Site icon Fix I.T. Phill – Your Go-To Tech Guru

SharePoint Server CVE-2026-45659: Patch the New CISA KEV RCE

SharePoint Server CVE-2026-45659 CISA KEV patch guide for SharePoint Subscription Edition, 2019, and 2016

SharePoint Server CVE-2026-45659 CISA KEV patch guide for SharePoint Subscription Edition, 2019, and 2016

Update for July 1, 2026: CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog for Microsoft SharePoint Server. Microsoft published the SharePoint update in May, but the KEV addition changes the priority: exposed or business-critical SharePoint farms should move this from normal patch queue to urgent maintenance planning.

Microsoft describes CVE-2026-45659 as a SharePoint remote code execution vulnerability caused by deserialization of untrusted data. The MSRC entry lists a CVSS 3.1 base score of 8.8, low attack complexity, low privileges required, and no user interaction. In plain English: a compromised or low-privilege SharePoint account can become much more dangerous on an unpatched farm.

Who should act now

This is for organizations running on-premises SharePoint Server, especially farms exposed to partners, vendors, customers, VPN users, remote workers, or broad internal audiences. Microsoft lists the following affected products and security updates:

Confirm the correct package for your farm in the Microsoft Security Update Guide before installing. SharePoint patching is farm-sensitive, so do not treat this like a single standalone Windows update on a random server.

Why this matters

CISA’s KEV entry says Microsoft SharePoint Server contains a deserialization flaw that allows an authorized attacker to execute code over a network. CISA added the issue on July 1, 2026, with a July 4, 2026 due date for covered federal systems. That deadline is a useful signal for private organizations too: if SharePoint is internet reachable or handles sensitive documents, patch planning should start immediately.

There is one nuance worth noting. Microsoft’s May 26 revision still marked the issue as not publicly disclosed and not exploited in its own update metadata at that time. CISA’s July 1 KEV listing is newer operational risk information. Use the newer KEV signal when deciding patch urgency.

Backup and maintenance plan

Before updating SharePoint, take a full backup path that you can actually restore from. At minimum, plan for:

For multi-server farms, drain one web front end from the load balancer, patch it, run the required SharePoint configuration step, verify health, then continue through the remaining web front ends and application servers in a controlled order. Keep search, workflow, and integration owners available if the farm supports business-critical document flows.

Patch routes

Use your normal Microsoft update channel where possible: Windows Update, WSUS, Intune, RMM tooling, or the Microsoft Update Catalog and Download Center links referenced from MSRC. If you install manually, match the update to the SharePoint generation and farm language requirements. Microsoft marks reboot as “Maybe” in the affected-product data, so schedule the window as if a reboot can be required.

After installation, complete the SharePoint configuration step across the farm if the update requires it. Do not stop at “the package installed” if Central Administration or server status still shows an upgrade action waiting.

Post-patch verification

After the farm is patched, verify both security state and user-facing behavior:

If the farm is internet reachable, also review network exposure. Restrict Central Administration and management paths to administrative networks, keep VPN and identity controls tight, and treat CDN or WAF controls as temporary risk reduction only. The durable fix is the Microsoft SharePoint update.

Hosting and IT service provider notes

If you manage SharePoint for clients, notify affected customers with a clear maintenance window, expected impact, backup status, and rollback decision point. Confirm whether any tenant-specific customizations, document automation, or line-of-business integrations need a post-maintenance check. For co-managed environments, make sure the client understands that SharePoint account compromise is more serious while the farm is unpatched.

Fix I.T. Phill will keep watching the CISA KEV catalog and Microsoft security guidance for follow-up changes. If Microsoft updates the advisory or publishes new operational guidance, this post should be updated rather than duplicated.

Official sources

Exit mobile version