The Cybersecurity and Infrastructure Security Agency (CISA) has sounded an urgent alarm for all federal agencies and private-sector organizations running Microsoft SharePoint Server. On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that a critical deserialization remote code execution (RCE) flaw in SharePoint is under active attack.

Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies have until July 22, 2026—just 21 days from catalog inclusion—to apply the patch, implement mitigations, or remove the exposed products from their networks. But private companies face the same threat landscape, with security researchers warning that exploitation rates are accelerating.

What Is CVE-2026-45659 and Why Deserialization Bugs Are So Dangerous

CVE-2026-45659 is a deserialization vulnerability in SharePoint Server that allows an unauthenticated attacker to execute arbitrary code on target systems. Deserialization flaws occur when an application processes untrusted data without properly validating what’s being reconstructed. In SharePoint’s case, this often involves the way the platform handles ViewState or certain web part objects.

SharePoint relies heavily on serialized data for page state, workflow information, and user sessions. If an attacker can craft a malicious serialized object and send it to a vulnerable server, the deserialization process can trigger the execution of attacker-supplied code—often with high privileges, such as those of the SharePoint application pool or even the SharePoint Farm Account.

This particular vulnerability stems from insufficient validation within SharePoint’s Business Connectivity Services (BCS) runtime, which processes complex object graphs. By sending a specially crafted HTTP request to a SharePoint web application, attackers can abuse BCS deserialization routines to load arbitrary .NET assemblies and achieve SYSTEM-level code execution, according to early technical analysis circulating in security communities.

The severity is compounded by the fact that SharePoint servers are often deeply integrated with internal networks, Active Directory, and sensitive document repositories. Post-exploitation, threat actors can move laterally, harvest credentials, and deploy ransomware or other payloads across an entire enterprise.

CISA’s KEV Addition: The Clock Is Ticking

The KEV Catalog, established under BOD 22-01, lists vulnerabilities with confirmed active exploitation. Inclusion triggers a mandatory timeline for federal agencies, but it also serves as a crucial signal for all organizations. CISA’s alert specifically states that attackers are “actively exploiting” CVE-2026-45659, though the agency did not initially release detailed threat intelligence or indicators of compromise (IOCs).

Industry sources, however, have reported that the exploit has been integrated into popular post-exploitation frameworks and may have been used by ransomware affiliates to gain initial access. Microsoft’s own threat intelligence team, in a June 2026 advisory, warned of a “surge in exploitation attempts” against unpatched SharePoint farms shortly after the patch was released.

For organizations that have not yet applied the fix, the risk window is shrinking rapidly. Unlike many SharePoint vulnerabilities that require authentication or local access, CVE-2026-45659 can be triggered remotely without credentials, making it exceptionally dangerous for internet-facing SharePoint deployments.

The Patch: Microsoft’s June 2026 Security Updates

Microsoft addressed CVE-2026-45659 as part of its June 2026 Patch Tuesday release. The update modifies how SharePoint deserializes certain object types within the BCS runtime, enforcing stricter type checking and a blocklist of known dangerous assemblies. Administrators who applied the June 2026 security rollup for SharePoint Server Subscription Edition, SharePoint 2019, or SharePoint 2016 should already be protected.

However, the patch itself is a cumulative update that can sometimes break custom integrations, leading some IT teams to delay deployment for testing. This “patch paralysis” is precisely what attackers count on. CISA’s KEV addition is a blunt nudge: even if testing is incomplete, the risk of exploitation outweighs the compatibility risks.

For those unable to patch immediately, Microsoft and CISA recommend several interim mitigations:

  • Disable BCS functionality if not in use, via the SharePoint Central Administration site or by removing the BCS service application.
  • Restrict access to the SharePoint web front end using network segmentation, VPNs, or IP restrictions in IIS.
  • Enable IIS request filtering to block suspicious patterns in URL or request bodies, particularly those containing serialized .NET objects.
  • Monitor SharePoint ULS logs for anomalies such as unexpected assembly loads or error patterns tied to deserialization.

These mitigations are not foolproof; attackers can adapt their payloads to evade simple filters. The only complete protection is the application of the official security update.

The Exploitation Chain: How Attacks Are Unfolding

Security researchers and incident responders have begun piecing together the typical attack sequence for CVE-2026-45659. The exploit often begins with a specially crafted SOAP or REST request to a SharePoint endpoint that triggers deserialization. The payload typically includes a gadget chain—a series of .NET objects that, when deserialized, execute commands through classes like ObjectDataProvider or WindowsIdentity.

One observed attack variant drops a lightweight webshell into the SharePoint layouts directory, giving attackers persistent remote access even if the initial vulnerability is later patched. From there, adversaries deploy Cobalt Strike beacons, enumerate the domain, and attempt to steal SharePoint encryption keys and credentials from the farm configuration database.

Because SharePoint servers frequently have extensive permissions, attackers can also manipulate search results, exfiltrate documents, or inject malicious links to target end users. In one incident triaged by a major MSSP, the compromise of a SharePoint server led to a full Active Directory takeover within 48 hours.

