TL;DR: On July 1, 2026, CISA added Microsoft SharePoint Server CVE-2026-45659 to the Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation. The flaw (CVSS 8.8) is a deserialization-of-untrusted-data remote code execution bug affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft shipped patches in May 2026 Patch Tuesday, but any authenticated user with Site Member privileges can trigger RCE. Federal Civilian Executive Branch agencies must patch by July 4, 2026. For NC SMBs still running on-prem SharePoint, this is a P0 hardening event — patch, rotate MachineKeys, enable AMSI integration, and hunt for existing web shells before the long weekend.
Key takeaway: SharePoint sits at the intersection of identity, email, and file access. A single compromised SharePoint farm gives attackers Kerberos tickets, service account credentials, and a launchpad into every connected system. Every day past the May 2026 patch window is dwell time you gave the adversary.
Is your on-prem SharePoint farm patched and hunted? Contact Preferred Data Corporation for a same-week SharePoint hardening review. BBB A+ rated. On-site within 200 miles of High Point. Call (336) 886-3282.
What Is CVE-2026-45659 and Why Did CISA Add It to KEV on July 1, 2026?
CVE-2026-45659 is a CVSS 8.8 remote code execution vulnerability in Microsoft SharePoint Server caused by unsafe deserialization of untrusted data. CISA added it to the Known Exploited Vulnerabilities catalog on July 1, 2026 after The Hacker News, SecurityWeek, and multiple threat-intelligence vendors reported active exploitation against on-prem SharePoint deployments. The FCEB remediation deadline is July 4, 2026, which effectively means "before the long weekend."
Three technical characteristics make this vulnerability especially dangerous for NC SMBs:
- Low privilege required. Any authenticated user with Site Member permissions can trigger the RCE. Attackers only need one compromised user credential (harvested via phishing, credential stuffing, or an earlier breach) to weaponize the flaw.
- Network vector. The exploit is network-based, not local — a remote attacker with valid credentials or a session token can pivot from a compromised endpoint to full SharePoint farm compromise.
- Deserialization class. This is the same class of flaw that has repeatedly given attackers post-auth code execution on SharePoint (see the ToolShell chain and the July 2025 ToolShell weaponization). Detection based on patch-level alone is insufficient — attackers can survive a patch if MachineKeys are not rotated.
Microsoft patched the flaw in May 2026 Patch Tuesday for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Deployments on older or unsupported SharePoint versions have no patch and require compensating controls or migration.
Key takeaway: Any NC SMB running on-prem SharePoint that has not applied the May 2026 patches — plus MachineKey rotation and AMSI integration — is running an unmitigated CISA-KEV vulnerability with confirmed active exploitation.
Why Are On-Prem SharePoint Farms Still a Common SMB Target in 2026?
Despite the Microsoft 365 migration wave, NC SMBs — particularly manufacturers, construction firms, and professional-services offices with document-heavy workflows — still run on-prem SharePoint farms for regulated document control, integration with legacy line-of-business apps, and long-lived internal portals. Verizon's 2026 DBIR and Sophos's 2026 State of Ransomware both flag on-prem collaboration servers (SharePoint, Exchange, on-prem File Servers) as the top external-facing attack surface for mid-market victims.
The reasons on-prem SharePoint persists in NC SMB fleets:
- Regulated document workflows. ITAR, CMMC, and HIPAA-adjacent workflows sometimes rely on on-prem SharePoint for records custody.
- Legacy line-of-business integrations. SharePoint often front-ends legacy ERP, PLM, and CAD systems.
- Bespoke sites and web parts. Custom SharePoint code and web parts do not always migrate cleanly to SharePoint Online.
- Cost of migration. Full SharePoint Online migration is a 3-9 month project for a mid-sized farm and often gets deferred.
Every one of those reasons is a business reason, not a security reason. The security reality is that on-prem SharePoint has been on the CISA KEV list six times since 2023, and each entry has been actively exploited within days of disclosure. The May 2026 patch shipped seven weeks ago; the July 4 FCEB deadline is a floor, not a ceiling.
What Should NC SMBs Do in the 72 Hours Before July 4, 2026?
The pre-holiday SharePoint hardening playbook runs Wednesday through Friday. Every step is executable inside a single maintenance window and none require new spending.
Wednesday priorities:
- Patch to the May 2026 baseline. Confirm every SharePoint front-end and application server is at the May 2026 CU/security update. Reboot after patch.
- Rotate MachineKeys. Deserialization RCEs frequently persist through the patch if MachineKeys are stolen pre-patch. Run `Update-SPMachineKey` (Subscription Edition) or the equivalent rotation for 2019/2016 farms.
- Rotate managed accounts and farm account credentials. Assume compromise for any farm that was internet-facing between May 2026 and today.
Thursday priorities:
- Enable AMSI integration. SharePoint Server 2016/2019 and Subscription Edition support Antimalware Scan Interface integration; enable it and confirm your EDR/AV recognizes AMSI callbacks.
- Restrict SharePoint internet exposure. Any SharePoint site that does not need external access should be firewalled off or fronted by a reverse proxy with MFA enforcement (Cloudflare Access, Entra Application Proxy, Azure AD App Proxy).
- Enforce MFA on every SharePoint-authenticating identity. Phishing-resistant MFA (FIDO2 / passkeys) for admin accounts. TOTP or push-with-number-matching at minimum for all users.
Friday priorities:
- Hunt for existing web shells. Review `\LAYOUTS\` directories, `_vti_bin`, and every custom application page for suspicious ASPX. Look for anomalous `w3wp.exe` child processes (cmd, powershell, certutil, curl).
- Review IIS logs. Look for POST requests to unusual `_layouts` or `_vti_bin` paths, especially with `.aspx` or `.ashx` extensions and short response times followed by long-running child processes.
- Snapshot backups. Take a clean pre-holiday backup with immutability. Confirm restoration works before the weekend, not during an incident.
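The Wednesday and Thursday steps above, as an added PowerShell example (not Preferred Data's or Microsoft's code): it verifies the farm is at the May 2026 build on every server, confirms an AMSI provider is registered so SharePoint's AMSI calls have something to scan them, and only then rotates MachineKeys. It assumes SharePoint Server Subscription Edition and an elevated SharePoint Management Shell run by a farm administrator; the `Set-SPMachineKey` / `Update-SPMachineKey` pairing and the `$MayBaselineBuild` value are assumptions to confirm against your build's documentation (the page does not give the May 2026 build number, so the placeholder below is not the real one). On 2019/2016 farms the rotation step is done through the Central Administration timer job instead, and the SharePoint-side AMSI toggle itself is enabled in Central Administration as the step describes.

```powershell
# Added example, not Preferred Data's or Microsoft's code. Assumes SharePoint Server
# Subscription Edition in an elevated SharePoint Management Shell (farm administrator).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: the farm build number that corresponds to the May 2026 security update.
# The page does not state it; take it from Microsoft's update KB before running.
$MayBaselineBuild = [version]'16.0.0.0'

function Test-SPPatchBaseline {
    # A farm is only "patched" when the binaries are installed AND PSConfig has run on every
    # server, so check both the farm build and each server's NeedsUpgrade flag.
    param([version]$MinimumBuild = $MayBaselineBuild)
    $farm    = Get-SPFarm
    $pending = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' -and $_.NeedsUpgrade } |
               Select-Object -ExpandProperty Name
    [pscustomobject]@{
        FarmBuild              = $farm.BuildVersion
        RequiredBuild          = $MinimumBuild
        AtBaseline             = ($farm.BuildVersion -ge $MinimumBuild) -and (@($pending).Count -eq 0)
        ServersNeedingPSConfig = @($pending)
    }
}

function Invoke-SPMachineKeyRotation {
    # Generates fresh MachineKeys for every web application and deploys them to all servers.
    # Assumption: Set-SPMachineKey generates the keys and Update-SPMachineKey pushes them out,
    # as documented for Subscription Edition; confirm with Get-Help on your build first.
    param([switch]$IncludeCentralAdmin)
    $apps = if ($IncludeCentralAdmin) { Get-SPWebApplication -IncludeCentralAdministration } else { Get-SPWebApplication }
    foreach ($wa in $apps) {
        Set-SPMachineKey    -WebApplication $wa
        Update-SPMachineKey -WebApplication $wa
        [pscustomobject]@{ WebApplication = $wa.Url; Rotated = (Get-Date) }
    }
}

function Test-AmsiProviderRegistered {
    # SharePoint's AMSI integration only helps if an AMSI provider (your AV/EDR) is registered
    # on the server; providers appear as CLSID subkeys under this well-known registry key.
    $key   = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $clsid = Get-ChildItem $key -ErrorAction SilentlyContinue | Select-Object -ExpandProperty PSChildName
    $names = foreach ($id in $clsid) {
        (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$id" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        ProviderCount = @($clsid).Count
        Providers     = @($names)
        AmsiCapable   = (@($clsid).Count -gt 0)
    }
}

# Run the checks first; only rotate once the farm is confirmed at the May baseline,
# otherwise the new keys are generated on still-vulnerable servers.
$patch = Test-SPPatchBaseline
$patch
Test-AmsiProviderRegistered
if ($patch.AtBaseline) { Invoke-SPMachineKeyRotation -IncludeCentralAdmin }
else { Write-Warning 'Farm is not at the May 2026 baseline; patch and run PSConfig on every server before rotating keys.' }
```

Run `Test-AmsiProviderRegistered` on every front-end and application server, not just one: AMSI providers are registered per machine, and a server your EDR agent missed will report `AmsiCapable = False` even after the SharePoint-side setting is turned on.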
| Priority | Action | Time to Complete |
|---|---|---|
| P0 | Apply May 2026 SharePoint CU | 2-4 hours per farm |
| P0 | Rotate MachineKeys | 1 hour per farm |
| P0 | Enable AMSI on all SharePoint servers | 30 minutes per server |
| P1 | Enforce phishing-resistant MFA on admins | 4-8 hours |
| P1 | Hunt for web shells and IIS anomalies | 4-8 hours |
| P2 | Firewall off external SharePoint | Ongoing |
Explore Preferred Data's cybersecurity services
What Are the Signs Your SharePoint Farm Is Already Compromised?
Deserialization RCE compromises tend to leave a consistent forensic fingerprint. Any NC SMB running on-prem SharePoint should run this hunt before the July 4 weekend, whether or not the farm appears healthy.
High-confidence indicators of compromise:
- New `.aspx` files under `\LAYOUTS\` or `\_vti_bin\` — especially recently created files with obfuscated names.
- `w3wp.exe` spawning `cmd.exe`, `powershell.exe`, `mshta.exe`, `wscript.exe` — web app worker processes should not launch script interpreters.
- Outbound connections from SharePoint servers to unusual IPs — especially to bulletproof-hosting ASNs, Tor, or unfamiliar cloud provider IPs.
- Anomalous scheduled tasks or WMI event subscriptions on SharePoint servers.
- Unexplained new local admin accounts on any SharePoint tier.
- MachineKey entries in the IIS `applicationHost.config` or `web.config` files that do not match the last known-good configuration.
Lower-confidence but worth reviewing:
- Failed authentication spikes against SharePoint federated accounts.
- New OAuth applications registered in Entra ID with SharePoint permissions.
- Elevated Kerberos ticket-granting requests from SharePoint service accounts.
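The Friday hunt steps and the high-confidence indicators above, as one added PowerShell example (not Preferred Data's or Microsoft's code): it lists server pages dropped or modified under the on-disk roots behind `/_layouts/` and `/_vti_bin/`, script interpreters parented by `w3wp.exe`, POSTs to `.aspx`/`.ashx` under those paths in W3C-format IIS logs, and WMI subscriptions or new non-Microsoft scheduled tasks. The hive path, the `$Since` date, the interpreter list and the content patterns are assumptions to adjust for your farm; the IIS log lines at the bottom are constructed so the parser can be exercised offline, and the other functions need to run on the server itself.

```powershell
# Added example, not Preferred Data's or Microsoft's code. Run in an elevated PowerShell
# on each SharePoint server. Dates, paths and patterns are assumptions; adjust for your farm.

# On-disk roots behind the /_layouts/ and /_vti_bin/ virtual paths (16 hive: 2016/2019/SE).
$Hive        = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16"
$HuntRoots   = @("$Hive\TEMPLATE\LAYOUTS", "$Hive\ISAPI")
$Since       = Get-Date '2026-05-01'   # assumed start of the exposure window; set your own
$ScriptHosts = 'cmd.exe','powershell.exe','pwsh.exe','mshta.exe','wscript.exe','cscript.exe','certutil.exe','curl.exe'

function Find-NewServerPages {
    # Server pages created or modified since the window opened; flag those whose source calls
    # into the OS or evaluates request input, the usual shape of a web shell.
    param([string[]]$Roots = $HuntRoots, [datetime]$SinceDate = $Since)
    Get-ChildItem -Path $Roots -Recurse -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $SinceDate -or $_.LastWriteTime -ge $SinceDate } |
        ForEach-Object {
            $hit = Select-String -Path $_.FullName -Pattern 'Process\.Start|System\.Diagnostics|Request\[|Request\.Form|eval\(' -Quiet
            [pscustomobject]@{ Path = $_.FullName; Created = $_.CreationTime; Modified = $_.LastWriteTime; LooksLikeShell = [bool]$hit }
        }
}

function Get-W3wpChildProcesses {
    # Worker processes should never parent a script interpreter or download tool.
    $procs  = Get-CimInstance Win32_Process
    $w3wpId = @($procs | Where-Object Name -eq 'w3wp.exe' | Select-Object -ExpandProperty ProcessId)
    $procs | Where-Object { $_.ParentProcessId -in $w3wpId -and $_.Name -in $ScriptHosts } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
}

function Find-SuspiciousIisRequests {
    # Parses W3C-format IIS log lines, taking column positions from the #Fields header, and
    # returns POSTs to /_layouts/ or /_vti_bin/ whose target ends in .aspx or .ashx.
    param([Parameter(Mandatory)][string[]]$Lines)
    $idx = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            $idx = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $idx[$fields[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or -not $idx.ContainsKey('cs-uri-stem')) { continue }
        $col  = $line -split '\s+'
        $stem = $col[$idx['cs-uri-stem']]
        if ($col[$idx['cs-method']] -eq 'POST' -and $stem -match '(?i)/_(layouts|vti_bin)/.*\.(aspx|ashx)$') {
            [pscustomobject]@{
                Time        = "$($col[$idx['date']]) $($col[$idx['time']])"
                Client      = $col[$idx['c-ip']]
                User        = $col[$idx['cs-username']]
                Stem        = $stem
                Status      = $col[$idx['sc-status']]
                TimeTakenMs = $col[$idx['time-taken']]
            }
        }
    }
}

function Get-PersistenceArtifacts {
    # WMI event subscriptions and non-Microsoft scheduled tasks registered since the window opened.
    $wmi = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
        Select-Object Name, Query
    $tasks = Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' -and $_.Date -and ([datetime]$_.Date) -ge $Since } |
        Select-Object TaskName, TaskPath, Author, Date
    [pscustomobject]@{ WmiFilters = @($wmi); NewTasks = @($tasks) }
}

# Constructed sample log lines (not from a real server) so the parser can be exercised offline.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken',
    '2026-06-30 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.40 Mozilla/5.0 200 120',
    '2026-06-30 02:14:09 10.0.0.5 POST /_layouts/15/x9k2.aspx - 443 - 203.0.113.77 Mozilla/5.0 200 31',
    '2026-06-30 02:15:22 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\jdoe 10.0.0.40 Mozilla/5.0 200 88'
)

Find-SuspiciousIisRequests -Lines $SampleLog | Format-Table   # only the anonymous POST to x9k2.aspx is returned
Find-NewServerPages        | Format-Table
Get-W3wpChildProcesses     | Format-Table
Get-PersistenceArtifacts
```

For the live run, feed `Find-SuspiciousIisRequests` with `Get-Content` over `C:\inetpub\logs\LogFiles\W3SVC*\*.log` (or wherever your sites log) and sort the hits by client address: an unauthenticated POST to a page name that appears nowhere in your deployed solutions is the single strongest signal in this set, and the `TimeTakenMs` column lets you spot the short-response-then-long-child-process pattern the Friday step describes.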
If any of these indicators are present, treat it as an active incident. Contain the affected servers, preserve memory and disk artifacts, engage counsel and insurance, and escalate to a 24/7 incident response provider immediately.
If you find IoCs on your farm, call Preferred Data at (336) 886-3282 for expedited incident response.
How Does This CVE Connect to the Broader 2026 Threat Pattern?
CVE-2026-45659 fits a consistent 2026 pattern of authenticated-only-but-widely-abused vulnerabilities. The May 2026 SharePoint fix landed in the same window as the record-breaking June 2026 Patch Tuesday (206 CVEs, 39 Critical) and the Kemp LoadMaster CVE-2026-8037 (CVSS 9.8, pre-auth root RCE). Attackers are increasingly chaining a low-friction credential compromise (device-code phishing, MFA bombing, or a token replay) with an "authenticated-only" RCE like CVE-2026-45659 to convert a stolen password into full domain compromise.
Three connected 2026 trends every NC SMB should track:
- CISA KEV additions are accelerating. The catalog surpassed 1,313 entries by June 2026, with multiple additions per week. BOD 22-01 patch deadlines are the floor, not the ceiling.
- Authenticated-only RCEs are the new normal. Attackers assume they will have a valid credential. Design for post-credential-compromise resilience.
- Deserialization flaws persist through patching without secret rotation. MachineKey, JWT signing key, and cookie signing key rotation are as important as the patch itself.
For NC manufacturers, construction firms, healthcare providers, and professional-services offices in the Piedmont Triad, Charlotte, Raleigh, Greensboro, and beyond, the SharePoint hardening plan is not a one-time patch. It is a quarterly cadence of patch, rotate, hunt, and review.
Learn about Preferred Data's managed IT services
Should NC SMBs Retire On-Prem SharePoint Entirely?
For most NC SMBs, migrating to SharePoint Online (Microsoft 365) is the correct long-term posture. Microsoft-managed patching, built-in AMSI integration, per-tenant threat intelligence, and continuous authentication controls eliminate the entire class of "authenticated-only RCE" risk that on-prem SharePoint carries.
When on-prem SharePoint retirement is the right answer:
- Farm size under 500 users with document libraries that fit under the Microsoft 365 per-user storage limits.
- No custom farm-solutions or full-trust code that requires the on-prem web-part model.
- No line-of-business integrations that require on-prem SharePoint APIs.
- Regulated workflows compatible with Microsoft 365 sovereignty controls (Government Community Cloud, sensitivity labels, Purview).
When on-prem SharePoint should stay for now:
- ITAR / CUI workflows requiring US-sovereign, air-gapped, or GCC-High workloads that are not yet fully migrated.
- Deep line-of-business integration (ERP, PLM, CAD) that only speaks to on-prem SharePoint APIs.
- Multi-year migration underway — the migration is happening, just not this quarter.
Whichever path applies, the July 2026 hardening actions are the same: patch, rotate MachineKeys, enable AMSI, enforce MFA, hunt for web shells. A farm that is retiring in Q1 2027 still needs to survive Q3 2026.
Ready to plan your SharePoint migration or on-prem hardening? Call (336) 886-3282 or schedule a consultation.
How Does Preferred Data Deliver SharePoint Defense for NC SMBs?
Preferred Data Corporation provides on-prem SharePoint hardening, migration planning to Microsoft 365, managed detection and response for on-prem collaboration servers, and expedited incident response for NC manufacturers, construction firms, healthcare providers, professional-services offices, and financial institutions. With 37+ years of North Carolina IT expertise and an average client retention of 20+ years, our SharePoint defense process integrates with your existing patching cadence, backup strategy, and identity controls.
Our CVE-2026-45659 emergency response package includes patch verification across every SharePoint tier, MachineKey and managed-account rotation, AMSI integration validation, web-shell and IIS-log hunting, MFA enforcement on privileged accounts, and 24/7 monitored SOC coverage through the July 4 weekend.
For businesses within 200 miles of High Point, we deliver on-site response when the situation demands hands-on-keyboard forensics and remediation.
Review our cybersecurity checklist
Frequently Asked Questions
When did CISA add CVE-2026-45659 to the KEV catalog?
CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on July 1, 2026, citing evidence of active exploitation. The FCEB remediation deadline is July 4, 2026 under BOD 22-01. Private organizations should treat the FCEB deadline as the floor.
Does patching alone remediate CVE-2026-45659?
No. Deserialization RCE compromises can persist through patching if attackers stole MachineKeys or ViewState signing material before you patched. Rotate MachineKeys, managed accounts, and any secrets referenced in web.config after applying the May 2026 CU.
What SharePoint versions are affected?
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online (Microsoft 365) is not affected — Microsoft manages patching for tenant-hosted SharePoint.
How much SharePoint privilege does an attacker need to exploit this?
Any authenticated Site Member is sufficient. This is a low bar and effectively means "anyone with valid credentials in the SharePoint identity boundary." Attackers typically pair this with a device-code phishing or credential-stuffing campaign.
What is the difference between CVE-2026-45659 and the 2025 ToolShell chain?
The 2025 ToolShell chain (CVE-2025-53770 and related) was a pre-authentication RCE actively exploited against SharePoint globally. CVE-2026-45659 is an authenticated-only RCE: it needs a valid credential first, but once that credential is in hand it is functionally equivalent. Both classes require MachineKey rotation, not just patching.
Can Preferred Data patch our SharePoint farm this week?
Yes. Our SharePoint hardening engagement is a 24-48 hour turnaround for a typical mid-sized farm. Call (336) 886-3282 to start the engagement.
Is Microsoft 365 SharePoint Online affected?
No. Microsoft manages SharePoint Online patching at the tenant level. However, if your users can authenticate to both an on-prem farm and SharePoint Online with the same identity, an on-prem compromise can pivot into cloud SharePoint through credential theft or federated trust abuse.