Microsoft SharePoint Server is back on the front line. On July 1, 2026, CISA added CVE-2026-45659 — a deserialization-of-untrusted-data flaw enabling remote code execution — to its Known Exploited Vulnerabilities (KEV) catalog and gave federal civilian agencies an unusually aggressive deadline: patch by July 4. Three days, over a holiday weekend. The standard KEV remediation window is three weeks. When CISA compresses it to three days, it’s telling you what its incident-response teams are already seeing.

What they’re seeing, according to multiple threat intelligence reports, is exploitation connected to Warlock ransomware and the China-linked operator Microsoft tracks as Storm-2603 — the same pairing that turned 2025’s ToolShell SharePoint crisis into a global ransomware event.

The Bug: Trusted Reconstruction of Untrusted Data

CVE-2026-45659 carries a CVSS score of 8.8 and is a classic .NET deserialization flaw. SharePoint accepts serialized objects from a request and reconstructs them without adequately validating what it is rebuilding. An attacker who sends a specially crafted serialized payload gets SharePoint to reconstruct — and execute — attacker-controlled code inside the SharePoint worker process, w3wp.exe, running under the application pool’s service identity.

The catch, and the reason Microsoft initially soft-pedaled the bug: exploitation requires authentication. But the bar is low. An attacker needs only Site Member permissions — the baseline access level handed out to virtually every user of a SharePoint site — with no elevated privileges. In any real enterprise, that means one phished employee, one credential from an infostealer log, or one purchase from an initial access broker puts an attacker past the “authenticated” requirement. Researchers assess the attack requires no prior knowledge of the target system and achieves repeatable success against vulnerable components.

From w3wp.exe, the follow-on playbook is well-rehearsed: drop a web shell, steal the ASP.NET machine keys, mint forged ViewState payloads that survive patching, and pivot into Active Directory.

”Less Likely to Be Exploited”

The timeline is an uncomfortable one for defenders who rely on vendor severity triage:

  • May 2026 — Microsoft patches CVE-2026-45659 in its monthly security updates, rating it “Exploitation Less Likely” under its own exploitability index.
  • June 2026 — Exploitation begins in the wild against unpatched SharePoint servers.
  • July 1, 2026 — CISA adds the flaw to the KEV catalog, citing active exploitation, and sets a three-day remediation deadline.

Six weeks separated “less likely to be exploited” from a federal emergency directive-grade deadline. Organizations that deprioritized the May patch because of that label — a rational-seeming triage decision at the time — spent June exposed. It’s a recurring failure mode: exploitability predictions age badly the moment a deserialization gadget chain goes public, and SharePoint gadget research has been a cottage industry since ToolShell.

The Warlock Connection

Reports tying exploitation to Warlock ransomware and Storm-2603 should get particular attention, because this exact combination has history. In July 2025, the ToolShell zero-day chain (CVE-2025-53770/53771) was exploited by Chinese state-aligned groups — Linen Typhoon, Violet Typhoon, and Storm-2603 — against hundreds of organizations, and Storm-2603 used that access to deploy Warlock ransomware inside government agencies, universities, and critical infrastructure operators. We covered that crisis in depth in ToolShell Unleashed and in our post-mortem of the MAPP leak investigation that followed.

The pattern repeating in 2026 is not a coincidence; it’s a business model. On-premises SharePoint concentrates exactly what extortion crews want — file shares, legal documents, HR records, engineering data — behind a product line Microsoft has publicly deprioritized in favor of SharePoint Online. The servers still running on-prem in 2026 are disproportionately the ones that can’t easily migrate: government, defense-adjacent contractors, healthcare, and heavily regulated industries. That’s a target-rich population with a shrinking maintenance culture.

Who Is Exposed

CVE-2026-45659 affects supported on-premises SharePoint Server builds (SharePoint Online in Microsoft 365 is not affected). The at-risk population is any organization that:

  • Runs SharePoint Server reachable from the internet or from a flat internal network;
  • Did not apply the May 2026 cumulative updates;
  • Grants Site Member access broadly — which is nearly everyone.

The authentication requirement means internet-wide mass exploitation is slower than a pre-auth bug, but it does almost nothing to stop targeted intrusion. Ransomware affiliates already sit on enormous pools of valid enterprise credentials from infostealer markets and prior breaches.

What to Do Now

  • Patch immediately. Apply the May 2026 (or later) SharePoint Server security updates. If federal deadlines are three days, private-sector deadlines shouldn’t be three months.
  • Rotate machine keys after patching. Post-ToolShell playbooks apply here: if there is any chance of prior compromise, rotate the ASP.NET ValidationKey/DecryptionKey and restart IIS, or forged ViewState persistence survives the patch.
  • Hunt, don’t just patch. Review IIS logs for anomalous POST requests to SharePoint endpoints, unexpected child processes of w3wp.exe (cmd.exe, powershell.exe), and newly created .aspx files in LAYOUTS directories.
  • Audit Site Member sprawl. The exploit’s only prerequisite is the permission level most organizations hand out by default. Least privilege on SharePoint sites is now an exploit-surface reduction, not a governance nicety.
  • Reconsider the on-prem footprint. If a SharePoint server exists because nobody owned the migration, it is accumulating risk faster than value.

The Bigger Lesson

SharePoint has now produced back-to-back summer ransomware crises — ToolShell in 2025, CVE-2026-45659 in 2026 — and both followed the same arc: a patch exists, triage labels dampen urgency, exploitation industrializes, and CISA is left compressing remediation windows to days. The KEV catalog is doing its job. The question for defenders is whether “Exploitation Less Likely” should ever again be allowed to downgrade a deserialization RCE in a crown-jewel collaboration platform. On the evidence of two consecutive years: no.

Sources