FORSMILE
Security 2026/07/02

[URGENT] Severe RCE Vulnerability (CVE-2026-45659) Discovered in Microsoft SharePoint Server, Added to CISA KEV

A severe authenticated RCE vulnerability, 'CVE-2026-45659,' has been discovered in Microsoft SharePoint Server and added to the CISA KEV catalog. It allows code execution even by low-privileged users, necessitating immediate patch application.


A severe vulnerability, 'CVE-2026-45659,' has been identified in Microsoft SharePoint Server, allowing authenticated attackers to remotely execute arbitrary code. Exploitation of this vulnerability has already been confirmed. The U.S. CISA (Cybersecurity and Infrastructure Security Agency) added it to its Known Exploited Vulnerabilities (KEV) catalog on July 1st, mandating rapid remediation for federal agencies. Given the widespread use of SharePoint Server, many organizations could be affected, requiring urgent action.

Vulnerability Overview and Scope of Impact

CVE-2026-45659 is a vulnerability in Microsoft SharePoint Server stemming from 'Deserialization of Untrusted Data.' It has a CVSSv3.1 score of 8.8 (HIGH). This vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. An attacker can exploit this vulnerability over the network, with authentication, to execute arbitrary code.

CVE Score: CVE-2026-45659, 8.8 (HIGH severity)

Specific Impact and Attack Scenarios

While exploiting this vulnerability requires authentication, Microsoft states that even an authenticated attacker with minimum 'site member' privileges can exploit it without additional elevated privileges. An attacker can send specially crafted data to the SharePoint Server to execute arbitrary code on the server. This could lead to the theft of confidential information, system tampering, and even serve as a foothold for wider intrusion into the organization's network. It is particularly important to recognize that, with CISA adding it to its catalog of known exploited vulnerabilities, the real-world attack risk is extremely high.

Immediate Actions for Engineers

The most crucial measure is to promptly apply the security updates provided by Microsoft. A patch for this vulnerability was released in May 2026. Organizations operating SharePoint Server are strongly recommended to apply the latest updates corresponding to their product version to keep their systems up-to-date.

Furthermore, as an additional layer of defense, consider deploying a WAF (Web Application Firewall) configured to block suspicious request patterns. Below is a basic Nginx configuration example for blocking suspicious POST requests. Note that this is a general defensive measure and does not completely protect against specific vulnerabilities; always apply the patches provided by the vendor.

nginx
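location / {
    # Block common webshell-upload and command-injection patterns.
    # As a mitigation for the SharePoint vulnerability this is of limited value,
    # but it filters requests that may carry a malicious payload.
    # This rule may be too strict, so tune it for your environment.
    #
    # nginx does not allow nested "if" blocks or "||" / "&&" inside a condition,
    # so each check sets a flag and the request method is combined with it at the end.
    # Caveat: nginx evaluates "if" before it reads the request body, and $request_body
    # is only filled in locations handled by proxy_pass, fastcgi_pass, uwsgi_pass or
    # scgi_pass once the body is buffered in memory. Verify that the body checks
    # actually fire in your deployment before relying on them.
    set $block_attack 0;

    # Block suspicious Content-Type values that attempt to upload executable file types
    if ($http_content_type ~* "application/(x-php|x-perl|x-python|x-ruby|x-sh)") {
        set $block_attack 1;
    }
    # Block file uploads containing executable magic bytes or keywords (e.g. PHP)
    if ($request_body ~* "^<\?php|eval\(|shell_exec\(|system\(|passthru\(") {
        set $block_attack 1;
    }
    # Patterns that suggest untrusted serialized data (e.g. typical magic bytes and
    # keywords of Java/PHP object serialization).
    # SharePoint is .NET, but an attack may imitate other serialization technologies.
    if ($request_body ~* "^rO0AB|O:[0-9]+:\"|__destruct") {
        set $block_attack 1;
    }
    # Block abnormal POST requests to specific paths (add specific paths as needed)
    # set $path_hit "";
    # if ($uri ~* "/(_layouts|forms)/") { set $path_hit "P"; }
    # if ($request_body ~* "<script")   { set $path_hit "${path_hit}S"; }
    # if ($path_hit = "PS")             { set $block_attack 1; }

    # Reject only POST requests that tripped one of the checks above
    set $verdict "$request_method:$block_attack";
    if ($verdict = "POST:1") {
        return 403;
    }
    try_files $uri $uri/ =404;
}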
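
The following is an added example, not part of the original article: a small Python harness that replays constructed requests against the regex patterns from the Nginx configuration above, so false positives can be measured before the rule is deployed. Python's `re` stands in for nginx's regex engine, and the sample requests and their `suspicious` labels are constructed for illustration.

```python
import re

# Patterns from the Nginx example above; re.IGNORECASE mirrors nginx's ~* operator.
RULES = [
    ("content_type", "content_type", r"application/(x-php|x-perl|x-python|x-ruby|x-sh)"),
    ("script_keyword", "body", r"^<\?php|eval\(|shell_exec\(|system\(|passthru\("),
    ("serialized_marker", "body", r'^rO0AB|O:[0-9]+:"|__destruct'),
]
COMPILED = [(name, field, re.compile(rx, re.IGNORECASE)) for name, field, rx in RULES]

# Constructed sample requests (not captured traffic). "suspicious" is a label
# assigned by hand so the rules can be scored against it.
SAMPLES = [
    {"id": "list-item-save", "method": "POST", "content_type": "application/json",
     "body": '{"Title": "Q3 report", "Status": "Draft"}', "suspicious": False},
    {"id": "wiki-note", "method": "POST", "content_type": "application/json",
     "body": '{"Body": "Back up the file system(NTFS) before patching"}', "suspicious": False},
    {"id": "script-upload", "method": "POST", "content_type": "application/x-sh",
     "body": "#!/bin/sh\necho constructed", "suspicious": True},
    {"id": "java-marker", "method": "POST", "content_type": "application/octet-stream",
     "body": "rO0ABconstructed-not-a-real-object", "suspicious": True},
    {"id": "php-marker", "method": "POST", "content_type": "text/plain",
     "body": 'O:8:"stdClass":0:{}', "suspicious": True},
    {"id": "page-view", "method": "GET", "content_type": "", "body": "", "suspicious": False},
]

def fired_rules(req):
    """Return the names of the rules that match; only POST requests are inspected."""
    if req["method"] != "POST":
        return []
    return [name for name, field, rx in COMPILED if rx.search(req[field])]

def score(samples):
    """Return (false_positives, misses) as lists of sample ids."""
    false_pos, missed = [], []
    for req in samples:
        blocked = bool(fired_rules(req))
        if blocked and not req["suspicious"]:
            false_pos.append(req["id"])
        elif not blocked and req["suspicious"]:
            missed.append(req["id"])
    return false_pos, missed

if __name__ == "__main__":
    for req in SAMPLES:
        hits = fired_rules(req)
        print(f'{req["id"]:16} {"403" if hits else "pass"} {hits}')
    print("false positives / misses:", score(SAMPLES))
```

On these constructed samples the benign JSON note containing "file system(NTFS)" is rejected by the `system\(` keyword, which is the over-strictness the configuration comments warn about.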

Reference Sources and Official Patch Information
