CVE Tools

CVE-2026-45659: the 'forgotten' SharePoint deserialization RCE that CISA just flagged as exploited

An authenticated .NET deserialization bug in on-prem SharePoint -- patched in May, dropped from the summary, and in CISA KEV by July

The flaw lets an authenticated SharePoint user send a crafted, malicious object to the server and have it run code -- classic untrusted-data deserialization. It is not the unauthenticated 2025 "ToolShell" chain: here the attacker needs valid credentials with only Site Member (contributor) permissions before they can fire it. That single precondition is the difference between a wormable internet event and a serious post-credential problem -- and with SharePoint's history as a ransomware on-ramp, it is still one to close today.

What the flaw actually is

At its core this is a CWE-502 "deserialization of untrusted data" bug. On-prem SharePoint takes attacker-supplied data and deserializes it through a .NET path without properly validating the object graph, so a crafted payload can instantiate a gadget chain that ends in code execution as the SharePoint application-pool identity (w3wp.exe). It is the same class of wound that has hit ASP.NET and SharePoint before: untrusted input reaching a formatter (BinaryFormatter, LosFormatter/ObjectStateFormatter for ViewState, a DataSet deserializer), where the act of deserializing runs the gadget before any application logic does.

The exploitation chain

From a valid low-privilege login to code execution, a webshell, and stolen keys. The cheapest chokepoint is the patch itself -- it removes the unsafe deserialization path entirely; AMSI Full Mode is the interim brake, and the branch to MachineKey theft is why patching alone does not evict an attacker who already got in.

CVE-2026-45659 exploitation chain -- authenticated deserialization to RCE, webshell and MachineKey theft

  1. Authenticated SharePoint access (min. Site Member) — Precondition (PR:L). Insider, phished/sprayed account, or a chained access bug. **Prevent:** MFA, least-privilege on contributor roles, segment external access.
  2. Craft malicious serialized .NET object — A ysoserial.net-class gadget chain. Exact sink/endpoint undisclosed as of 5 Jul 2026 -- no public PoC exists.
  3. POST the payload to SharePoint over the network — AV:N, AC:L, UI:N. **Chokepoint:** AMSI Full Mode can block the malicious request body before it deserializes.
  4. Server deserializes untrusted data (CWE-502) — The act of deserializing triggers the gadget. **Prevent:** patching to the fixed build removes the unsafe path entirely.
  5. Code execution as w3wp.exe — RCE as the SharePoint app-pool identity. **Detect:** w3wp.exe spawning cmd/powershell/csc.
  6. Drop .aspx webshell in LAYOUTS — T1505.003 persistence. **Detect:** SigmaHQ file_event rule on LAYOUTS .aspx creation (spinstall*.aspx pattern).
  7. Steal ASP.NET MachineKeys -> forge ViewState — T1552 credential access. Enables re-entry AFTER patching. **Contain:** rotate MachineKeys + iisreset farm-wide.
  8. Persistence & lateral movement — Malicious IIS modules, scheduled tasks, credential reuse. Patch != eviction -- full IR required.
  9. Prevent: PATCH removes the sink — Cheapest, most reliable break: apply the fixed build (2016 >=16.0.5552.1002, 2019 >=16.0.10417.20128, SE >=16.0.19725.20280).
  10. Detect: w3wp spawns a shell / webshell drop — Deploy the SigmaHQ process + file rules; hunt w3wp.exe children and new LAYOUTS .aspx files.

Am I affected?

The bug affects on-prem SharePoint only -- SharePoint Online in Microsoft 365 is not affected. Do not trust your patch tracker: because the CVE was dropped from the May summary, verify the actual build. In the SharePoint Management Shell run (Get-SPFarm).BuildVersion and Get-SPProduct -Local; externally, any /_layouts/15/ request leaks the build in the MicrosoftSharePointTeamServices response header. If you already installed the May 2026 security/cumulative updates, Microsoft says no further action is needed for this flaw.

| Edition (on-prem) | Fixed build (>=) | KB (verify on MSRC) |
| --- | --- | --- |
| SharePoint Enterprise Server 2016 | 16.0.5552.1002 | KB5002868 |
| SharePoint Server 2019 | 16.0.10417.20128 | KB5002870 |
| SharePoint Server Subscription Edition | 16.0.19725.20280 | KB5002863 |
| SharePoint Online (Microsoft 365) | Not affected | -- |

| Axis | Value | What it means |
| --- | --- | --- |
| CVSS 3.1 | 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Network, low-complexity, but needs a login (PR:L) |
| EPSS | ~3.2% (about 87th pct) | Modest -- reflects the auth gate and no public PoC |
| CISA KEV | Listed 1 Jul 2026 (due 4 Jul) | Confirmed active exploitation; deadline already elapsed |
| Exploited in the wild | Yes -- per CISA KEV | CISA published no attack details; no reports before the listing |
| Public PoC | None (fake repos are malware) | The GitHub 'PoCs' are tinyurl-download scam lures |
| Ransomware use | Unknown / not confirmed | CISA marks ransomware use unknown for this CVE |
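A build-gate check for the verification step described above, added here as an example (not the blog's or Microsoft's tooling). It compares any 4-part build string, whether copied from (Get-SPFarm).BuildVersion or from the MicrosoftSharePointTeamServices header, against the fixed builds in the table; the rule that infers the edition from the third version component is an assumption, so pass the edition explicitly when you know it.

```python
"""Build-gate check for the fixed builds in the table above (added example, not
the blog's tooling). Inferring the edition from the third version component is
an assumption: 2016 builds sit below 16.0.10000, 2019 at 16.0.10xxx, SE above."""
import re
from typing import NamedTuple

# Fixed builds from the edition table above; verify the KBs on MSRC.
FIXED_BUILDS = {
    "2016": (16, 0, 5552, 1002),
    "2019": (16, 0, 10417, 20128),
    "SE": (16, 0, 19725, 20280),
}
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


class Verdict(NamedTuple):
    edition: str
    build: str
    patched: bool
    fixed_build: str


def parse_build(text: str) -> tuple:
    """Parse a dotted build such as (Get-SPFarm).BuildVersion output or the
    MicrosoftSharePointTeamServices header value into a comparable int tuple."""
    m = BUILD_RE.match(text)
    if not m:
        raise ValueError(f"not a 4-part build number: {text!r}")
    return tuple(int(p) for p in m.groups())


def infer_edition(build: tuple) -> str:
    """Edition from the third component (assumption stated in the docstring)."""
    if build[2] < 10000:
        return "2016"
    return "2019" if build[2] < 11000 else "SE"


def check_build(text: str, edition: str = "") -> Verdict:
    """Is the build at or above the fixed build for its edition? Tuple comparison
    orders numerically; a string compare would rank 16.0.5552.x above 16.0.10417.x."""
    build = parse_build(text)
    edition = edition or infer_edition(build)
    fixed = FIXED_BUILDS[edition]
    dotted = ".".join(map(str, build))
    return Verdict(edition, dotted, build >= fixed, ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed sample values, not real farm output.
    for sample in ("16.0.5500.1000", "16.0.10417.20128", "16.0.19700.20000"):
        v = check_build(sample)
        print(f"{v.edition:5}{v.build:18}patched={v.patched} (fixed >= {v.fixed_build})")
```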

Timeline

Patched in May, forgotten, then KEV-flagged in July

  1. Patch ships quietly
    Microsoft fixes the flaw in the May 2026 updates and rates it Exploitation Less Likely -- but the CVE is inadvertently omitted from the May Security Updates summary.
  2. Added to CISA KEV
    CISA cites evidence of active exploitation and sets a BOD 26-04 remediation deadline of 4 July 2026 (~3 days).
  3. Wide coverage
    SecurityWeek, The Register, The Hacker News and others report CISA reversing Microsoft's less likely assessment.
  4. Federal deadline (elapsed)
    The three-day FCEB patch deadline passes -- unpatched on-prem farms are out of compliance and in scope for exploitation.

Exploited in the wild -- what we do and don't know

The exploitation is KEV-implied, not richly documented. CISA's listing is authoritative confirmation that the bug is being used -- but the agency shared no attack details, and SecurityWeek notes there were no public in-the-wild reports before the warning. So the fact of exploitation is solid; the who and how are not public.

Detection & hunting

There is no Nuclei template or public scanner check for this CVE yet, and because exploitation is authenticated, an unauthenticated probe would only fingerprint the build anyway. So detection leans on the well-documented on-prem SharePoint deserialization-and-webshell tradecraft from the 2025 ToolShell response -- the same product and same CWE-502 class. Two high-value signals, followed by two supporting checks:

  • Webshells in LAYOUTS: unexpected .aspx (or .dll/.js) under ...\Web Server Extensions\15\TEMPLATE\LAYOUTS\ (SP2016) or \16\TEMPLATE\LAYOUTS\ (SP2019/SE). ToolShell used spinstall0.aspx and variants to dump MachineKey material.
  • IIS worker spawning a shell: w3wp.exe launching cmd.exe, powershell.exe (typically with -EncodedCommand) or csc.exe -- a healthy SharePoint worker essentially never does this. Sysmon EID 1 (ParentImage ends \w3wp.exe) plus EID 11 for the .aspx drop.
  • IIS logs: anomalous POSTs carrying serialized/ViewState payloads; audit loaded IIS modules (appcmd list modules) for fileless persistence.
  • Heuristic only (2025 ToolShell IoCs, not confirmed for this CVE): retro-hunt IPs 96.9.125.147 / 107.191.58.76 / 104.238.159.149 and C2 update.updatemicfosoft.com.
# SigmaHQ (verbatim, authored for CVE-2025-53770) - directly reusable for a
# SharePoint deserialization RCE: same webshell-in-LAYOUTS tradecraft.
title: Potential SharePoint Webshell Exploitation - File Create
id: ba479447-721f-42a9-9af2-6dcd517bbdb3
status: experimental
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|startswith:
      - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
      - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
    TargetFilename|contains:
      - '\15\TEMPLATE\LAYOUTS\'
      - '\16\TEMPLATE\LAYOUTS\'
    TargetFilename|endswith:
      - '\spinstall.aspx'
      - '\spinstall?.aspx'
      - '\debug_dev.js'
  condition: selection
level: critical
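The two signals from the bullet list, as hunt logic you can run over exported telemetry; this is an added example, not SigmaHQ's or Microsoft's code. The event dicts are constructed and Sysmon-shaped (EventID, ParentImage, Image, CommandLine, TargetFilename), which is an assumption about your pipeline's field names; the file check reproduces the Sigma selection above, and the process check is the w3wp.exe parent/child rule from the bullets.

```python
"""Hunt logic for the two signals above (added example, not SigmaHQ's code).
Event shape is a constructed Sysmon-like dict; field names are an assumption.
The file rule mirrors the Sigma selection above ('?' = one character)."""
import fnmatch

LAYOUTS_ROOTS = (
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
    "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\",
)
LAYOUTS_DIRS = ("\\15\\TEMPLATE\\LAYOUTS\\", "\\16\\TEMPLATE\\LAYOUTS\\")
WEBSHELL_NAMES = ("\\spinstall.aspx", "\\spinstall?.aspx", "\\debug_dev.js")
# Children a healthy w3wp.exe essentially never spawns (bullet list above);
# csc.exe can also appear in legitimate ASP.NET compilation, so baseline it.
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "csc.exe")


def matches_sigma_file_rule(path: str) -> bool:
    """Sigma-style startswith AND contains AND endswith, case-insensitive."""
    p = path.lower()
    return (any(p.startswith(r.lower()) for r in LAYOUTS_ROOTS)
            and any(d.lower() in p for d in LAYOUTS_DIRS)
            and any(fnmatch.fnmatchcase(p, "*" + n.lower()) for n in WEBSHELL_NAMES))


def hunt(events: list) -> list:
    """Return one alert string per event matching either signal."""
    alerts = []
    for e in events:
        if e.get("EventID") == 1:  # Sysmon process create
            child = e.get("Image", "").lower().rsplit("\\", 1)[-1]
            if e.get("ParentImage", "").lower().endswith("\\w3wp.exe") and child in SUSPICIOUS_CHILDREN:
                alerts.append(f"w3wp.exe spawned {child}: {e.get('CommandLine', '')}")
        elif e.get("EventID") == 11:  # Sysmon file create
            if matches_sigma_file_rule(e.get("TargetFilename", "")):
                alerts.append(f"webshell-pattern file in LAYOUTS: {e['TargetFilename']}")
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <constructed>"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "TargetFilename": LAYOUTS_ROOTS[0] + "16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"},
    {"EventID": 11, "TargetFilename": LAYOUTS_ROOTS[0] + "16\\TEMPLATE\\LAYOUTS\\default.aspx"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print("ALERT:", a)
```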

What to do now

  1. Patch to the fixed build for your edition (see the table above). It is the only reliable fix, and the only one for SharePoint 2016/2019. Verify the build explicitly -- the CVE was missing from the May summary.
  2. If you cannot patch within hours: enable AMSI Full Mode ($webApp.AMSIBodyScanMode = 2; $webApp.Update(); iisreset) as an interim control. Note request-body scanning only exists on Subscription Edition 25H1+, so AMSI is weaker on 2016/2019 -- not a substitute for the patch.
  3. If you were exposed and unpatched during late June-July 2026, assume MachineKey theft: rotate the ASP.NET MachineKeys and iisreset across every server in the farm, then hunt for webshells and rogue IIS modules. Patching alone does not evict an attacker who already stole your keys.
  4. Reduce the auth surface: review who holds Site Member/contributor rights on internet-facing farms, enforce MFA, and restrict external access while you patch.

FAQ

Is CVE-2026-45659 being exploited?
Yes -- CISA added it to the KEV catalog on 1 July 2026, which means it has evidence of active exploitation. CISA has not shared attack details, and there were no public in-the-wild reports before the listing.
Does it need authentication?
Yes. An attacker needs valid SharePoint credentials with a minimum of Site Member (contributor) permissions. That is a lower bar than admin, but it is not an unauthenticated internet-wide exploit like the 2025 ToolShell chain.
Which versions are affected?
On-prem SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition. SharePoint Online (Microsoft 365) is not affected. Fixed in the May 2026 updates.
Is there a public exploit?
No legitimate public PoC exists as of 5 July 2026. The GitHub repositories that appear for this CVE are scam/malware lures, not working exploits -- do not run them.
It is not ransomware and EPSS is low -- can I wait?
No. It is in KEV (confirmed exploitation), the federal deadline has passed, over 10,000 SharePoint servers are exposed online, and a deserialization RCE hands attackers persistence via stolen keys. Patch on-prem farms now.
Is this the same as the 2025 ToolShell attacks?
No. ToolShell (CVE-2025-49704/49706/53770/53771) was an unauthenticated chain. CVE-2026-45659 is a distinct, authenticated deserialization bug -- though the detection and incident-response playbook (webshell hunting, MachineKey rotation) carries over directly.