The active exploitation flagged by CISA appears to be opportunistic rather than targeted—internet scans for unpatched SharePoint servers have spiked dramatically since the patch’s release. Organizations that expose SharePoint to the internet without a VPN or Web Application Firewall are at highest risk.

Historical Context: SharePoint Deserialization Vulnerabilities

CVE-2026-45659 is not an anomaly. Deserialization bugs have plagued SharePoint for years, with notable predecessors including CVE-2020-1181, CVE-2021-27076, and CVE-2021-42293. Each of those prompted emergency patching and, like the current situation, saw rapid adoption by exploitation frameworks.

The underlying issue is architectural: SharePoint’s design relies on deserializing complex object state from user-supplied data across many components. While Microsoft has progressively hardened those routines, the large attack surface and legacy compatibility requirements mean new variants emerge regularly.

What sets CVE-2026-45659 apart is the combination of BCS runtime involvement—a service often enabled by default even in non-hybrid environments—and the low complexity of the exploit. Proof-of-concept code circulated on GitHub within days of the patch release, lowering the barrier for less sophisticated attackers.

Impact on Windows and Hybrid Environments

SharePoint Server is tightly integrated with the broader Windows ecosystem, meaning a compromise can cascade into a full-scale breach. Attackers who gain code execution on a SharePoint front-end server can immediately query Active Directory, harvest Kerberos tickets, and pivot to domain controllers, file servers, and SQL databases. If Azure AD Connect is in place, the threat can even extend to cloud identities.

Organizations using SharePoint in hybrid configurations with Microsoft 365 are not directly protected by the cloud’s native security, as the on-premises server remains a trust bridge. A compromised SharePoint farm can be leveraged to tamper with synchronized content, poison eDiscovery exports, or intercept federated authentication tokens.

Windows administrators should apply the patch across all SharePoint servers, test dependent workflows, and review service account privileges. The SharePoint farm account should never have local administrative rights; reducing its permissions can limit what an attacker can do post-exploitation.

What Organizations Must Do Now

  1. Patch Immediately: Apply the June 2026 cumulative update for your SharePoint version. Do not delay for testing—risk acceptance is no longer viable.
  2. Validate Patch Installation: Check SharePoint build numbers against Microsoft’s documentation to confirm the patch took effect. Reboot servers as required.
  3. Harden Internet-Facing SharePoint Deployments: Place all SharePoint traffic behind a VPN or Azure Application Proxy. If public access is mandatory, deploy a Web Application Firewall with rule updates targeting deserialization attacks.
  4. Audit BCS Usage: If Business Connectivity Services are not required, remove the service application entirely. If needed, restrict access to only trusted endpoints and accounts.
  5. Enable Advanced Logging: Turn on detailed ULS logging and forward logs to a SIEM. Watch for patterns like “Type is not resolved for member” or unexpected System.Web.Script.Serialization errors—these can indicate deserialization attempts.
  6. Run Compromise Assessments: Use Microsoft’s SCERS tool or third-party forensic scripts to scan SharePoint farm servers for indicators of compromise, including unusual scheduled tasks, new IIS modules, or unrecognized .aspx files.
  7. Review and Limit SharePoint Service Account Privileges: Ensure least privilege for the farm, application pool, and search service accounts. Move away from using domain admin accounts for SharePoint maintenance.

The Broader CISA KEV Landscape

CVE-2026-45659’s addition to the KEV catalog is part of a larger push by CISA to focus on a “binding operational” rhythm for vulnerability management. As of mid-2026, the catalog contains over 2,000 entries—a 30% increase from the previous year. Deserialization and RCE vulnerabilities in collaboration platforms consistently rank among the most frequently exploited.

This trend reflects attackers’ growing sophistication in weaponizing patch-diffing tools. Within hours of a Microsoft Patch Tuesday release, reverse engineers can identify the specific code changes and develop working exploits. The window between patch availability and active exploitation has shrunk from weeks to days, making rapid deployment the only viable defense.

Private industry advisory groups, including the IT-ISAC and MS-ISAC, are echoing CISA’s urgency, urging all enterprises to treat CVE-2026-45659 as a top-priority risk. Many are recommending a “10-days-to-patch” SLA for internet-facing SharePoint servers.

Looking Ahead: Automation and Long-Term Defenses

The relentless stream of SharePoint critical vulnerabilities underscores the need for automation in patch management. Organizations that still rely on manual approval cycles and quarterly maintenance windows are increasingly playing with fire. Tools like Microsoft’s own Azure Update Manager, or third-party platforms such as Ivanti and Patch My PC, can help orchestrate SharePoint updates with minimal downtime.

Beyond patching, enterprises should evaluate whether they can reduce their on-premises SharePoint footprint. Migrating content to SharePoint Online or Azure Files eliminates the patch management burden for those assets, though hybrid dependencies must be carefully unwound.

For the immediate future, CVE-2026-45659 will likely join the ranks of other perennial SharePoint threats—always lurking as a favorite initial access vector for ransomware gangs and state-sponsored actors. The lesson is clear: when CISA says patch fast, it’s not a suggestion; it’s a survival strategy.