CVE-2026-45659 (CVSS 8.8): SharePoint RCE Now in CISA’s KEV — Storm-2603 Is Already Knocking
Microsoft called it “less likely.” CISA called it confirmed active exploitation — and gave federal agencies 72 hours to fix it. On 1 July 2026, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog, the gold standard for “patch this now, not next quarter.” The vulnerability — a CVSS 8.8 remote code execution flaw rooted in the way Microsoft SharePoint Server deserializes untrusted data — has been patchable since May 2026. If you haven’t applied the fix, someone may have already used it as a door into your network.
For Indian IT teams running SharePoint on-premises as the backbone of their enterprise intranet, this is not a routine advisory. The CISA deadline of 4 July 2026 for federal agencies is a benchmark that every Indian organisation should mirror — and beat.
- CVE-2026-45659 is a CVSS 8.8 deserialization RCE in SharePoint Server Subscription Edition, 2019, and 2016.
- CISA added it to its KEV catalog on July 1, 2026 — meaning confirmed, real-world exploitation is already happening.
- The bar to exploit is dangerously low: any authenticated user with Site Member permissions can trigger arbitrary code execution over the network.
- Threat actor Storm-2603 has a documented history of weaponising SharePoint deserialization bugs, deploying Warlock ransomware after gaining access.
- Patches shipped in May 2026. The federal remediation deadline is 4 July 2026. There is no acceptable reason to still be unpatched.
What Is CVE-2026-45659 and Why Is It Dangerous?
CVE-2026-45659 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint Server. Deserialization bugs are notoriously dangerous because they allow an attacker to craft a malicious byte stream that, when the application tries to reconstruct it as an object, hijacks the execution flow and runs arbitrary code. In SharePoint’s case, that code runs in the context of the SharePoint service account — an account that typically holds significant privileges on its host Windows server.
What makes CVE-2026-45659 especially alarming is the near-zero friction for attackers. Exploitation requires only a valid SharePoint login at Site Member level — the default access tier granted to most intranet users in the average Indian enterprise. No administrator rights. No privilege escalation required at the point of entry. A phished employee, a rogue contractor, or a threat actor who has already bought a credential bundle on a cybercrime forum has everything they need.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-45659 |
| CVSS Base Score | 8.8 (High) |
| Vulnerability Class | Deserialization of Untrusted Data (CWE-502) |
| Attack Vector | Network (no local access required) |
| Authentication Required | Low — Site Member permissions only |
| Affected Products | SharePoint Server Subscription Edition, 2019, 2016 |
| SharePoint Online (M365) Affected? | No — cloud-only tenants were patched by Microsoft |
| Patch Released | May 2026 Cumulative Update |
| CISA KEV Added | 1 July 2026 |
| Federal Remediation Deadline | 4 July 2026 |
Storm-2603: The Ransomware Group Already at the Door
While CISA declined to name the specific threat actors exploiting CVE-2026-45659 in its advisory, Microsoft’s own threat intelligence fills the gap. Storm-2603, a financially motivated threat actor active since at least mid-2025, has a well-documented pattern of targeting SharePoint deserialization vulnerabilities as initial access vectors. Once inside, the group follows a methodical kill chain that transforms a single compromised SharePoint credential into a full ransomware deployment:
- Initial Access: Exploit a deserialization vulnerability (such as CVE-2026-45659) using authenticated credentials to gain a foothold on the SharePoint server.
- Discovery: Probe the host for configuration files — particularly
win.iniandweb.config— to map server topology and locate additional credentials or service account details. - Persistence via Trusted Binaries: Deploy Cloudflare Tunnel (
cloudflared.exe) — a digitally signed binary that most enterprise firewalls treat as legitimate — as a covert, outbound-only command-and-control channel that bypasses traditional perimeter controls. - Secondary Remote Access: Install commercial RMM tools such as Zoho Assist and establish SSH tunnels as additional C2 pathways, providing redundancy if one channel is discovered and blocked.
- Privilege Escalation: Create new local administrator accounts on the SharePoint host to ensure persistence survives any attempt to reset service account passwords.
