On July 1, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Microsoft SharePoint Server and is categorized specifically as a "Deserialization of Untrusted Data" flaw.
According to CISA, there is evidence of active exploitation in the wild. Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the specified deadlines. However, the implications extend far beyond the federal government. Deserialization vulnerabilities in widely used collaboration platforms like SharePoint are a prime vector for initial access, ransomware deployment, and lateral movement. Defenders must treat this as an active threat to their enterprise infrastructure.
Technical Analysis
Affected Products:
- Microsoft SharePoint Server (Subscription Edition)
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 (Check specific advisory applicability)
Vulnerability Details:
- CVE ID: CVE-2026-45659
- Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
- Impact: Remote Code Execution (RCE)
Mechanism of Attack: Deserialization vulnerabilities occur when an application accepts serialized objects (blobs of data representing an object state) from an untrusted source and attempts to reconstruct them without proper validation. In the context of SharePoint, this typically involves the .NET runtime handling serialized data formats (e.g., JSON, XML, or binary formatters) via a web endpoint.
An attacker can craft a malicious serialized payload that, when deserialized by the SharePoint server, triggers arbitrary code execution. This usually results in the attacker gaining SYSTEM-level privileges on the web server, as SharePoint services typically run with high privileges to function correctly.
Attack Chain:
- Reconnaissance: Attacker identifies exposed SharePoint servers (port 443/80).
- Exploitation: Attacker sends a specially crafted HTTP POST request containing a malicious serialized object to a vulnerable SharePoint API endpoint.
- Deserialization: The SharePoint application processes the request, and the .NET deserializer interprets the malicious payload.
- Execution: The payload triggers code execution within the context of the IIS worker process (
w3wp.exe). - Post-Exploitation: The attacker establishes a web shell, dumps credentials, or moves laterally into the domain.
Detection & Response
Given the active exploitation status, security teams must hunt for signs of compromise immediately. Deserialization attacks can be difficult to detect at the network level without deep packet inspection (DPI), so endpoint telemetry is critical for identifying the successful execution phase.
SIGMA Rules
The following Sigma rules focus on the high-fidelity behavioral indicators of successful RCE on SharePoint servers: the web server process spawning unauthorized shells or utilities.
---
title: Potential SharePoint Deserialization RCE - PowerShell Spawn
id: a1b2c3d4-2026-4565-9e10-123456789abc
status: experimental
description: Detects potential remote code execution via SharePoint deserialization vulnerability by identifying w3wp.exe spawning PowerShell.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/07/02
tags:
- attack.initial_access
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate administrative scripts running on SharePoint servers (rare)
level: high
---
title: Potential SharePoint Deserialization RCE - Cmd Shell Spawn
id: b2c3d4e5-2026-4565-9f21-234567890bcd
status: experimental
description: Detects potential remote code execution via SharePoint deserialization vulnerability by identifying w3wp.exe spawning cmd.exe.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/07/02
tags:
- attack.initial_access
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
Image|endswith: '\cmd.exe'
condition: selection
falsepositives:
- Authorized system administration
level: high
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for suspicious child processes spawned by the SharePoint IIS worker process.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessCommandLine, CommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for processes where the parent is the SharePoint worker process, indicative of a web shell or direct command execution.
-- Hunt for suspicious processes spawned by SharePoint Worker Process
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, PPid
FROM pslist()
WHERE ParentName =~ "w3wp.exe"
AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
Remediation Script (PowerShell)
This script assists in the identification of the vulnerable software version by checking the file version of the core SharePoint assembly. Note: You must update the $TargetMinVersion variable based on the specific build numbers released in the official Microsoft Security Update for CVE-2026-45659.
# Check SharePoint Server Version for CVE-2026-45659 Exposure
# Requires Administrative Privileges
Write-Host "[+] Checking for SharePoint Server installations..." -ForegroundColor Cyan
# Define the target fixed version (HYPOTHETICAL - VERIFY WITH MSRC ADVISORY)
# Replace with the actual secure build number from the Microsoft patch release
$TargetMinVersion = New-Object System.Version("16.0.18000.1000")
$SharePointPaths = @(
"${env:CommonProgramFiles}\Microsoft Shared\Web Server Extensions\16\ISAPI",
"${env:CommonProgramFiles(x86)}\Microsoft Shared\Web Server Extensions\16\ISAPI"
)
$VulnerableFound = $false
foreach ($Path in $SharePointPaths) {
if (Test-Path $Path) {
$DllPath = Join-Path $Path "Microsoft.SharePoint.dll"
if (Test-Path $DllPath) {
$FileInfo = Get-Item $DllPath
$FileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($DllPath).FileVersion
$FileVerObj = New-Object System.Version($FileVersion)
Write-Host "[INFO] Found SharePoint DLL at: $DllPath"
Write-Host "[INFO] Current Version: $FileVersion"
if ($FileVerObj -lt $TargetMinVersion) {
Write-Host "[ALERT] Version is lower than target fix ($TargetMinVersion). System is likely VULNERABLE to CVE-2026-45659." -ForegroundColor Red
$VulnerableFound = $true
} else {
Write-Host "[OK] Version meets or exceeds target fix." -ForegroundColor Green
}
}
}
}
if (-not $VulnerableFound) {
Write-Host "[INFO] No vulnerable instances detected based on provided target version." -ForegroundColor Green
}
Remediation
1. Apply Security Updates Immediately: Microsoft has released security updates to address this vulnerability. Apply the patches for your specific version of SharePoint Server immediately.
- Action: Review the Microsoft Security Response Center (MSRC) advisory for CVE-2026-45659 and download the cumulative update.
- Priority: Critical.
2. Validate CISA BOD 26-04 Deadlines: For FCEB agencies, CISA mandates remediation by the deadline specified in the KEV entry (typically within 3 weeks for CVEs added to the catalog). Private sector organizations should align with this timeline.
3. Network Controls (Temporary Mitigation): If patching is delayed, restrict internet-facing access to SharePoint servers from untrusted networks. Ensure Web Application Firewalls (WAF) are updated with signatures to block common deserialization payloads.
4. Audit for Compromise:
Assume that unpatched servers exposed to the internet may already be compromised. Use the detection queries above to hunt for w3wp.exe spawning shells in the last 30 days.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.