SharePoint KEV: July 2026 Patch Playbook for Dallas

CISA added SharePoint Server RCE CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on July 1, 2026, with a July 4 federal patch deadline — despite Microsoft's original 'exploitation less likely' rating. This playbook walks Dallas businesses through the full on-premises remediation sequence: inventory, patch, ASP.NET machine-key rotation, IIS restart, and post-compromise verification.

Back to Blog
11 min read
Conceptual isometric illustration of an on-premises SharePoint server farm being hardened under an urgent security patch alert

On July 1, 2026, the Cybersecurity and Infrastructure Security Agency did something that should reframe how every Dallas business treats its on-premises SharePoint servers: it added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog and gave federal agencies until July 4 — three days — to patch it. What makes that timeline remarkable is that Microsoft had originally rated the flaw "Exploitation Less Likely" when it shipped the fix back in May [The Hacker News]. The attackers disagreed. Within weeks, a bug the industry had filed under "we'll get to it" was being used in the wild, and the federal government treated it as an emergency.

If your organization runs SharePoint Server on-premises — Subscription Edition, 2019, or 2016 — this is your playbook. It covers exactly what the vulnerability is, why the KEV listing compresses your timeline whether or not you answer to a federal deadline, and the step-by-step remediation sequence that actually closes the door: not just the patch, but the machine-key rotation and post-compromise verification that a "less likely" bug now demands.

⚠ Active Exploitation Advisory

CVE-2026-45659 is confirmed under active exploitation and listed in the CISA KEV catalog as of July 1, 2026. Any authenticated user with only Site Member permissions can achieve remote code execution. On-premises SharePoint Server Subscription Edition, 2019, and 2016 are affected. Apply Microsoft's May 2026 security update immediately and complete the full remediation sequence below.

✓ Key Takeaways

  • CVE-2026-45659 is a deserialization RCE (CVSS 8.8) in on-premises SharePoint Server, patched by Microsoft in May 2026 and added to CISA's KEV catalog on July 1, 2026 [The Hacker News].
  • Low bar to exploit. An authenticated attacker needs only Site Member permissions — no admin rights — to run code on the server [The Hacker News].
  • "Less likely" was wrong. Microsoft's initial exploitability rating was overtaken by real-world attacks, a reminder that vendor severity scores are a starting point, not a schedule [The Register].
  • Patching alone is not remediation. A complete response rotates ASP.NET machine keys, restarts IIS, enables AMSI, and checks for prior compromise — the same hard lessons from the 2025 "ToolShell" campaign [Microsoft MSRC].
  • On-prem SharePoint is a repeat target. This is the second KEV-listed SharePoint RCE in twelve months; if you can't sustain a rapid patch cadence, managed patch operations or a move to SharePoint Online is the strategic fix.

What CVE-2026-45659 Is — and Why KEV Changes Your Timeline

CVE-2026-45659 is a remote code execution vulnerability caused by the deserialization of untrusted data. In plain terms: SharePoint can be tricked into taking attacker-supplied data and reconstructing it into live, executing code on the server. Microsoft addressed it in the May 2026 security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 [The Hacker News]. The flaw does not touch SharePoint Online — this is strictly an on-premises problem, which is precisely why it disproportionately affects organizations still running their own SharePoint farms.

Definition

CISA Known Exploited Vulnerabilities (KEV) Catalog

An authoritative, evidence-based list of security flaws CISA has confirmed are being actively exploited in the wild. Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV entries by a set deadline. For private businesses the catalog is not legally binding — but it is the single best public signal that a vulnerability has moved from theoretical to "attackers are using this right now."

The KEV listing is the part that should reset your calendar. A CVSS score of 8.8 is serious but common; hundreds of such bugs are disclosed every year, and no team can patch all of them the day they land. What the KEV catalog tells you is that this specific vulnerability is being exploited today. The federal July 4 deadline does not apply to a private Dallas company — but the threat actors behind the exploitation do not check whether you are a government agency before they scan your perimeter. The moment a flaw is on KEV, its risk profile is no longer "someday"; it is "already."

