On this page · 9 sections
Summary. CVE-2026-45659 is a remote code execution flaw in on-premises Microsoft SharePoint Server with a CVSS score of 8.8, caused by deserialization of untrusted data. Microsoft shipped the fix in its May 2026 security updates, but on July 1, 2026 CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation, giving U.S. federal civilian agencies a hard remediation deadline of July 4, 2026, a three-day window under Binding Operational Directive 26-04. Only on-premises editions are affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online in Microsoft 365 is not affected. One more clock is running: SharePoint Server 2016 reaches end of extended support on July 14, 2026. This is the defensive checklist to close the exposure. It contains no exploitation detail, only remediation.
If you run SharePoint on your own servers, treat this as urgent. Patching alone is not enough here: because the flaw allows code execution, a machine that was exposed before you patched may already hold planted keys or web shells, so the hardening steps below matter as much as the update itself.
What CVE-2026-45659 is, in plain terms
The vulnerability is a deserialization-of-untrusted-data bug in SharePoint Server that leads to remote code execution. According to the NVD record and Help Net Security, it carries a CVSS score of 8.8 and can be triggered by an authenticated user with as little as Site Member permission. That low bar is why it is dangerous: in most organizations a large number of people, and any compromised low-privilege account, meet that threshold.
The Hacker News reported that Microsoft patched the flaw across server versions in May 2026. The situation escalated on July 1, 2026, when CISA added it to the KEV catalog and confirmed active exploitation, as SOCRadar also documented. Security press warned that on-prem SharePoint is a favourite target for ransomware crews, which is why TechTimes framed the deadline as patching before attackers strike.
Are you affected?
Check your farm against the fixed builds below. If any server sits below the listed build, it is vulnerable and must be updated.
| Product | Patch to at least this build | Notes |
|---|---|---|
| SharePoint Enterprise Server 2016 | 16.0.5552.1002 | End of extended support July 14, 2026 |
| SharePoint Server 2019 | 16.0.10417.20128 | Supported |
| SharePoint Server Subscription Edition | 16.0.19725.20280 | Supported, current line |
| SharePoint Online (Microsoft 365) | Not applicable | Not affected |
| Unsupported older versions | No fix available | Isolate or decommission |
The build numbers come from Microsoft's advisory as summarized by SentinelOne and Threat-Modeling.com. If you are cloud-only on SharePoint Online, you are not exposed to this specific flaw, though the identity-hygiene steps below still apply.
The 7-step patch-and-harden checklist
Apply these in order, on every server in the farm. This mirrors Microsoft's own mitigation guidance for the vulnerability.
| Step | Action | Why it matters |
|---|---|---|
| 1 | Apply the May 2026 security update to every farm server | Closes the vulnerability itself |
| 2 | Run PSConfig / the Products Configuration Wizard on each server | The patch is not fully applied until this runs |
| 3 | Rotate the ASP.NET machine keys, then restart IIS | Invalidates keys an attacker may have stolen |
| 4 | Enable AMSI in Full Mode | Lets antivirus inspect request payloads |
| 5 | Deploy Microsoft Defender Antivirus or equivalent | Detects known post-exploitation tooling |
| 6 | Deploy Defender for Endpoint or an equivalent EDR | Catches hands-on-keyboard activity |
| 7 | Hunt for compromise on any server exposed before patching | RCE means assume-breach until proven clean |
Two steps are the ones teams miss. First, PSConfig: applying the binary update does not finish the job, and skipping the configuration wizard leaves the farm partially configured and still exposed, as the reporting on remediation makes clear. Run it on the application server first, then each web front-end. Second, machine-key rotation: because this class of flaw can leak the keys used to sign and encrypt SharePoint payloads, patching without rotating keys can leave a door open. Rotate keys, then restart IIS.
After patching: assume-breach hygiene
If a server was internet-facing or reachable by untrusted users before you patched, treat it as potentially compromised until you have checked. Review IIS and SharePoint logs for anomalous requests, look for unexpected files in the SharePoint web directories, audit newly created accounts and privilege changes, and confirm no scheduled tasks or services were added. Guidance from IntegSec and CyberPress stresses that a KEV listing means exploitation is real, not theoretical. If you find evidence of compromise, move to incident response rather than assuming the patch fixed it.
The 2016 end-of-support problem
If you are still on SharePoint Server 2016, this CVE arrives at the worst possible moment. Extended support ends July 14, 2026, so this may be one of the last security updates that line receives. Apply it, then treat migration as a live project, whether to Subscription Edition on-prem or to SharePoint Online. Running an unpatched, unsupported collaboration server that holds your documents is the kind of exposure that turns a single vulnerability into a full breach. We cover the wider modernization path in our application modernization guide and platform engineering patterns.
India-specific considerations
For Indian enterprises, the deadline pressure is regulatory as well as operational. The July 4, 2026 date is a U.S. federal directive, but the exposure is global, and under India's Digital Personal Data Protection Act, 2023 (DPDP), a breach of a document store holding personal data brings notification duties and penalties. On-prem SharePoint often holds HR records, contracts, and customer data, exactly the sensitive material a data fiduciary must protect. Indian teams should patch on the same urgency as their U.S. counterparts and document the remediation, because demonstrable diligence matters if a regulator asks. Weekly vulnerability volume is high: defenders processed 1,939 new vulnerabilities in a single week around this disclosure, so a repeatable patch process beats one-off firefighting.
FAQ
How eCorpIT can help
eCorpIT (eCorp Information Technologies Private Limited, founded 2021, Gurugram) helps enterprises run patch and hardening programs that hold up under audit. Our senior-led, CMMI Level 5 teams, working with partners including Microsoft and Kaspersky, run vulnerability triage against the CISA KEV catalog, remediate exposed on-prem workloads, and plan migrations off end-of-support platforms like SharePoint Server 2016. We design systems aligned with DPDP Act requirements so a patch record doubles as compliance evidence. To review your exposure, contact us.
References
_Last updated: July 13, 2026._