Threat Bulletin

On-premises SharePoint RCE has been actively exploited, and support for 2016/2019 ends in one week

ALERT ESSENTIALS

A remote code execution vulnerability in on-premises Microsoft SharePoint Server — CVE-2026-45659 is under active exploitation and was added to CISA’s Known Exploited Vulnerabilities catalog on July 1, 2026. The federal remediation deadline (July 4) has already passed. Microsoft shipped the fix in cumulative updates on May 12th, 2026, but didn’t publicly document the CVE until May 22nd. Organizations that reviewed May’s release notes may have missed it. An authenticated attacker needs only baseline Site Member permission to trigger it; no admin rights required. Patch immediately.

THREAT DESCRIPTION

CVE-2026-45659 (CVSS 8.8, CWE-502 deserialization of untrusted data) affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An attacker holding Site Member permissions, the default access level for most enterprise SharePoint users, can submit a crafted deserialization payload to execute arbitrary code under the SharePoint application pool identity. No privilege escalation or pre-auth bypass is required, so any account compromised via phishing, infostealers, or credential stuffing is a viable entry point.

CISA confirmed active exploitation on July 1 and has not yet published attribution. Reporting this CVE to the Storm-2603/Warlock ransomware operation is unconfirmed — Microsoft’s own reporting on recent Storm-2603 activity cites a different vulnerability as the entry point in that investigation. Treat exploitation as unattributed until CISA or Microsoft states otherwise. SharePoint Online / Microsoft 365 is not affected.

HEALTHCARE IMPACT

On-prem SharePoint farms are common in healthcare for clinical collaboration and partner document sharing, typically reachable by a broad set of accounts — any one of which meets this flaw’s low bar. A compromised server can expose PHI-adjacent documents and pivot into identity-integrated systems; if patient data was accessible, HIPAA breach notification obligations apply. Shadowserver was tracking 10,000+ internet-exposed SharePoint servers as of early July.

AFFECTED PRODUCTS / CVE REFERENCE

CVE
Impacted Versions
Fix
CVSS
CWE
CISA KEV
Tenable Plugin
CVE-2026-45659
SharePoint Subscription Ed.
< 16.0.19725.20280
KB5002863
May ’26 CU
8.8
CWE-502
Yes
Due 7/4/26
Passed
314338
CVE-2026-45659
SharePoint Enterprise Server 2016
< 16.0.5552.1002
KB5002868
May ’26 CU
8.8
CWE-502
Yes
Due 7/4/26
Passed
314344
CVE-2026-45659
SharePoint Server 2019
< 16.0.10417.20128
KB5002870
May ’26 CU
8.8
CWE-502
Yes
Due 7/4/26
Passed
314345

Note: Same CVE across all three on-prem editions; SharePoint Online is unaffected. 2016 and 2019 also reach the end of extended support 7/14/26 — see Admin/Executive Recommendations

RECOMMENDATIONS

Patching & Remediation

  • Apply the May 2026 cumulative update matching your farm version — KB5002868 (2016), KB5002870 (2019), or KB5002863 (Subscription Edition) via the Microsoft Update Catalog, then verify with Get-SPFarm | Select-Object BuildVersion.
  • Run the Products Configuration Wizard on every server (app server first, then each front-end), then iisreset /restart on each front-end — skipping either can leave a vulnerable endpoint live post-patch.
  • Treat patching and compromise assessment as parallel, not sequential; the gap between patch availability (May 12) and confirmed exploitation (by July 1) means some servers may already be compromised.

Detection / Threat Hunting

  • Run Tenable plugins 314344 (2016), 314345 (2019), and 314338 (Subscription Edition) to confirm patch coverage — a clean scan does not rule out prior compromise.
  • Hunt for w3wp.exe spawning PowerShell/cmd.exe, unrecognized ASPX files under _layouts, and outbound connections to remote-access tooling from SharePoint servers.

Hardening / Compensating Controls

  • Audit Site Member+ permissions across every site collection, deprovision contractor, service, and legacy accounts without a standing need.
  • Rotate ASP.NET machine keys on all SharePoint servers regardless of confirmed compromises; prior campaigns have used stolen keys to persist through patching.

Admin / Executive Recommendations

  • If PHI-adjacent content was reachable through a compromised site, initiate HIPAA breach determination; the 60-day OCR clock starts at confirmed compromise, not patch completion.
  • SharePoint 2016 and 2019 reach the end of extended support on July 14, 2026, one week out, no ESU program announced. Any org still on 2016/2019 needs a migration or isolation decision now, independent of this CVE.

Sources



From Fortified Health Security

Fortified Health Security is committed to maturing your healthcare organization’s cybersecurity posture. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

Should you have any questions about this threat or any other issue you are facing, please reach out to us. We’re here to help you on your cybersecurity journey.

Email: connect@fortifiedhealthsecurity.com    Phone: 615-600-4002

Share