- Lateral Movement and Ransomware Deployment: Pivot across the internal network to reach Active Directory, backup servers, and file stores before detonating Warlock ransomware across the estate.
This kill chain is not theoretical. It mirrors the ransomware timelines I have personally responded to across Indian enterprise clients — and in every incident, the first domino was an unpatched, reachable service. Ransomware groups can complete this chain in under an hour once they have confirmed initial access. A delayed patch is not a calculated risk — it is an open invitation.
For further context on this exploitation activity, both The Hacker News and SecurityWeek have detailed reporting on CISA’s alert and Storm-2603’s connection to this vulnerability class.
Why “Exploitation Less Likely” Was the Wrong Signal to Trust
When Microsoft released the May 2026 Cumulative Update, its Exploitability Assessment for CVE-2026-45659 read “Exploitation Less Likely.” This is a predictive score assigned at time of patching — before the security community has reverse-engineered the patch, before proof-of-concept code appears in the wild, and before threat actors have had weeks to study the delta between patched and unpatched DLLs.
History is unambiguous: a significant percentage of “Exploitation Less Likely” vulnerabilities eventually see real-world attacks, particularly when they are:
- Low-barrier (authenticated-only, not unauthenticated) — easier to weaponise for targeted attacks
- Present in widely deployed, network-facing enterprise software
- Deserialization-based — a vulnerability class well understood by advanced threat actors
CVE-2026-45659 checked all three boxes. CISA’s KEV listing has removed all ambiguity. A vulnerability only enters the KEV catalog on the basis of confirmed, documented exploitation — not theoretical risk or available exploit code. The agency’s official advisory and its binding directive to federal agencies underscore how seriously it views the threat activity it has observed.
What You Should Do Right Now: Sanjay Seth’s Incident Response Checklist
As a consultant who has hardened SharePoint environments across BFSI, manufacturing, and government organisations in Delhi NCR, here is precisely what I am telling clients this week:
Immediate — Before End of Business Today
- Identify every SharePoint on-premises instance in your environment — Subscription Edition, 2019, and 2016 are all affected. Perform a shadow IT scan; unregistered instances are common in organisations that have grown through M&A or regional office expansion.
- Apply the May 2026 Cumulative Update from the Microsoft Security Response Center advisory for CVE-2026-45659. Stage it in a pre-production environment for a rapid smoke test, but do not allow the testing cycle to push production patching beyond 48 hours.
- Audit SharePoint authentication logs for anomalies from May 2026 onward: logins from unfamiliar IP addresses, service accounts accessing SharePoint at unusual hours, or authenticated sessions followed immediately by large-volume data reads or unusual POST requests to page-execution endpoints.
- Block
cloudflared.exeat the endpoint via your EDR or application control policy. Because it is a signed Cloudflare binary, it frequently evades basic firewall blocks — an endpoint-side hash or publisher-name rule is the effective control.
Short-Term Hardening — This Week
- Tighten SharePoint role assignments. The exploit requires only Site Member access. If your intranet grants every employee Site Member or higher by default — a common lazy-admin configuration — tighten this immediately. The smaller the set of valid authenticated identities, the smaller the pool of credentials an attacker can use.
- Enable WAF rules for .NET deserialization patterns upstream of SharePoint. If you’re running FortiGate, ensure your IPS signature database is current and that the application control profile enforcing inspection on your SharePoint-facing interface includes the relevant deserialization detection signatures.
- Hunt for rogue local administrator accounts created on SharePoint hosts since May 2026. Storm-2603’s tactic of creating new admin accounts as a persistence mechanism means these will survive a password reset of the original service account.
- Validate your SIEM alert coverage for Zoho Assist and
cloudflared.exeprocess executions. A security tool you’re not monitoring is just a speed bump for a determined attacker.
Strategic Layer: Zero-Trust Limits the Blast Radius
Even a fully exploited SharePoint RCE becomes dramatically less catastrophic inside a mature zero-trust architecture. Micro-segmentation between SharePoint and your domain controllers, identity-aware east-west inspection, and per-session conditional access means that an attacker who achieves code execution on the SharePoint host cannot simply walk laterally to Active Directory and backup infrastructure. CVE-2026-45659 is a compelling, concrete argument to bring to your CISO or CFO if zero-trust investment has stalled in budget discussions.
