The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a deserialization of untrusted data bug that allows remote code execution. Microsoft patched it in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Microsoft said the flaw can be exploited by any authenticated user and does not require administrative or other elevated privileges. In a network-based attack, a user with basic Site Member permissions could use it to execute code remotely on the SharePoint Server.
“Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network,” CISA said.
According to the Windows maker’s advisory, the flaw has been tagged with an “Exploitation Less Likely” assessment. It’s currently not known how the vulnerability is being exploited, who is behind the activity, and what the end goals of these efforts are.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix by July 4, 2026, in light of the ongoing exploitation.
One set of attacks has been attributed to Storm-2603, a threat actor known for deploying Warlock ransomware, often by exploiting flaws in on-premises SharePoint servers, since mid-2025.
“In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion,” Microsoft said. Evidence points to it being CVE-2025-11371 (CVSS score: 9.1), a critical flaw impacting Gladinet Triofox.
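The probing Microsoft describes, requests that try to read files such as win.ini and web.config, leaves a recognizable trail in web server logs. The following script is an added example (not code from Microsoft or the original report) that scans a few constructed IIS-style W3C log lines for requests referencing those files, decodes percent-encoded and double-encoded paths, and rates each hit by whether a directory-traversal sequence is present. The log layout, field names and sample addresses are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed W3C-style log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Addresses come from the documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2026-06-10 12:00:01 203.0.113.5 GET /sites/hr/default.aspx - 200
2026-06-10 12:00:02 203.0.113.5 GET /_layouts/15/start.aspx - 200
2026-06-10 12:00:03 198.51.100.7 GET /share/download.aspx f=..%2F..%2F..%2Fwindows%2Fwin.ini 200
2026-06-10 12:00:04 198.51.100.7 GET /share/download.aspx f=../../web.config 200
2026-06-10 12:00:05 198.51.100.7 GET /share/download.aspx f=report.docx 200
2026-06-10 12:00:06 203.0.113.9 GET /web.config - 404
"""

# Files named in the report as typical targets of local-file-inclusion probing.
SENSITIVE_FILES = ("win.ini", "web.config")
# "../" or "..\" after decoding signals an attempt to escape the web root.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def decode(text: str) -> str:
    """Percent-decode twice so double-encoded sequences such as %252e%252e are caught."""
    return unquote(unquote(text)).lower()


def parse_line(line: str):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def classify(entry: dict):
    """Return a verdict when the request references a sensitive file, else None."""
    target = decode(entry["stem"] + "?" + entry["query"])
    hit = next((name for name in SENSITIVE_FILES if name in target), None)
    if hit is None:
        return None
    if TRAVERSAL.search(target):
        return {"severity": "high", "reason": f"path traversal to {hit}"}
    # A bare request for the file is still worth a look, even when the server answers 404.
    return {"severity": "medium", "reason": f"direct request for {hit}"}


def find_lfi_probes(log_text: str) -> list:
    """Return every suspicious request, merged with the parsed log fields."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append({**entry, **verdict})
    return findings


def probing_hosts(log_text: str) -> Counter:
    """Count suspicious requests per client address to surface the noisiest sources."""
    return Counter(finding["ip"] for finding in find_lfi_probes(log_text))


if __name__ == "__main__":
    for finding in find_lfi_probes(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["severity"]:6} {finding["reason"]} '
              f'({finding["stem"]}?{finding["query"]} -> {finding["status"]})')
    print(probing_hosts(SAMPLE_LOG))
```

A status of 200 on a traversal request, as in the third and fourth sample lines, is the case to prioritise: it suggests the file contents may actually have been returned, which is exactly the successful probe that precedes an attempt on the real target.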
Microsoft also found signs of a second threat actor active in the same environment. This actor relied on DLL side-loading and custom backdoors, which complicates attribution.
Further investigation showed that the attackers moved laterally from the first network into a second one, which was then hit by the same ransomware linked to Storm-2603.
“Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion,” the Microsoft Incident Response team said. “The blend of known ransomware tactics and hidden techniques allowed the threat actors to establish deep and lasting access.”