Article 76QDS Microsoft said exploitation was 'less likely' ... but CISA just added SharePoint RCE to KEV list


by
from www.theregister.com - Articles on (#76QDS)
Microsoft's prediction that attackers probably wouldn't rush to exploit a newly patched SharePoint bug hasn't aged especially well. CISA has added CVE-2026-45659, a remote code execution flaw in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog after confirming that criminals are now actively exploiting it in the wild.

The bug stems from an insecure deserialization issue and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, all of which received patches from Microsoft in May.

Unlike some of SharePoint's more infamous bugs, this one isn't pre-authentication, though attackers need surprisingly little to pull it off. According to Microsoft, anyone with valid credentials and nothing more than Site Member permissions can execute arbitrary code remotely on a vulnerable server.

"Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges," Microsoft said in its advisory. "In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR), could execute code remotely on the SharePoint Server."

Microsoft also noted that the attack can be launched remotely over the network with low attack complexity, making it straightforward to exploit once an attacker has a foothold.

CISA didn't disclose who's exploiting the flaw or how widespread the attacks are, but its guidance leaves little room for interpretation. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the agency warned. It directed federal civilian agencies to follow Binding Operational Directive 26-04 by applying Microsoft's fixes no later than July 4, or discontinue use of affected systems if mitigations aren't available.
The vulnerability carries a CVSS score of 8.8, but perhaps the more interesting number is Microsoft's exploitability assessment. When the patches landed, Redmond rated real-world exploitation as "Less Likely." That's a prediction, not a guarantee, and history has a habit of making those forecasts look optimistic once patches give attackers a roadmap to reverse engineer. For anyone still exposing an unpatched SharePoint server to the internet, CISA's KEV listing is a reminder that the race between patching and exploitation is usually won by whoever starts first.