CVE CVE-2026-45659
Type Deserialization → Remote Code Execution
CVSS 8.8 (High)
Privilege required Authenticated, Site Member (PR:L)
Affected SharePoint SE, 2019, 2016 (on-prem)
Patched May 2026 security updates
KEV added / Fed deadline July 1, 2026 / July 4, 2026

The SharePoint On-Prem Pattern: This Keeps Happening

CVE-2026-45659 is not an isolated event. It is the latest entry in a pattern that on-premises SharePoint operators have been living through for the better part of a year, and understanding that pattern is what turns a one-time patch into a durable defensive posture.

Isometric illustration of a deserialization payload cracking through a shield into an on-premises SharePoint server rack

Deserialization flaws let attacker-supplied data become executing code — turning a document server into an execution surface.

In July 2025, a cluster of SharePoint flaws collectively branded "ToolShell" (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771) enabled unauthenticated remote code execution against on-premises servers. That campaign was severe: CVE-2025-53770 carried a CVSS of 9.8, exploitation was widespread within days of proof-of-concept release, and Microsoft attributed activity to Chinese state-linked groups Linen Typhoon and Violet Typhoon for espionage, alongside a financially motivated actor, Storm-2603, that deployed Warlock and LockBit ransomware through the same opening [Microsoft]. The tell-tale artifact — a malicious spinstall0.aspx file dropped to harvest cryptographic secrets — became a household name for incident responders that summer.

The through-line from ToolShell to CVE-2026-45659 is unambiguous: on-premises SharePoint is a high-value, internet-adjacent, complex application that attackers return to again and again. Every farm is a rich target — it holds documents, integrates with identity, and often sits reachable from the corporate perimeter. If your remediation strategy is to react to each new CVE individually, you are perpetually one disclosure behind a motivated adversary. The businesses that came through 2025 and 2026 unscathed are the ones that treated SharePoint patching as a standing operational discipline, not a series of fire drills.

The Patch Playbook: Seven Steps to Close the Door

Applying the update is necessary but, on its own, insufficient — a hard lesson from ToolShell, where attackers who had already stolen a server's ASP.NET machine keys could forge access even after the patch was installed. A complete remediation follows the sequence Microsoft laid out in its on-premises guidance [Microsoft MSRC]. Work through these steps in order for every SharePoint server you operate.

1

Inventory every on-prem SharePoint instance

You cannot patch what you have not found. Identify each server, confirm whether it is Subscription Edition, 2019, or 2016, and record the current build number. Shadow or forgotten farms are where exposure hides.

2

Enable AMSI in Full Mode and deploy antivirus

Turn on the Antimalware Scan Interface integration in Full Mode and ensure Microsoft Defender Antivirus (or equivalent) runs on every SharePoint server. AMSI in Full Mode provides the most comprehensive request-body inspection and blunts many exploitation attempts.

3

Apply the May 2026 security update

Install the official Microsoft update that raises your build above the fixed level. Verify the post-update build number against Microsoft's published fixed build — do not assume the installer succeeded.

4

Rotate ASP.NET machine keys

Rotate the SharePoint ASP.NET machine keys. This invalidates any cryptographic secrets an attacker may already have stolen — the step that prevents forged, post-patch access.

5

Restart IIS

Run iisreset.exe so the rotated keys take effect. Key rotation without an IIS restart leaves the old secrets live in memory — the rotation is not complete until IIS has cycled.

6

Deploy endpoint detection and response

Ensure Microsoft Defender for Endpoint or an equivalent EDR is watching each SharePoint server so any post-exploitation behavior is caught, logged, and alertable rather than silent.

7

Verify no prior compromise

Because this bug was exploited before it was on your radar, close the loop by hunting for signs of earlier intrusion — covered in the next section. A patch ticket without evidence of a clean environment is an incomplete response.

The AMSI-and-key-rotation nuance trips up teams that treat this as a routine Patch Tuesday. Microsoft's guidance is explicit: if you cannot enable AMSI, key rotation and an IIS restart after installing the update are mandatory, not optional. The order matters, too — installing the patch without rotating keys leaves any previously stolen secrets valid.

