SharePoint Server CVE-2026-45659: Patch the New CISA KEV RCE

Patch Microsoft SharePoint Server CVE-2026-45659 after CISA added it to KEV; back up the farm, patch, run config, and verify health.
SharePoint Server CVE-2026-45659 CISA KEV patch guide for SharePoint Subscription Edition, 2019, and 2016

Update for July 1, 2026: CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog for Microsoft SharePoint Server. Microsoft published the SharePoint update in May, but the KEV addition changes the priority: exposed or business-critical SharePoint farms should move this from normal patch queue to urgent maintenance planning.

Microsoft describes CVE-2026-45659 as a SharePoint remote code execution vulnerability caused by deserialization of untrusted data. The MSRC entry lists a CVSS 3.1 base score of 8.8, low attack complexity, low privileges required, and no user interaction. In plain English: a compromised or low-privilege SharePoint account can become much more dangerous on an unpatched farm.

Who should act now

This is for organizations running on-premises SharePoint Server, especially farms exposed to partners, vendors, customers, VPN users, remote workers, or broad internal audiences. Microsoft lists the following affected products and security updates:

  • Microsoft SharePoint Server Subscription Edition: KB5002863, fixed build 16.0.19725.20280.
  • Microsoft SharePoint Server 2019: KB5002870, fixed build 16.0.10417.20128.
  • Microsoft SharePoint Enterprise Server 2016: KB5002868, fixed build 16.0.5552.1002.

Confirm the correct package for your farm in the Microsoft Security Update Guide before installing. SharePoint patching is farm-sensitive, so do not treat this like a single standalone Windows update on a random server.

Why this matters

CISA’s KEV entry says Microsoft SharePoint Server contains a deserialization flaw that allows an authorized attacker to execute code over a network. CISA added the issue on July 1, 2026, with a July 4, 2026 due date for covered federal systems. That deadline is a useful signal for private organizations too: if SharePoint is internet reachable or handles sensitive documents, patch planning should start immediately.

There is one nuance worth noting. Microsoft’s May 26 revision still marked the issue as not publicly disclosed and not exploited in its own update metadata at that time. CISA’s July 1 KEV listing is newer operational risk information. Use the newer KEV signal when deciding patch urgency.

Backup and maintenance plan

Before updating SharePoint, take a full backup path that you can actually restore from. At minimum, plan for:

  • Recent SQL backups for all content databases, the configuration database, and service application databases.
  • VM or bare-metal recovery points for each SharePoint server, coordinated with SQL backups so rollback is consistent.
  • A copy of current farm build levels, SharePoint server roles, service accounts, load balancer members, and custom solutions.
  • A maintenance window that accounts for the SharePoint Products Configuration Wizard or equivalent farm upgrade step when required.

For multi-server farms, drain one web front end from the load balancer, patch it, run the required SharePoint configuration step, verify health, then continue through the remaining web front ends and application servers in a controlled order. Keep search, workflow, and integration owners available if the farm supports business-critical document flows.

Patch routes

Use your normal Microsoft update channel where possible: Windows Update, WSUS, Intune, RMM tooling, or the Microsoft Update Catalog and Download Center links referenced from MSRC. If you install manually, match the update to the SharePoint generation and farm language requirements. Microsoft marks reboot as “Maybe” in the affected-product data, so schedule the window as if a reboot can be required.

After installation, complete the SharePoint configuration step across the farm if the update requires it. Do not stop at “the package installed” if Central Administration or server status still shows an upgrade action waiting.

Post-patch verification

After the farm is patched, verify both security state and user-facing behavior:

  • Confirm each server build is at or above the fixed build listed by Microsoft for its SharePoint version.
  • Open Central Administration and confirm all servers are healthy with no pending upgrade state.
  • Check IIS, SharePoint Timer Service, search crawl, distributed cache, workflow integrations, and authentication flows.
  • Review ULS logs, Event Viewer, antivirus alerts, web server logs, and sign-in activity for suspicious access around the patch window.
  • Test a representative document library, permissions-protected site, search result, upload, download, and business workflow.

If the farm is internet reachable, also review network exposure. Restrict Central Administration and management paths to administrative networks, keep VPN and identity controls tight, and treat CDN or WAF controls as temporary risk reduction only. The durable fix is the Microsoft SharePoint update.

Hosting and IT service provider notes

If you manage SharePoint for clients, notify affected customers with a clear maintenance window, expected impact, backup status, and rollback decision point. Confirm whether any tenant-specific customizations, document automation, or line-of-business integrations need a post-maintenance check. For co-managed environments, make sure the client understands that SharePoint account compromise is more serious while the farm is unpatched.

Fix I.T. Phill will keep watching the CISA KEV catalog and Microsoft security guidance for follow-up changes. If Microsoft updates the advisory or publishes new operational guidance, this post should be updated rather than duplicated.

Official sources

Picture of admin

admin

Leave a Reply

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.