Critical SharePoint RCE (CVE-2026-45659) Actively Exploited – Added to CISA KEV
Key Questions
What is the SharePoint RCE vulnerability CVE-2026-45659?
It is a critical remote code execution flaw in SharePoint Server that is actively exploited and has been added to CISA's Known Exploited Vulnerabilities catalog. Microsoft IR has reported parallel threat actor activity involving ransomware and hidden backdoors.
What actions should organizations take regarding the SharePoint exploit?
IT leaders must patch SharePoint Server immediately and monitor for post-exploitation indicators such as deserialization activity. CISA has issued orders for federal agencies to patch before ransomware actors strike.
Are other vulnerabilities being exploited alongside SharePoint?
Yes, active exploitation of Cisco UCM vulnerabilities is occurring in parallel with the SharePoint RCE attacks. This creates combined risks for collaboration and infrastructure environments.
A critical remote code execution vulnerability in SharePoint Server (CVE-2026-45659) is now actively exploited and added to CISA's Known Exploited Vulnerabilities catalog. Microsoft IR reports a parallel threat actor case showing ransomware and hidden backdoors. New technical details include deserialization mechanics, patch steps, and post-exploitation indicators. IT leaders must patch SharePoint immediately and monitor for post-exploitation activity.