

Step Action Why it matters
1 Apply the May 2026 security update to every farm server Closes the vulnerability itself
2 Run PSConfig / the Products Configuration Wizard on each server The patch is not fully applied until this runs
3 Rotate the ASP.NET machine keys, then restart IIS Invalidates keys an attacker may have stolen
4 Enable AMSI in Full Mode Lets antivirus inspect request payloads
5 Deploy Microsoft Defender Antivirus or equivalent Detects known post-exploitation tooling
6 Deploy Defender for Endpoint or an equivalent EDR Catches hands-on-keyboard activity
7 Hunt for compromise on any server exposed before patching RCE means assume-breach until proven clean

Two steps are the ones teams miss. First, PSConfig: applying the binary update does not finish the job, and skipping the configuration wizard leaves the farm partially configured and still exposed, as the reporting on remediation makes clear. Run it on the application server first, then each web front-end. Second, machine-key rotation: because this class of flaw can leak the keys used to sign and encrypt SharePoint payloads, patching without rotating keys can leave a door open. Rotate keys, then restart IIS.

After patching: assume-breach hygiene

If a server was internet-facing or reachable by untrusted users before you patched, treat it as potentially compromised until you have checked. Review IIS and SharePoint logs for anomalous requests, look for unexpected files in the SharePoint web directories, audit newly created accounts and privilege changes, and confirm no scheduled tasks or services were added. Guidance from IntegSec and CyberPress stresses that a KEV listing means exploitation is real, not theoretical. If you find evidence of compromise, move to incident response rather than assuming the patch fixed it.

The 2016 end-of-support problem

If you are still on SharePoint Server 2016, this CVE arrives at the worst possible moment. Extended support ends July 14, 2026, so this may be one of the last security updates that line receives. Apply it, then treat migration as a live project, whether to Subscription Edition on-prem or to SharePoint Online. Running an unpatched, unsupported collaboration server that holds your documents is the kind of exposure that turns a single vulnerability into a full breach. We cover the wider modernization path in our application modernization guide and platform engineering patterns.

India-specific considerations

For Indian enterprises, the deadline pressure is regulatory as well as operational. The July 4, 2026 date is a U.S. federal directive, but the exposure is global, and under India's Digital Personal Data Protection Act, 2023 (DPDP), a breach of a document store holding personal data brings notification duties and penalties. On-prem SharePoint often holds HR records, contracts, and customer data, exactly the sensitive material a data fiduciary must protect. Indian teams should patch on the same urgency as their U.S. counterparts and document the remediation, because demonstrable diligence matters if a regulator asks. Weekly vulnerability volume is high: defenders processed 1,939 new vulnerabilities in a single week around this disclosure, so a repeatable patch process beats one-off firefighting.

FAQ

How eCorpIT can help

eCorpIT (eCorp Information Technologies Private Limited, founded 2021, Gurugram) helps enterprises run patch and hardening programs that hold up under audit. Our senior-led, CMMI Level 5 teams, working with partners including Microsoft and Kaspersky, run vulnerability triage against the CISA KEV catalog, remediate exposed on-prem workloads, and plan migrations off end-of-support platforms like SharePoint Server 2016. We design systems aligned with DPDP Act requirements so a patch record doubles as compliance evidence. To review your exposure, contact us.

References

  1. CVE-2026-45659 detail — NVD
  1. High-severity SharePoint RCE bug patched by Microsoft (CVE-2026-45659) — Help Net Security
  1. Microsoft patches SharePoint RCE flaw CVE-2026-45659 across server versions — The Hacker News
  1. CISA flags SharePoint RCE (CVE-2026-45659) for active exploitation — SOCRadar
  1. CISA adds one known exploited vulnerability to catalog (July 1, 2026) — CISA
  1. CVE-2026-45659: Microsoft SharePoint Server RCE vulnerability — SentinelOne
  1. SharePoint Server actively exploited: CISA orders patch before ransomware actors strike — TechTimes
  1. CVE-2026-45659: SharePoint deserialization bug and how to respond — IntegSec
  1. CVE-2026-45659: SharePoint deserialization RCE (CISA KEV) — Threat-Modeling.com
  1. CISA warns actively exploited Microsoft SharePoint RCE flaw requires urgent patch — CyberPress
  1. CVE-2026-45659 KEV: patch the SharePoint deserialization RCE fast — Windows Forum
  1. Patch Tuesday July 2026: security updates and CVE analysis — Zecurit
  1. Vulnerability intelligence report, July 8, 2026 — Threat-Modeling.com

_Last updated: July 13, 2026._

Frequently asked

Quick answers.

01 What is CVE-2026-45659?
CVE-2026-45659 is a remote code execution vulnerability in on-premises Microsoft SharePoint Server, caused by deserialization of untrusted data, with a CVSS score of 8.8. An authenticated user with as little as Site Member permission can trigger it. Microsoft patched it in May 2026, and CISA later confirmed active exploitation in the wild.
02 Which SharePoint versions are affected?
Only on-premises editions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online in Microsoft 365 is not affected. Patch each on-prem server to at least the fixed build for its version, then run the configuration wizard so the update fully applies across the farm.
03 Why is CISA's KEV listing significant?
CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog only when it confirms active exploitation. The July 1, 2026 listing set a July 4 remediation deadline for U.S. federal civilian agencies under Binding Operational Directive 26-04. For everyone else it is a strong signal that attackers are already using this flaw, so patching is urgent.
04 Is patching alone enough?
No. Because this is a remote code execution flaw, a server exposed before patching may already be compromised. After applying the update and running PSConfig, rotate the ASP.NET machine keys and restart IIS, then hunt for signs of compromise in logs, files, and accounts. Treat any previously exposed, internet-facing server as assume-breach until verified clean.
05 What is the machine-key rotation step for?
This class of deserialization flaw can expose the ASP.NET machine keys SharePoint uses to sign and encrypt payloads. If an attacker captured those keys before you patched, they could keep forging valid requests even after the update. Rotating the keys and restarting IIS invalidates any stolen keys, which is why Microsoft's guidance includes it.
06 What happens to SharePoint Server 2016 after July 14, 2026?
SharePoint Server 2016 reaches end of extended support on July 14, 2026, after which Microsoft stops releasing security updates for it. Apply this update while you still can, then plan migration to SharePoint Server Subscription Edition or SharePoint Online. Running an unsupported collaboration server holding sensitive documents is a growing breach risk.
07 How does this affect Indian organizations?
The July 4 deadline is a U.S. federal directive, but the vulnerability is exploited globally. Under India's DPDP Act, 2023, a breach of a SharePoint store holding personal data triggers notification duties and potential penalties. Indian teams should patch with the same urgency, harden against post-exploitation, and document remediation in case a regulator requests evidence of diligence.
08 Where can I confirm the official details?
Start with the NVD record for CVE-2026-45659 and Microsoft's Security Response Center advisory for the exact fixed builds and mitigation steps, then check CISA's KEV catalog entry for the remediation deadline. Independent write-ups from Help Net Security, SentinelOne, and SOCRadar corroborate the affected versions, the CVSS 8.8 score, and the active-exploitation status.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.