CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE
Detects exploitation of CVE-2026-45659, a critical deserialization of untrusted data vulnerability in Microsoft SharePoint Server. Successful exploitation allows remote code execution by sending crafted serialized .NET objects to SharePoint web endpoints. This CVE is listed in CISA KEV indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Microsoft
- Product
- SharePoint Server
Weakness (CWE)
Timeline
- Disclosed
- July 1, 2026
References & Proof of Concept
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-45659
What is CVE-2026-45659 (Microsoft SharePoint Server Deserialization RCE)?
CVE-2026-45659, Microsoft SharePoint Server Deserialization RCE, maps to the MITRE ATT&CK tactics Initial Access, Execution and Persistence; in ATT&CK terms, the adversary is trying to get into your network and run code there.
This page provides production-ready detection logic for CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE, covering the data sources and telemetry it touches: W3CIISLog, SecurityEvent, DeviceProcessEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access
- Execution
- Persistence
let suspiciousSharePointPaths = dynamic(["/sites/", "/_layouts/", "/_vti_bin/", "/Lists/", "/_api/"]);
let knownBadUserAgents = dynamic(["python-requests", "curl", "Go-http-client", "masscan", "nuclei"]);
union
(
// Leg 1: large POST/PUT requests to sensitive SharePoint endpoints in the IIS logs.
// In the Sentinel W3CIISLog schema the status code is the string column scStatus,
// the request size is csBytes and the client address is cIP.
W3CIISLog
| where csUriStem has_any ("_vti_bin", "_layouts", "viewlsts.aspx", "upload.aspx")
| where csMethod in ("POST", "PUT")
| where scStatus in ("200", "500", "503")
| where csBytes > 5000
| extend isSuspiciousUA = csUserAgent has_any (knownBadUserAgents)
| extend isSharePointPath = csUriStem has_any (suspiciousSharePointPaths)
| project TimeGenerated, Source = "W3CIISLog", csUriStem, csMethod, scStatus, csBytes, csUserAgent, cIP, isSuspiciousUA, isSharePointPath, Computer
),
(
// Leg 2: shells and LOLBins spawned by SharePoint worker processes.
// Only 4688 (process creation) carries parent/child fields; 4689 is process exit.
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("w3wp.exe", "owstimer.exe", "microsoft.sharepoint.exe")
| where NewProcessName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe")
| project TimeGenerated, Source = "SecurityEvent", Account, Computer, ParentProcessName, NewProcessName, CommandLine, NewProcessId
),
(
// Leg 3: the same parent/child pairing from Defender for Endpoint telemetry.
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("w3wp.exe", "owstimer.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project TimeGenerated, Source = "DeviceProcessEvents", DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
)
| extend AlertName = "CVE-2026-45659 SharePoint Deserialization Exploitation Attempt"
Detects SharePoint deserialization exploitation via IIS logs showing anomalous POST requests to sensitive endpoints combined with child process spawning from SharePoint worker processes (w3wp.exe). Note that the union returns the rows of each leg independently: the Source column tells you which leg fired, and the "combined with" in the description is a triage expectation (a large POST on the same host shortly before the child process), not a join performed by the query itself.
Data Sources
Required Tables
False Positives
- Legitimate SharePoint administrative operations that generate large POST requests to _layouts or _vti_bin endpoints
- Automated backup or migration tools that interact with SharePoint APIs using non-browser user agents
- SharePoint health analyzer or monitoring tools spawning diagnostic child processes from w3wp.exe
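The query above emits its IIS and process-creation legs as separate rows and leaves the "combined with" step to the analyst, and the false-positive list above calls for a user-agent allowlist for backup and migration tools. As an added example that is not part of this page's detection package, the following Python re-implements the same two-signal logic with an explicit host-and-time correlation and runs it over constructed sample telemetry. The hostnames, IPs, timestamps, the ContosoBackupAgent user agent and the 5-minute correlation window are assumptions; the sensitive paths, user agents, parent and child process names and the 5000-byte threshold are taken from the query.

```python
"""Added example, not code from the original page: the page's two-signal logic
re-implemented in Python over constructed sample telemetry. Signal A is the
IIS-log leg (large POST/PUT to a sensitive SharePoint endpoint), Signal B the
process leg (SharePoint worker spawning a shell/LOLBin); an alert needs A then
B on one host. Hosts, IPs, times, 'ContosoBackupAgent' and the 5-minute window
are assumptions."""
from collections import namedtuple
from datetime import datetime, timedelta

SENSITIVE_PATHS = ("_vti_bin", "_layouts", "viewlsts.aspx", "upload.aspx")
NON_BROWSER_UA = ("python-requests", "curl", "Go-http-client", "masscan", "nuclei")
SP_WORKERS = {"w3wp.exe", "owstimer.exe", "microsoft.sharepoint.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
MIN_REQUEST_BYTES = 5000
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed tuning value, not from the page

WebHit = namedtuple("WebHit", "when host client_ip method path status req_bytes user_agent")
ProcEvent = namedtuple("ProcEvent", "when host parent child command_line")


def parse_w3c(text: str, host: str) -> list:
    """Parse W3C extended IIS log text. The #Fields directive names the columns, and
    IIS writes spaces inside values (e.g. User-Agent) as '+', so a plain split is safe."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            hits.append(WebHit(datetime.fromisoformat(f"{row['date']}T{row['time']}"),
                               host, row["c-ip"], row["cs-method"], row["cs-uri-stem"],
                               int(row["sc-status"]), int(row["cs-bytes"]), row["cs(User-Agent)"]))
    return hits


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_web_hit(h, ua_allowlist: tuple = ()) -> bool:
    """Signal A. ua_allowlist is the false-positive knob for backup/migration agents
    that legitimately send large POSTs to _layouts or _vti_bin endpoints."""
    if h.method not in ("POST", "PUT") or h.status not in (200, 500, 503):
        return False
    if not any(p in h.path.lower() for p in SENSITIVE_PATHS) or h.req_bytes <= MIN_REQUEST_BYTES:
        return False
    return not any(a.lower() in h.user_agent.lower() for a in ua_allowlist)


def suspicious_child(e) -> bool:
    """Signal B: a SharePoint worker process spawning a shell or LOLBin."""
    return _basename(e.parent) in SP_WORKERS and _basename(e.child) in SUSPICIOUS_CHILDREN


def correlate(hits, procs, ua_allowlist: tuple = ()) -> list:
    """One alert per (request, child process) pair on the same host where the
    process starts within CORRELATION_WINDOW after the request."""
    alerts = []
    web = [h for h in hits if suspicious_web_hit(h, ua_allowlist)]
    for e in filter(suspicious_child, procs):
        for h in web:
            gap = e.when - h.when
            if h.host == e.host and timedelta(0) <= gap <= CORRELATION_WINDOW:
                alerts.append({"host": h.host, "client_ip": h.client_ip, "path": h.path,
                               "user_agent": h.user_agent, "child_command_line": e.command_line,
                               "non_browser_ua": any(u.lower() in h.user_agent.lower() for u in NON_BROWSER_UA),
                               "seconds_after_request": gap.total_seconds()})
    return alerts


# Constructed sample IIS log for front end SP-WFE01 (W3C extended format).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status cs-bytes sc-bytes time-taken
2026-07-02 10:15:01 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\\alice 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0)+Chrome/125.0 - 200 0 0 612 48213 120
2026-07-02 10:15:05 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CONTOSO\\svc_backup 10.0.0.60 ContosoBackupAgent/4.2 - 200 0 0 2097152 812 950
2026-07-02 10:15:09 10.0.0.5 POST /_vti_bin/UserProfileService.asmx - 443 - 198.51.100.23 python-requests/2.31 - 500 0 0 18732 1204 3110
"""

# Constructed 4688-style process-creation events; the conhost row is a benign control.
SAMPLE_PROC_EVENTS = [
    ProcEvent(datetime(2026, 7, 2, 10, 15, 10), "SP-WFE01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(datetime(2026, 7, 2, 10, 16, 0), "SP-WFE01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]


def run_detection(ua_allowlist: tuple = ()) -> list:
    return correlate(parse_w3c(SAMPLE_IIS_LOG, host="SP-WFE01"), SAMPLE_PROC_EVENTS, ua_allowlist)


if __name__ == "__main__":
    for label, allow in (("untuned", ()), ("backup agent allowlisted", ("ContosoBackupAgent",))):
        alerts = run_detection(allow)
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a["client_ip"], a["path"], "->", a["child_command_line"])
```

Untuned, both large POSTs precede the cmd.exe spawn and produce two alerts; once the backup agent's user agent is allowlisted only the python-requests hit to /_vti_bin/UserProfileService.asmx remains, which is the tuning the false-positive list above describes. The correlation is deliberately one-directional (request first, child process within the window) because a child process that precedes the request has nothing to do with it.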
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-45659 Microsoft SharePoint Server Deserialization RCE above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-45659
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-45659 SharePoint Deserialization Simulation via ysoserial.net
  Expected signal: IIS logs should show POST request to /_vti_bin/UserProfileService.asmx with large cs-bytes; Sysmon Event ID 1 should capture cmd.exe spawned by w3wp.exe with CommandLine containing whoami
- Test 2: SharePoint Worker Process Suspicious Child Simulation
  Expected signal: Sysmon Event ID 1 showing cmd.exe execution with Network Service account; Windows Security Event ID 4688 capturing process creation with suspicious command line arguments
- Test 3: SharePoint Endpoint Fuzzing and Web Shell Upload Detection Test
  Expected signal: Sysmon Event ID 11 (FileCreate) capturing .aspx file creation in SharePoint web directory path; Windows Security Event ID 4663 (file access) if object access auditing is enabled