top of page

SharePoint RCE Under Active Attack: What CVE-2026-45659 Means for On-Premises Servers

  • Jul 8
  • 3 min read
SharePoint server infrastructure


CISA has confirmed that attackers are exploiting a remote code execution flaw in Microsoft SharePoint Server, and it has told United States federal agencies to patch by 4 July. The bug, CVE-2026-45659, carries a CVSS score of 8.8 and needs nothing more than a low-privileged account to work. For any Australian organisation still running SharePoint on-premises, that deadline is worth watching just as closely.


What Happened


On 1 July, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue after confirming the flaw was under active attack. The vulnerability comes from deserialisation of untrusted data and affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. Microsoft issued a fix back in May, and any authenticated user with Site Member permissions can trigger code execution over the network, with no administrative rights required. Microsoft had rated exploitation as "less likely" — an assessment that events have now overtaken.


Why It Matters


SharePoint sits at the centre of document management, intranets and collaboration for thousands of Australian businesses and government departments. A low bar for exploitation means a single compromised staff account, or one stolen set of credentials, can hand an attacker code execution on a server that often holds sensitive corporate records. The platform has a track record as a target: Microsoft has linked earlier SharePoint intrusions to Storm-2603, the group behind Warlock ransomware.


What may appear to be a single ransomware incident can quickly expand into something more complex, spanning organisations, blending tactics, and even involving multiple threat actors operating in parallel. (Microsoft Incident Response)


What Security Teams Should Do Now


  • Apply Microsoft's May 2026 SharePoint updates now if you have not already, and treat the 4 July federal deadline as your own.

  • Inventory every on-premises SharePoint instance, including forgotten test or project servers that fall outside routine patching.

  • Review SharePoint logs for unusual activity from low-privileged accounts and any sign of unexpected code execution.

  • Reset credentials and enforce multi-factor authentication to raise the cost of the authenticated access this flaw depends on.

  • Look for the persistence techniques seen in recent SharePoint cases: new local or domain admin accounts, Cloudflare tunnels, and remote access tools such as Zoho Assist.

  • Confirm your endpoint protection has not been tampered with, as attackers have used vulnerable drivers to blind security tooling.


Aurian's Take


The pattern here is familiar. A vendor patches a flaw, rates the chance of exploitation as low, and within weeks attackers prove that rating wrong. The gap between a patch being available and a patch being applied is where most of the damage happens, and internet-facing collaboration platforms sit right in that gap. Microsoft's own investigation of a recent SharePoint case found two separate attackers inside the same network at once, both using legitimate administration tools to stay hidden. On-premises infrastructure remains a rewarding target, and it is often the least watched part of the estate.


Regular penetration testing surfaces this kind of exposure before an attacker does. A security assessment that maps your external and internal attack surface will flag unpatched SharePoint servers, weak account permissions and the credential paths that turn a minor foothold into remote code execution. At Aurian, we see the same weak points again and again: forgotten servers, over-privileged accounts, and patch cycles that lag behind the threat. Testing on a schedule, rather than after an incident, keeps that window short.


CVE-2026-45659 will not be the last SharePoint flaw to move from "less likely" to actively exploited, and the organisations that fare best are the ones that already know where they are exposed.


To find out how Aurian can help your organisation assess its exposure, get in touch



Comments


Contact us to discuss your cybersecurity requirements and learn how our tailored solutions can enhance your organisation's defense against evolving cyber threats.

Connect With Us

  • LinkedIn
  • Facebook
  • X

© 2026 Aurian Security Pty Ltd.

All rights reserved.

bottom of page