Back to blog
SharePoint CVE-2026-45659: RCE Exploit, Warlock Ransomware, and How to Patch
July 3, 2026·EOLCanary Team

SharePoint CVE-2026-45659: RCE Exploit, Warlock Ransomware, and How to Patch

Microsoft SharePoint Server has a remote code execution vulnerability under active exploitation by ransomware operators. CVE-2026-45659 requires only an authenticated account with Site Member permissions — the lowest meaningful privilege level in SharePoint — to execute arbitrary code on the server. If your organization runs on-premises SharePoint and has not applied the May 2026 security update, treat this as an emergency.

What CVE-2026-45659 is

CVE-2026-45659 (CVSS 8.8) is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server. By sending a specially crafted request, an authenticated attacker causes the server to deserialize malicious data and execute arbitrary code in the context of the SharePoint application pool. The authentication requirement slightly reduces the theoretical CVSS score — but in practice, SharePoint deployments routinely have hundreds or thousands of authenticated users including contractors, partners, and service accounts. The effective barrier to exploitation in a typical enterprise environment is low. Affected versions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online is not affected.

The Storm-2603 exploitation campaign

Active exploitation has been attributed to Storm-2603, the group behind Warlock ransomware. The attack begins with initial access via CVE-2025-11371 (CVSS 9.1), a critical path traversal vulnerability in Gladinet Triofox. Attackers probe for this vulnerability using requests for files like win.ini and web.config, indicating systematic scanning for local file inclusion before pivoting to the SharePoint RCE.

Once inside, Storm-2603 deploys a sophisticated post-exploitation toolkit: Velociraptor (a legitimate incident response tool repurposed for malicious reconnaissance), Cloudflare tunneling for command-and-control traffic that blends with legitimate CDN activity, Zoho Assist for persistent remote access, and SSH connections configured through Visual Studio Code. The group also escalates privileges by creating new local and domain administrator accounts and exploits a vulnerable driver (NSecKrnl.sys) for further privilege escalation.

Why the attack chain is particularly dangerous

The use of legitimate administrative tools for post-exploitation activity is a deliberate evasion strategy. Traditional endpoint detection tools that flag known malware signatures will miss much of this activity because Velociraptor, Cloudflare tunnels, Zoho Assist, and VS Code are trusted and commonly used by legitimate administrators. Detection requires behavioral analysis and anomaly detection rather than signature matching. Additionally, the creation of new domain administrator accounts means that patching the vulnerability does not remediate an existing compromise — attacker-controlled accounts survive the patch.

How to patch CVE-2026-45659

Microsoft released patches in May 2026 via Windows Update, Microsoft Update Catalog, and the Microsoft Download Center. Apply the May 2026 Cumulative Update for SharePoint Server Subscription Edition, or the May 2026 security update for SharePoint Server 2019 and SharePoint Enterprise Server 2016. Verify patch installation by checking your SharePoint farm build version against Microsoft's published May 2026 build numbers.

How to detect if you have already been compromised

Review SharePoint ULS logs for unusual deserialization activity. Check for new local or domain administrator accounts created in the past 30-60 days that cannot be attributed to legitimate IT operations. Scan Active Directory for accounts with names outside your naming conventions. Search the SharePoint filesystem for recently created files in unexpected locations. Check for the presence of Velociraptor, Zoho Assist, or unusual SSH configurations via Visual Studio Code on SharePoint servers. If any indicators of compromise are found, patching alone is insufficient — initiate a full incident response engagement.

Longer-term: the case for SharePoint Online

CVE-2026-45659 is not the first critical on-premises SharePoint RCE and will not be the last. Organizations with the flexibility to migrate to SharePoint Online eliminate this category of risk entirely — the vulnerability does not affect the cloud service. For organizations that must maintain on-premises SharePoint, a formal patch cadence applying security updates within 30 days of release is the minimum viable posture. The May 2026 update was available for 6 weeks before CISA added this CVE to the KEV catalog — organizations that applied it promptly were not exposed.

Track Microsoft SharePoint CVEs and support status on EOLCanary.

© 2026 EOLCanary — Data from endoflife.date & NVD
Explore