Active Exploitation of SharePoint Server RCE (CVE‑2026‑45659) Triggers CISA KEV Listing
What It Is — A remote‑code‑execution flaw in Microsoft SharePoint Server (CVE‑2026‑45659) allows an attacker to execute arbitrary code via deserialization of untrusted data. CISA has placed the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
Exploitability — CVSS 8.8 (High). Public proof‑of‑concept code and real‑world exploitation reports are cited by CISA, indicating a weaponized, actively used exploit.
Affected Products — Microsoft SharePoint Server (on‑premises) versions prior to the security update released in July 2026.
Why It Matters for Compliance & Audit Readiness
- SOC 2 Access Controls – An unpatched RCE bypasses logical access boundaries, violating the CC6.1 “Logical Access Security” control. Demonstrating timely patch management is essential evidence for a compliant audit.
- Continuous Monitoring – Detecting exploitation attempts via SIEM or endpoint telemetry provides the audit‑ready logs required for the CC7.2 “System Monitoring” control.
- Enterprise Buyer Expectations – Many SOC 2‑certified customers now require proof that critical services (e.g., SharePoint) are patched within vendor‑defined SLAs before signing contracts.
Recommended Actions
- Apply Microsoft’s July 2026 security update for SharePoint Server immediately.
- Verify patch deployment across all on‑premises SharePoint instances using automated inventory tools.
- Enable and tune logging for deserialization‑related events; forward logs to a centralized SIEM for continuous monitoring.
- Map the remediation steps to SOC 2 CC6.1 and CC7.2 controls and retain evidence for the next audit cycle.
Source: The Hacker News – SharePoint RCE CVE‑2026‑45659 Added to CISA KEV After Active Exploitation