Cyber Centre Daily Advisory Digest — 2026-07-02 (1 advisories)
A critical deserialization vulnerability (CVE-2026-45659) in Microsoft SharePoint Server is being actively exploited, enabling remote code execution by low-privileged attackers. The flaw affects SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition, with fixed versions available. CISA added this CVE to its KEV catalog on July 1, 2026, and the Canadian Cyber Centre urges immediate patching, especially for internet-exposed on-premises deployments.
Detection / Hunteropenrouter
What Happened
A serious security flaw has been found in Microsoft SharePoint Server that could allow an attacker with limited access to take full control of the server by running malicious code. The vulnerability, known as CVE-2026-45659, is already being exploited by attackers in the real world and was added to a U.S. government list of known exploited vulnerabilities on July 1, 2026. Organizations using on-premises SharePoint Server — especially versions exposed to the public internet — are at risk. Administrators should immediately identify all affected SharePoint installations and apply the security updates provided by Microsoft, or migrate to a supported version if their current one is reaching end of life on July 14, 2026.
Key Takeaways
- CVE-2026-45659 is a critical deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint Server allowing remote code execution by a low-privileged attacker.
- The vulnerability is being actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026.
- Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition with specific version thresholds.
- SharePoint Enterprise Server 2016 and Server 2019 reach end of life on July 14, 2026, making migration urgent.
- Organizations should prioritize patching internet-exposed on-premises SharePoint instances immediately.
Affected Systems
- Microsoft SharePoint Enterprise Server 2016 (versions before 16.0.5552.1002)
- Microsoft SharePoint Server 2019 (versions before 16.0.10417.20128)
- Microsoft SharePoint Server Subscription Edition (versions before 16.0.19725.20280)
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2026-45659 | Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, Subscription Edition) | Critical | Deserialization of untrusted data vulnerability that allows a low-privileged remote attacker to achieve remote code execution on affected SharePoint Server instances. |
Attack Chain
- Reconnaissance: Attacker identifies internet-exposed Microsoft SharePoint Server instances running vulnerable versions
- Initial Access: Low-privileged remote attacker leverages CVE-2026-45659 deserialization flaw to send crafted untrusted data
- Execution: Deserialization of the malicious payload triggers remote code execution on the SharePoint server
- Persistence/Impact: Attacker establishes foothold on compromised server for further operations
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in this advisory. The article recommends patching and hardening but does not include specific detection logic.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR may detect post-exploitation behavior such as unexpected child processes spawned by SharePoint worker processes (w3wp.exe), but the initial deserialization exploit itself may not generate clear EDR telemetry. |
| Network Visibility | Low | The exploit occurs via standard HTTP/HTTPS traffic to SharePoint, making it difficult to distinguish from legitimate requests without application-layer inspection or WAF rules tailored to deserialization payloads. |
| Detection Difficulty | Hard | Deserialization attacks over HTTP are challenging to detect without specialized WAF rules or application-level instrumentation. Post-exploitation detection depends on EDR catching anomalous process behavior from SharePoint application pools. |
Required Log Sources
- SharePoint Unified Logging Service (ULS) logs
- IIS W3SVC logs
- Windows Event Logs (Security and Application)
- EDR process telemetry
- WAF or reverse proxy logs for internet-exposed SharePoint
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected child processes spawned by SharePoint application pool worker processes (e.g., w3wp.exe spawning cmd.exe, powershell.exe, or other shells), which would indicate successful exploitation of the deserialization vulnerability. | EDR process creation and parent-child relationship telemetry | Execution | Low — legitimate SharePoint worker processes rarely spawn interactive shells or scripting interpreters. |
| If you have visibility into IIS or WAF logs, consider hunting for unusually large or malformed HTTP POST requests targeting SharePoint endpoints, which may indicate deserialization payload delivery. | IIS W3SVC logs, WAF logs, reverse proxy logs | Initial Access | Medium — large POST requests can occur during legitimate file uploads or SharePoint operations. |
| Consider hunting for new or modified web shells or suspicious ASPX files dropped into SharePoint directories, which may indicate post-exploitation persistence following successful RCE. | File system monitoring on SharePoint web directories, EDR file creation events | Persistence | Low to Medium — SharePoint does create ASPX files during normal operations, but unexpected files in system directories are suspicious. |
Control Gaps
- Standard network IDS/IPS signatures may not detect deserialization payloads embedded in legitimate-looking HTTP traffic to SharePoint.
- WAF rules without specific deserialization protections for SharePoint would likely not block this exploit.
- Organizations with unpatched, internet-exposed SharePoint servers have no compensating control if the vulnerability is exploited before detection.
Key Behavioral Indicators
- w3wp.exe (SharePoint application pool) spawning unexpected child processes such as cmd.exe, powershell.exe, or certutil.exe
- Anomalous HTTP requests with large serialized payloads targeting SharePoint web endpoints
- Unexpected ASPX or ASP files appearing in SharePoint web directories post-exploitation
- SharePoint service account exhibiting unusual behavior such as outbound network connections or credential access attempts
False Positive Assessment
- Low — post-exploitation indicators such as SharePoint worker processes spawning shells are highly suspicious and unlikely to occur during normal operations.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Identify all on-premises Microsoft SharePoint Server instances, especially those exposed to the internet, and inventory their current versions.
- If affected versions are identified, consider applying the relevant Microsoft security updates immediately to bring SharePoint to the fixed versions (16.0.5552.1002 for Enterprise Server 2016, 16.0.10417.20128 for Server 2019, 16.0.19725.20280 for Subscription Edition).
- If patching cannot be performed immediately, consider temporarily restricting external access to internet-facing SharePoint servers until updates are applied.
- If you suspect compromise, consider investigating for signs of exploitation such as unexpected child processes from w3wp.exe or anomalous ASPX files in SharePoint directories.
Infrastructure Hardening
- Evaluate whether internet-exposed SharePoint servers can be placed behind a VPN, reverse proxy, or network segmentation to reduce attack surface.
- Consider implementing WAF rules tailored to detect and block deserialization attacks against SharePoint endpoints, if supported by your WAF vendor.
- Plan migration from SharePoint Enterprise Server 2016 and Server 2019 to a supported version before their end of life on July 14, 2026.
- Review and implement the Cyber Centre's Top 10 IT Security Actions, with emphasis on patching, hardening, and isolating web-facing applications.
User Protection
- Ensure endpoint protection is active on all SharePoint server hosts to detect post-exploitation activity.
- Consider enabling enhanced logging on SharePoint servers (ULS logs, IIS logs) to support detection and investigation.
Security Awareness
- Inform IT staff about the critical nature of CVE-2026-45659 and the urgency of patching on-premises SharePoint deployments.
- Consider incorporating awareness of deserialization vulnerabilities into developer and administrator training programs where applicable.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059 - Command and Scripting Interpreter