PowerShell — rotate SharePoint machine keys, then cycle IIS

# Run in the SharePoint Management Shell on a farm server
# 1. Rotate the farm's ASP.NET machine keys
Set-SPMachineKey -WebApplication https://your-sharepoint-url
Update-SPMachineKey -WebApplication https://your-sharepoint-url

# 2. Propagate the change across the farm timer service
Start-SPTimerJob job-spmachinekeymanager

# 3. Cycle IIS so the rotated keys load into worker processes
iisreset.exe /noforce

# 4. Confirm the build is at or above the fixed May 2026 level
(Get-SPFarm).BuildVersion

Managing this sequence across a multi-server farm, during a maintenance window, without breaking authentication for users, is where a disciplined managed IT services practice earns its value. The commands are simple in isolation; the risk is in the choreography.

On-premises server rack with a maintenance laptop running an update, representing a controlled SharePoint patch window

A controlled patch window — inventory, update, rotate keys, restart IIS, verify — beats an ad-hoc scramble under an active-exploitation clock.

Assume Breach: Post-Compromise Verification

The single most important mindset shift for a KEV-listed vulnerability is this: by the time you are patching, you have to consider that you may already be too late. Because CVE-2026-45659 was exploited while it was still rated "less likely," any unpatched, internet-reachable SharePoint server should be treated as potentially compromised until proven otherwise. Patching stops future exploitation; it does nothing about access an attacker established last week.

What to hunt for:

Unexpected .aspx files in SharePoint layouts directories (the ToolShell campaign dropped spinstall0.aspx), anomalous w3wp.exe child processes, newly created or modified scheduled tasks, unexpected service accounts, outbound connections from the SharePoint server to unfamiliar infrastructure, and any evidence of machine-key theft. Review IIS and SharePoint ULS logs across the full window the server was exposed, not just the last 24 hours.

If your hunt surfaces anything ambiguous, escalate to formal incident response rather than trying to clean it in place — forging access from stolen keys means a superficially "patched" server can still be under an attacker's control. ITECS maintains an emergency breach response capability for exactly this scenario, and pairs it with continuous endpoint detection and response so post-exploitation behavior is caught in real time instead of discovered months later. For organizations that want to know their exposure before an attacker finds it, penetration testing services can confirm whether an internet-facing SharePoint farm is reachable and exploitable from the outside.

What Dallas Businesses Should Do This Week

The uncomfortable truth behind CVE-2026-45659 is that the technical fix has been available since May — the gap is operational. Plenty of North Texas organizations run on-premises SharePoint for document management, intranets, and line-of-business applications, and many do not have a patch-management cadence fast enough to act inside the window between a KEV listing and mass exploitation. That gap, not the vulnerability itself, is what turns a routine update into a breach.

A pragmatic sequence for a Dallas business this week: confirm whether you run SharePoint on-premises at all; if you do, execute the seven-step playbook above on every instance; if you cannot patch immediately, restrict the servers' internet exposure through managed firewall segmentation as a stopgap; and run the post-compromise hunt regardless. Longer term, the strategic question is whether you should be operating your own SharePoint farm at all — for many mid-market organizations, a migration to SharePoint Online through Microsoft 365 consulting removes this entire class of on-premises RCE exposure by shifting patch responsibility to Microsoft.

Patch, Verify, and Harden Your SharePoint This Week

A focused security assessment confirms whether your on-premises SharePoint is patched, exposed, or already compromised — and maps the fastest path to a durable fix, from managed patching to a clean migration.

Book a Security Assessment →

CVE-2026-45659 will not be the last KEV-listed SharePoint flaw — the pattern of the last twelve months guarantees another is coming. The organizations that stay ahead are not the ones with the biggest security budgets; they are the ones that can inventory, patch, rotate, restart, and verify inside a three-day window without it becoming a crisis. Build that muscle now, on this CVE, and the next one becomes a routine Tuesday instead of an emergency.

Sources

continue reading

More ITECS blog articles

Browse all articles

About ITECS Team

The ITECS team consists of experienced IT professionals dedicated to delivering enterprise-grade technology solutions and insights to businesses in Dallas and beyond.

View full profile and articles

Share This Article

Continue Reading

Explore more insights and technology trends from ITECS

View All Articles