CVE-2026-45659: the 'forgotten' SharePoint deserialization RCE that CISA just flagged as exploited
An authenticated .NET deserialization bug in on-prem SharePoint -- patched in May, dropped from the summary, and in CISA KEV by July
The flaw lets an authenticated SharePoint user send a crafted, malicious object to the server and have it run code -- classic untrusted-data deserialization. It is not the unauthenticated 2025 "ToolShell" chain: here the attacker needs valid credentials with only Site Member (contributor) permissions before they can fire it. That single precondition is the difference between a wormable internet event and a serious post-credential problem -- and with SharePoint's history as a ransomware on-ramp, it is still one to close today.
Scores as of 2026-07-05
What the flaw actually is
At its core this is a CWE-502 "deserialization of untrusted data" bug. On-prem SharePoint takes attacker-supplied data and deserializes it through a .NET path without properly validating the object graph, so a crafted payload can instantiate a gadget chain that ends in code execution as the SharePoint application-pool identity (w3wp.exe). It is the same class of wound that has hit ASP.NET and SharePoint before: untrusted input reaching a formatter (BinaryFormatter, LosFormatter/ObjectStateFormatter for ViewState, a DataSet deserializer), where the act of deserializing runs the gadget before any application logic does.
The exploitation chain
From a valid low-privilege login to code execution, a webshell, and stolen keys. The cheapest chokepoint is the patch itself -- it removes the unsafe deserialization path entirely; AMSI Full Mode is the interim brake, and the branch to MachineKey theft is why patching alone does not evict an attacker who already got in.
CVE-2026-45659 exploitation chain -- authenticated deserialization to RCE, webshell and MachineKey theft
- Authenticated SharePoint access (min. Site Member) — Precondition (PR:L). Insider, phished/sprayed account, or a chained access bug. **Prevent:** MFA, least-privilege on contributor roles, segment external access.
- Craft malicious serialized .NET object — A ysoserial.net-class gadget chain. Exact sink/endpoint undisclosed as of 5 Jul 2026 -- no public PoC exists.
- POST the payload to SharePoint over the network — AV:N, AC:L, UI:N. **Chokepoint:** AMSI Full Mode can block the malicious request body before it deserializes.
- Server deserializes untrusted data (CWE-502) — The act of deserializing triggers the gadget. **Prevent:** patching to the fixed build removes the unsafe path entirely.
- Code execution as w3wp.exe — RCE as the SharePoint app-pool identity. **Detect:** w3wp.exe spawning cmd/powershell/csc.
- Drop .aspx webshell in LAYOUTS — T1505.003 persistence. **Detect:** SigmaHQ file_event rule on LAYOUTS .aspx creation (spinstall*.aspx pattern).
- Steal ASP.NET MachineKeys -> forge ViewState — T1552 credential access. Enables re-entry AFTER patching. **Contain:** rotate MachineKeys + iisreset farm-wide.
- Persistence & lateral movement — Malicious IIS modules, scheduled tasks, credential reuse. Patch != eviction -- full IR required.
- Prevent: PATCH removes the sink — Cheapest, most reliable break: apply the fixed build (2016 >=16.0.5552.1002, 2019 >=16.0.10417.20128, SE >=16.0.19725.20280).
- Detect: w3wp spawns a shell / webshell drop — Deploy the SigmaHQ process + file rules; hunt w3wp.exe children and new LAYOUTS .aspx files.
Am I affected?
The bug affects on-prem SharePoint only -- SharePoint Online in Microsoft 365 is not affected. Do not trust your patch tracker: because the CVE was dropped from the May summary, verify the actual build. In the SharePoint Management Shell run (Get-SPFarm).BuildVersion and Get-SPProduct -Local; externally, any /_layouts/15/ request leaks the build in the MicrosoftSharePointTeamServices response header. If you already installed the May 2026 security/cumulative updates, Microsoft says no further action is needed for this flaw.
| Edition (on-prem) | Fixed build (>=) | KB (verify on MSRC) |
|---|---|---|
| SharePoint Enterprise Server 2016 | 16.0.5552.1002 | KB5002868 |
| SharePoint Server 2019 | 16.0.10417.20128 | KB5002870 |
| SharePoint Server Subscription Edition | 16.0.19725.20280 | KB5002863 |
| SharePoint Online (Microsoft 365) | Not affected | -- |
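An added build check that is not part of the advisory or of Microsoft's tooling: it compares the farm build reported by (Get-SPFarm).BuildVersion with the fixed builds in the table above. The edition is inferred from the third version component (an assumption, stated in the code); confirm it with Get-SPProduct -Local.

```powershell
# Added example, not from the advisory or Microsoft: compare the farm build
# with the fixed builds in the table above. Run in the SharePoint Management
# Shell on any server in the farm.
function Test-Cve202645659Patched {
    param([version]$Build = (Get-SPFarm).BuildVersion)

    # Fixed builds are the advisory's values. The edition is inferred from the
    # third version component (assumption: 2016 builds are below 10000, 2019
    # builds are 10xxx, Subscription Edition is 14000 and above); confirm the
    # edition with Get-SPProduct -Local if in doubt.
    if ($Build.Build -lt 10000) {
        $edition = 'SharePoint Enterprise Server 2016'
        $fixed   = [version]'16.0.5552.1002'
    } elseif ($Build.Build -lt 14000) {
        $edition = 'SharePoint Server 2019'
        $fixed   = [version]'16.0.10417.20128'
    } else {
        $edition = 'SharePoint Server Subscription Edition'
        $fixed   = [version]'16.0.19725.20280'
    }

    # [version] compares all four components, so 16.0.5552.1001 is still unpatched.
    $patched = $Build -ge $fixed
    [pscustomobject]@{
        Edition    = $edition
        FarmBuild  = $Build
        FixedBuild = $fixed
        Patched    = $patched
        Action     = if ($patched) { 'No further action for this CVE' }
                     else { 'Install the May 2026 update for this edition, then re-check' }
    }
}

# Farm-level verdict first, then the per-server product view from the advisory
# so a web front end that never got the binaries installed does not hide behind
# the farm build number.
Test-Cve202645659Patched | Format-List
Get-SPProduct -Local
```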

| Axis | Value | What it means |
|---|---|---|
| CVSS 3.1 | 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Network, low-complexity, but needs a login (PR:L) |
| EPSS | ~3.2% (about 87th pct) | Modest -- reflects the auth gate and no public PoC |
| CISA KEV | Listed 1 Jul 2026 (due 4 Jul) | Confirmed active exploitation; deadline already elapsed |
| Exploited in the wild | Yes -- per CISA KEV | CISA published no attack details; no reports before the listing |
| Public PoC | None (fake repos are malware) | The GitHub 'PoCs' are tinyurl-download scam lures |
| Ransomware use | Unknown / not confirmed | CISA marks ransomware use unknown for this CVE |
Timeline
Patched in May, forgotten, then KEV-flagged in July
- Patch ships quietly: Microsoft fixes the flaw in the May 2026 updates and rates it Exploitation Less Likely -- but the CVE is inadvertently omitted from the May Security Updates summary.
- Added to CISA KEV: CISA cites evidence of active exploitation and sets a BOD 26-04 remediation deadline of 4 July 2026 (~3 days).
- Wide coverage: SecurityWeek, The Register, The Hacker News and others report CISA reversing Microsoft's "less likely" assessment.
- Federal deadline (elapsed): The three-day FCEB patch deadline passes -- unpatched on-prem farms are out of compliance and in scope for exploitation.
Exploited in the wild -- what we do and don't know
The exploitation is KEV-implied, not richly documented. CISA's listing is authoritative confirmation that the bug is being used -- but the agency shared no attack details, and SecurityWeek notes there were no public in-the-wild reports before the warning. So the fact of exploitation is solid; the who and how are not public.
Detection & hunting
There is no Nuclei template or public scanner check for this CVE yet, and because exploitation is authenticated, an unauthenticated probe would only fingerprint the build anyway. So detection leans on the well-documented on-prem SharePoint deserialization-and-webshell tradecraft from the 2025 ToolShell response -- the same product and same CWE-502 class. Two high-value signals:
- Webshells in LAYOUTS: unexpected .aspx (or .dll/.js) files under ...\Web Server Extensions\15\TEMPLATE\LAYOUTS\ (SP2016) or \16\TEMPLATE\LAYOUTS\ (SP2019/SE). ToolShell used spinstall0.aspx and variants to dump MachineKey material.
- IIS worker spawning a shell: w3wp.exe launching cmd.exe / powershell.exe -EncodedCommand / csc.exe -- a healthy SharePoint worker essentially never does this. Sysmon EID 1 (ParentImage ends with \w3wp.exe) plus EID 11 for the .aspx drop.
- IIS logs: anomalous POSTs carrying serialized/ViewState payloads; audit loaded IIS modules (appcmd list modules) for fileless persistence.
- Heuristic only (2025 ToolShell IoCs, not confirmed for this CVE): retro-hunt IPs 96.9.125.147 / 107.191.58.76 / 104.238.159.149 and C2 update.updatemicfosoft.com.
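The two primary signals above as a Sysmon hunt, added here as an example and not taken from the advisory or from SigmaHQ. It assumes Sysmon is logging EID 1 (process create) and EID 11 (file create) on each web front end and that the shell is elevated; the shell list and the LAYOUTS regex are the author's choices.

```powershell
# Added example, not from the advisory: hunt the two signals above in the Sysmon
# operational log on a SharePoint web front end. Assumes Sysmon records EID 1
# (process create) and EID 11 (file create) and that the shell runs elevated.
function ConvertFrom-SysmonEvent {
    # Flatten the <Data Name="..."> nodes of one event into a single object.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $fields = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Find-SharePointWebshellSigns {
    param([int]$Hours = 72)
    $log   = 'Microsoft-Windows-Sysmon/Operational'
    $since = (Get-Date).AddHours(-$Hours)

    # Signal 1: w3wp.exe spawning a shell or the C# compiler. A healthy SharePoint
    # worker essentially never does this, so every hit deserves a look.
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'csc.exe'
    $spawns = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        ConvertFrom-SysmonEvent |
        Where-Object { $_.ParentImage -like '*\w3wp.exe' -and $shells -contains (Split-Path $_.Image -Leaf) } |
        Select-Object UtcTime, Image, CommandLine, ParentCommandLine

    # Signal 2: a new .aspx/.dll/.js anywhere under TEMPLATE\LAYOUTS (\15\ = SP2016,
    # \16\ = SP2019/SE). Unlike the Sigma rule this is not tied to spinstall*.aspx,
    # so renamed shells also surface; expect benign hits while a CU is installing.
    $drops = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue |
        ConvertFrom-SysmonEvent |
        Where-Object { $_.TargetFilename -match '\\1[56]\\TEMPLATE\\LAYOUTS\\.*\.(aspx|dll|js)$' } |
        Select-Object UtcTime, Image, TargetFilename

    [pscustomobject]@{ ShellSpawns = @($spawns); LayoutsDrops = @($drops) }
}

# Run on each WFE; both lists empty over the exposure window is the expected result.
Find-SharePointWebshellSigns -Hours 72 | Format-List
```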
```yaml
# SigmaHQ (verbatim, authored for CVE-2025-53770) - directly reusable for a
# SharePoint deserialization RCE: same webshell-in-LAYOUTS tradecraft.
title: Potential SharePoint Webshell Exploitation - File Create
id: ba479447-721f-42a9-9af2-6dcd517bbdb3
status: experimental
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '\spinstall.aspx'
            - '\spinstall?.aspx'
            - '\debug_dev.js'
    condition: selection
level: critical
```
What to do now
- Patch to the fixed build for your edition (see the table above). It is the only reliable fix, and the only one for SharePoint 2016/2019. Verify the build explicitly -- the CVE was missing from the May summary.
- If you cannot patch within hours: enable AMSI Full Mode ($webApp.AMSIBodyScanMode = 2; $webApp.Update(); iisreset) as an interim control. Note that request-body scanning only exists on Subscription Edition 25H1+, so AMSI is weaker on 2016/2019 -- not a substitute for the patch.
- If you were exposed and unpatched during late June-July 2026, assume MachineKey theft: rotate the ASP.NET MachineKeys and iisreset across every server in the farm, then hunt for webshells and rogue IIS modules. Patching alone does not evict an attacker who already stole your keys.
- Reduce the auth surface: review who holds Site Member/contributor rights on internet-facing farms, enforce MFA, and restrict external access while you patch.
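The interim AMSI step above applied farm-wide, as an added example that is neither the advisory's nor Microsoft's code. It assumes the SharePoint Management Shell on a farm server with farm-admin rights, and it relies on the AMSIBodyScanMode property and value 2 exactly as quoted in the list above.

```powershell
# Added example, not from the advisory or Microsoft: set AMSI Full Mode on every
# web application in the farm, skipping builds that lack request-body scanning.
# Assumes the SharePoint Management Shell on a farm server, run as farm admin.
function Enable-AmsiFullModeFarmWide {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        # AMSIBodyScanMode only exists on Subscription Edition 25H1+. On 2016/2019
        # there is nothing to set, which is why the advisory says patch instead.
        if (-not $webApp.PSObject.Properties['AMSIBodyScanMode']) {
            Write-Warning "$($webApp.Url): no request-body scanning on this build; patch is the only control"
            continue
        }
        if ($webApp.AMSIBodyScanMode -eq 2) {
            Write-Verbose "$($webApp.Url): already in Full Mode"
            continue
        }
        # Value 2 is Full Mode per the advisory's own command; -WhatIf shows the change first.
        if ($PSCmdlet.ShouldProcess($webApp.Url, "AMSIBodyScanMode $($webApp.AMSIBodyScanMode) -> 2")) {
            $webApp.AMSIBodyScanMode = 2
            $webApp.Update()
        }
    }
    # The setting is picked up on worker start: recycle IIS here, then on every other WFE.
    iisreset
}

Enable-AmsiFullModeFarmWide -Verbose
```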
FAQ
Is CVE-2026-45659 being exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on 1 July 2026 citing evidence of active exploitation, but published no attack details, and there were no public in-the-wild reports before the listing.
Does it need authentication?
Yes. The attacker needs valid SharePoint credentials with at least Site Member (contributor) permissions (CVSS PR:L) before the crafted object can be sent; it is not an unauthenticated bug.
Which versions are affected?
On-prem SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition below the fixed builds in the table above. SharePoint Online in Microsoft 365 is not affected.
Is there a public exploit?
No. As of 5 July 2026 there is no public PoC and no Nuclei template; the GitHub repositories advertising a 'PoC' are tinyurl-download scam lures carrying malware.
It is not ransomware and EPSS is low -- can I wait?
No. The ~3.2% EPSS reflects the authentication gate and the absence of a public PoC, not safety: CISA has confirmed exploitation, the federal deadline has already elapsed, and SharePoint has a history as a ransomware on-ramp.
Is this the same as the 2025 ToolShell attacks?
No. ToolShell was an unauthenticated chain; this flaw needs a login. The post-exploitation tradecraft (LAYOUTS webshells, MachineKey theft) and the response playbook overlap, which is why the 2025 detections and Microsoft's ToolShell guidance are reused here.
Sources
- Microsoft MSRC -- CVE-2026-45659 Update Guide
- NVD -- CVE-2026-45659
- CISA Known Exploited Vulnerabilities Catalog
- Help Net Security -- High-severity SharePoint RCE patched (CVE-2026-45659)
- BleepingComputer -- CISA: Microsoft SharePoint RCE flaw now actively exploited
- SecurityWeek -- CISA warns of actively exploited Microsoft SharePoint vulnerability
- The Register -- Microsoft said exploitation was less likely; CISA added it to KEV
- Computer Weekly -- US cyber agency warns over 'forgotten' SharePoint flaw
- SOCRadar -- CISA flags SharePoint RCE (CVE-2026-45659) for active exploitation
- Microsoft -- Customer guidance for SharePoint vulnerability CVE-2025-53770 (MachineKey / AMSI IR prior art)
- SigmaHQ -- SharePoint webshell detection rules (PR #5537)