The India Context: Why This Hits Harder Here
India’s enterprise sector — particularly BFSI, manufacturing, government PSUs, and IT/BPO — runs a significant on-premises Microsoft stack. SharePoint 2016 and 2019 installations are widespread, often deployed in data centres with change-control processes that were never designed around a 72-hour emergency patch cycle. The Subscription Edition footprint is growing but by no means universal.
CERT-In’s six-hour mandatory incident disclosure rule means that if Storm-2603 or any affiliated group exploits CVE-2026-45659 in an Indian organisation and deploys Warlock ransomware, the forensic investigation — establishing timeline, identifying exfiltrated data, determining blast radius — will be substantially more expensive than any emergency patch window that was skipped. Indian organisations are not bound by the CISA July 4 federal deadline, but treating it as the global benchmark for urgency is the right call.
India also presents a specific risk amplifier: many SharePoint deployments are accessible via VPN-gated intranets, but the VPN endpoints themselves are sometimes unmonitored, creating a path where a compromised credential — particularly from a remote or hybrid worker — can reach SharePoint without triggering any perimeter alert.
Frequently Asked Questions
Does CVE-2026-45659 affect SharePoint Online (Microsoft 365)?
No. CVE-2026-45659 is exclusively an on-premises vulnerability affecting SharePoint Server Subscription Edition, 2019, and 2016. Microsoft 365 SharePoint Online is managed infrastructure where Microsoft applied backend mitigations without requiring customer action. If your entire SharePoint footprint lives in M365, you are not directly exposed by this CVE — however, organisations running hybrid configurations where on-premises SharePoint servers synchronise with or relay traffic to M365 should audit those integration points separately.
What compensating controls apply if we cannot patch immediately?
If an emergency patch window cannot be opened within 48 hours, apply the following in order of priority: (1) restrict network access to SharePoint so only trusted IP ranges — managed corporate endpoints and VPN egress addresses — can reach the application layer; (2) enforce conditional access requiring compliant, managed devices for all SharePoint authentication; (3) remove or audit all Site Member and above assignments to reduce the credential pool available to an attacker; (4) enable the tightest available WAF/IPS profile upstream of SharePoint. These controls do not eliminate the risk — only the patch does — but they raise the bar considerably.
How do I determine if we have already been compromised via this CVE?
Run a focused threat hunt: search endpoint logs on all SharePoint hosts for cloudflared.exe or Zoho Assist execution events since May 2026; review SharePoint ULS logs for unexpected HTTP 500 errors on /_layouts/ or /_vti_bin/ paths that correlate with deserialization exceptions; check Windows Security logs on SharePoint hosts for new local administrator account creation events; and look for web.config or win.ini file reads initiated by the IIS worker process outside of deployment windows. If any of these indicators are present, treat the host as compromised and engage an incident response team immediately.
Is there a public exploit available for CVE-2026-45659?
As of 3 July 2026, no fully weaponised, publicly released exploit code has been confirmed. However, CISA’s KEV listing means exploitation is occurring using non-public methods — almost certainly through patch-diffing the May 2026 update or via private exploit code circulating in threat-actor communities. The absence of a public exploit is not a reason to delay patching; confirmed in-the-wild exploitation is the only signal you need to act with urgency.
Ready to Harden Your SharePoint Environment?
Understanding that a vulnerability exists is only the first step. Knowing your specific SharePoint environment’s exposure — exactly which versions you’re running, how they’re segmented from the rest of your network, which accounts could be leveraged, whether indicators of compromise already exist from the past 60 days — requires hands-on analysis from someone who has done this work at scale.
That is what I do for organisations across Delhi NCR and across India. Whether you need patch validation, a focused threat hunt for Storm-2603 indicators, perimeter segmentation review, or a full zero-trust readiness assessment, I can help you move from “we’re aware” to “we’re protected.”
Request a Security Assessment →
Conversations are confidential. The initial discussion carries no obligation.