Microsoft patched CVE-2026-45659 in its May updates for on-premises SharePoint Server and, at the time, assessed the flaw as “Exploitation Less Likely.” Just over six weeks later, on July 1, CISA added it to the Known Exploited Vulnerabilities catalogue and gave US federal agencies a three-day deadline to patch, after confirming active exploitation in the wild.
A low bar to clear
CVE-2026-45659 is a deserialization of untrusted data vulnerability affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, carrying a CVSS score of 8.8. What makes it dangerous in practice is the privilege level required: an attacker only needs an authenticated account with Site Member permissions, not administrative access, to achieve remote code execution on the server. Any organisation where a single low-privilege SharePoint account can be phished, credential-stuffed, or otherwise compromised has a viable path to full server compromise.
The actor behind it has done this before
CISA and multiple security researchers have attributed active exploitation to Storm-2603, the same threat actor behind 2025’s ToolShell campaign, which also targeted on-premises SharePoint servers and culminated in Warlock ransomware deployments across affected organisations. The repeat targeting is not a coincidence. On-premises SharePoint remains attractive to this actor precisely because it does not benefit from the automatic, centrally managed patching that cloud-hosted SharePoint Online receives. Every on-prem deployment is a separate patching decision made by a separate IT team, on its own timeline.
The uncomfortable irony for data residency choices
A meaningful share of European organisations, particularly in the public sector and regulated industries, run SharePoint on-premises specifically to keep data under direct organisational and jurisdictional control rather than in a hyperscaler’s cloud. That sovereignty rationale is legitimate, but it comes with a maintenance burden that this incident makes explicit: on-prem SharePoint’s security now depends entirely on how quickly your own team applies patches and how well you monitor for exploitation, not on a vendor’s managed update cycle. Microsoft’s own exploitability prediction underestimated this vulnerability. An internal patch management process that is any slower than Microsoft’s own assessment is not a safe assumption to build on.
What to check now
Organisations still running on-premises SharePoint should confirm the May patch is applied, review Site Member account activity for anomalous behaviour since May, and check for indicators of Warlock ransomware deployment if patching was delayed. Given the ToolShell precedent, treat any evidence of exploitation as a potential ransomware precursor, not an isolated web shell incident.
If you run on-premises SharePoint and need help confirming your patch status, auditing for signs of exploitation, or reassessing whether an on-premises deployment still makes sense against its patching overhead, contact Excello Digital. We help European organisations keep on-prem infrastructure patched against the threats that specifically target it.
