CISA adds SharePoint CVE-2026-45659 to KEV, FCEB deadline July 4
CISA added SharePoint RCE CVE-2026-45659 to the KEV catalog on July 1 after confirmed exploitation. Deserialization bug patched OOB May 21; FCEB agencies have three days.
CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on Wednesday, July 1, 2026, citing confirmed exploitation in the wild. The bug is a deserialization of untrusted data (CWE-502) remote code execution in Microsoft SharePoint Server, CVSS 8.8. Microsoft patched it out-of-band on May 21, 2026. The FCEB remediation deadline is July 4, 2026 — a three-day window on a KEV entry, unusually tight and driven by the active-exploitation flag.
Affected versions
Per the Microsoft Security Update Guide entry for CVE-2026-45659:
- SharePoint Server Subscription Edition before build 16.0.19725.20280
- SharePoint Server 2019 before build 16.0.10417.20128
- SharePoint Enterprise Server 2016 before build 16.0.5552.1002
SharePoint Online (Microsoft 365) is not affected — this is on-premises only.
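An added example, not Microsoft's or CISA's code: a build-number check over a constructed farm inventory, compared numerically against the three fixed builds listed above. The edition labels and inventory rows are assumptions for illustration; the point it makes beyond the list is that dotted builds must not be compared as strings.

```python
# Added example, not Microsoft's or CISA's code: compare SharePoint farm builds
# numerically against the fixed builds quoted above for CVE-2026-45659.
# The inventory rows are constructed; real input would be a farm export.

# Fixed builds from the Microsoft Security Update Guide entry, as listed above.
FIXED_BUILDS = {
    "Subscription Edition": "16.0.19725.20280",
    "2019": "16.0.10417.20128",
    "2016": "16.0.5552.1002",
}

# Constructed inventory: (farm name, edition label, build reported by the farm)
INVENTORY = [
    ("intranet-se", "Subscription Edition", "16.0.19725.20280"),
    ("legacy-2019", "2019", "16.0.10417.20100"),   # below fixed build
    ("archive-2016", "2016", "16.0.5552.1002"),
]


def parse_build(build: str) -> tuple:
    """Split a dotted build into integers so it compares numerically.
    As strings, "16.0.10417.9999" > "16.0.10417.20128" because "9" > "2",
    which would wrongly report an older build as patched."""
    return tuple(int(part) for part in build.strip().split("."))


def assess_farm(edition: str, build: str) -> str:
    """Return 'patched', 'VULNERABLE', or 'unknown-edition' for one farm."""
    fixed = FIXED_BUILDS.get(edition)
    if fixed is None:
        return "unknown-edition"   # inventory label needs manual mapping
    if parse_build(build)[:2] != parse_build(fixed)[:2]:
        return "unknown-edition"   # major.minor mismatch: wrong product line
    return "patched" if parse_build(build) >= parse_build(fixed) else "VULNERABLE"


def assess_inventory(rows):
    """Assess every (name, edition, build) row; returns [(name, status), ...]."""
    return [(name, assess_farm(edition, build)) for name, edition, build in rows]


if __name__ == "__main__":
    for name, status in assess_inventory(INVENTORY):
        print(f"{name}: {status}")
```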
What the bug does
An authenticated attacker with a minimum of Site Member permissions can send a crafted request that causes the SharePoint server-side pipeline to deserialize attacker-controlled data. The gadget chain lands as remote code execution in the SharePoint worker process. No admin rights, no elevated privileges, no user interaction on the victim side. Microsoft's advisory keeps the "network / authenticated / low complexity" combination that yields CVSS 8.8 (PR:L / UI:N / AC:L / AV:N / S:U / C:H / I:H / A:H).
Site Member is the second-lowest built-in permission level. Any user granted contribute rights on any site collection is in scope; on internet-facing SharePoint instances with self-registration or open guest access, that's effectively "any authenticated user."
Patch and rollout timing
Microsoft published the fix as an out-of-band update on May 21, 2026, packaged as:
- KB5002863 — SharePoint Server Subscription Edition
- KB5002870 — SharePoint Server 2019
- KB5002868 — SharePoint Enterprise Server 2016
MSRC documented separately that CVE-2026-45659 was inadvertently omitted from the May 2026 Security Updates release notes — the fix shipped in the May Patch Tuesday builds, but the CVE metadata was published later. Practically: if the May 2026 SharePoint updates have been applied, no additional action is required for the patch itself. Customers still tracking against the release-notes CVE list may have marked this as "not applicable" and missed the mitigation. The MSRC page for the CVE is now the authoritative reference — confirm build numbers there against your farm inventory, not against the initial May 13 patch bulletin.
Exploitation status
CISA's KEV addition is the operative attribution: the catalog entry names "confirmed exploitation in the wild," and the tight three-day FCEB deadline is CISA's internal signal that exploitation is not theoretical. Microsoft's original May advisory rated exploitation as "less likely." That assessment has been overtaken by events.
Neither CISA nor Microsoft has named the actor or published detection artifacts (IOCs, YARA, Sigma). Reporting from The Hacker News and Help Net Security does not name a threat cluster, and no public PoC has surfaced against this specific CVE at the time of writing.
Action checklist
- Confirm the May 21 OOB is deployed on every SharePoint farm. Compare farm build numbers against 16.0.19725.20280 (Subscription Edition), 16.0.10417.20128 (2019), and 16.0.5552.1002 (2016). Do not rely on the May 2026 release-notes CVE list — this fix was published under the wrong metadata.
- Meet the July 4 FCEB deadline if you're in FCEB scope, or apply the same deadline to your own farms if you're state, local, tribal, territorial, or a regulated private-sector operator that mirrors federal timelines.
- Audit Site Member and Contributor grants on internet-reachable SharePoint sites. Anyone at Site Member or above can trigger the bug post-authentication. Self-service site creation, guest access with contribute rights, and stale service-account credentials all widen the attack population.
- Review IIS and SharePoint ULS logs for anomalous POSTs to _layouts/, _vti_bin/, and content-type application/octet-stream requests from unexpected user contexts, starting from May 21, 2026. Absent published IOCs, log review keyed on the deserialization sinks Microsoft addressed is the best available detection.
- Isolate on-prem SharePoint from direct internet exposure where possible. SharePoint Server is not designed to be an internet-facing publishing platform; reverse-proxy termination with strict WAF rules on request bodies is a defensible interim control if patching is delayed.
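The log-review item in the checklist, as an added example that is not from the advisory or any vendor tooling: a triage over constructed IIS W3C log lines that flags POSTs to _layouts/ or _vti_bin/ with an application/octet-stream body, on or after May 21, 2026, from accounts not on an allow-list of contexts expected to send such requests. It assumes the farm's IIS logging was extended with a custom cs(Content-Type) field, which is not in the default W3C field set; without it the content-type test has to come from WAF or reverse-proxy logs.

```python
# Added example, not Microsoft's or CISA's code. Log lines below are constructed.
# Assumption: IIS logging on the farm includes a custom cs(Content-Type) field;
# it is not part of the default W3C field set.
from datetime import date

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Content-Type) sc-status
2026-05-20 09:12:01 POST /_vti_bin/lists.asmx CONTOSO\\svc-sync 10.0.0.5 application/octet-stream 200
2026-05-22 03:41:17 POST /_vti_bin/lists.asmx CONTOSO\\svc-sync 10.0.0.5 application/octet-stream 200
2026-05-22 03:41:19 POST /_layouts/15/upload.aspx CONTOSO\\bob 10.0.0.9 multipart/form-data 200
2026-06-01 11:05:44 POST /_layouts/15/upload.aspx CONTOSO\\guest123 198.51.100.4 application/octet-stream 500
2026-06-01 11:06:02 GET /_layouts/15/start.aspx CONTOSO\\guest123 198.51.100.4 - 200
"""

PATCH_DATE = date(2026, 5, 21)                 # start of the review window
SINK_PREFIXES = ("/_layouts/", "/_vti_bin/")   # paths named in the checklist
EXPECTED_OCTET_STREAM_USERS = {"CONTOSO\\svc-sync"}  # constructed allow-list


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names on the #Fields line, so the
    logic below does not depend on column order."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def is_suspicious(entry):
    """Every checklist condition must hold: POST, sink path, octet-stream body,
    inside the review window, and not an account expected to send these."""
    stem = entry.get("cs-uri-stem", "").lower()
    return (
        entry.get("cs-method") == "POST"
        and stem.startswith(SINK_PREFIXES)
        and entry.get("cs(Content-Type)", "").lower() == "application/octet-stream"
        and date.fromisoformat(entry["date"]) >= PATCH_DATE
        and entry.get("cs-username") not in EXPECTED_OCTET_STREAM_USERS
    )


def triage(text):
    """Return the entries worth a human look, in log order."""
    return [e for e in parse_w3c(text) if is_suspicious(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["cs-username"], hit["c-ip"], hit["cs-uri-stem"])
```

The allow-list is the part that needs local knowledge: integration and backup accounts that legitimately POST binary bodies to these paths should be enumerated before the output is treated as a finding.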
Context
This is the third SharePoint deserialization RCE added to KEV in eighteen months. The pattern — SharePoint's server-side pipeline processes serialized objects across multiple entry points, and each new gadget chain surfaces months after the underlying bug lands in the codebase — is now well established. Every quarter that on-prem SharePoint remains internet-reachable is another quarter waiting for the next KEV entry.
What other outlets missed
Coverage from The Hacker News, SecurityAffairs, and Help Net Security leads on the KEV addition and the May patch, but understates the metadata gap: because MSRC omitted CVE-2026-45659 from the May 2026 release notes and re-attached the CVE later, any organisation using the release-notes-driven "installed rollup covers listed CVEs" model may have marked this as covered without checking build numbers. The remediation is trivial if the May Patch Tuesday build is on the farm; the failure mode is thinking it isn't applicable because the release notes said so on May 13.