SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
CISA added CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog due to active exploitation. The vulnerability stems from deserialization of untrusted data and requires only authenticated access with minimal permissions (Site Member level) to exploit. Microsoft identified parallel threat activity where two unrelated actors operated simultaneously in the same network, complicating attribution and incident
Analysis
TL;DR
- CISA added CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog due to active exploitation.
- The vulnerability stems from deserialization of untrusted data and requires only authenticated access with minimal permissions (Site Member level) to exploit.
- Microsoft identified parallel threat activity where two unrelated actors operated simultaneously in the same network, complicating attribution and incident response.
- One actor, Storm-2603, leveraged a separate critical vulnerability (CVE-2025-11371) in Gladinet Triofox for initial access before deploying ransomware and establishing persistent backdoors.
- Federal Civilian Executive Branch agencies are urged to patch SharePoint Server by July 4, 2026, while broader industry lessons highlight the complexity of multi-actor intrusions.
Why It Matters
This incident underscores the critical risk of deserialization flaws in enterprise collaboration platforms like SharePoint, which remain prime targets for ransomware groups. It demonstrates how attackers can combine known vulnerabilities with sophisticated persistence techniques to evade detection, emphasizing the need for comprehensive threat hunting rather than relying on isolated security signals.
Technical Details
- Vulnerability Analysis: CVE-2026-45659 is a Remote Code Execution (RCE) flaw caused by insecure deserialization of untrusted data, carrying a CVSS score of 8.8. It affects SharePoint Server Subscription Edition, 2019, and 2016.
- Attack Vector: Exploitation requires authentication but not elevated privileges; a user with Site Member permissions can trigger the RCE. Microsoft assessed the likelihood of exploitation as "Less Likely" despite active campaigns.
- Initial Access Method: In the observed parallel attack, Storm-2603 utilized CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox, probing for local file inclusion via requests for
win.iniandweb.config. - Persistence & Evasion: Attackers used Velociraptor to mimic admin behavior, established tunnels via Cloudflare, Zoho Assist, and SSH, and employed a vulnerable driver (
NSecKrnl.sys) to disable endpoint security. A second actor used DLL side-loading and custom backdoors.
Industry Insight
- Patch Urgency: Organizations running on-premises SharePoint or related services like Gladinet Triofox must prioritize immediate patching, especially given the active exploitation and CISA's KEV listing.
- Holistic Defense Strategy: The presence of multiple concurrent threat actors in a single breach highlights the necessity for advanced detection capabilities that can identify lateral movement and anomalous tool usage (e.g., legitimate tools misused for tunneling).
- Attribution Complexity: Security teams should prepare for investigations where multiple actors may be present, requiring deeper forensic analysis to distinguish between independent intrusions and coordinated campaigns.
Disclaimer: The above content is generated by AI and is for reference only.