CVE-2026-45659, a critical Remote Code Execution (RCE) flaw in Microsoft SharePoint, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of early July 2026, confirming its active exploitation in the wild. Attackers can execute arbitrary code on vulnerable Microsoft SharePoint servers, posing a direct and severe threat to critical business data and infrastructure. Organizations should assume compromise if they're running unpatched instances and act immediately, especially as other major incidents like the FortiBleed credential theft campaign linked to INC and Lynx ransomware, Kubota's month-long breach, and a Scattered Spider hacker extradition highlight a highly active and diverse threat landscape.

What Happened

CISA added Microsoft SharePoint RCE vulnerability CVE-2026-45659 to its KEV catalog in early July 2026, confirming active exploitation of the flaw, as reported by BleepingComputer and The Hacker News. While specific technical details or a CVSS score haven't been released, an RCE in SharePoint allows an attacker to run commands at will on the compromised server. This level of access bypasses most security layers, giving attackers a strong foothold.

Simultaneously, a new credential theft campaign dubbed FortiBleed surfaced, actively exploiting vulnerabilities in Fortinet devices. BleepingComputer and The Hacker News report this campaign uses stolen credentials for network intrusion, subsequently deploying INC and Lynx ransomware. Attackers are using this as a direct pipeline to ransomware.

Adding to the week's news, agricultural and construction giant Kubota Corporation disclosed a network breach that persisted for approximately one month, from early May 2026 until detection in early June 2026. The company has not confirmed the type of data exposed or the number of affected users. Separately, US authorities extradited a 19-year-old individual alleged to be a member of the notorious Scattered Spider hacking group, known for social engineering and SIM-swapping against major targets like MGM Resorts in 2023. Beyond CVE-2026-45659, no other new CVEs were added to CISA's KEV catalog in the last seven days, according to available reports.

Why It Matters

A SharePoint RCE hitting the KEV catalog is serious because SharePoint is widely deployed. Most enterprises rely on it for collaboration, document management, and intranet services. An RCE means an attacker can essentially own that server, gaining access to sensitive internal documents, and potentially using the server as a pivot point for lateral movement into the rest of the network. This played out with ProxyLogon in 2021, and the impact was significant.

The FortiBleed campaign hitting Fortinet devices is another major concern. Fortinet appliances often sit at the network edge, acting as critical gateways and VPN concentrators. Compromising these devices provides attackers with an ideal entry point and, more critically, access to valid credentials. Those credentials are valuable for ransomware groups like INC and Lynx, enabling them to bypass MFA (if not properly configured), move laterally using T1078 Valid Accounts, and deploy ransomware rapidly. The link to two distinct ransomware operations underscores the campaign's effectiveness and reach.

Kubota's month-long breach shows that initial access often leads to extended dwell times, allowing for deeper reconnaissance and data exfiltration before detection. The company has not yet confirmed specific data exfiltration, but the prolonged access period suggests a high risk. And the extradition of a Scattered Spider member signals law enforcement's continued focus on disrupting financially motivated cybercrime, although the overall volume of attacks isn't slowing down. These incidents collectively paint a picture of relentless and multifaceted threats.

Affected Scope & Remediation

Any organization running unpatched Microsoft SharePoint servers is exposed to CVE-2026-45659. Given its RCE classification and active exploitation, patching isn't optional; it's an immediate imperative. Federal agencies have a 6-month deadline to patch KEV vulnerabilities, but for everyone else, the clock started ticking the moment CISA added it.

For FortiBleed, organizations with Fortinet devices need to ensure they're patched against known vulnerabilities that could lead to credential theft. Strong authentication, including multi-factor authentication (MFA) with solutions like YubiKey, is essential, especially for any accounts accessing Fortinet administrative interfaces or VPNs. Regularly audit logs for unusual access patterns from Fortinet devices.

Here's what you need to do right now:

Product Version Range Fixed Version
Microsoft SharePoint All unpatched versions (specifics pending vendor advisory) Apply latest security updates (MSFT-specific patch)
Key metrics chart for SharePoint RCE Exploited; FortiBleed Linked to Ransomware
Key metrics — data from sources cited above

While specific patch details for CVE-2026-45659 are pending, the immediate mitigation involves isolating external-facing SharePoint servers. Consider disabling external access temporarily if business operations allow, or place them behind a web application firewall (WAF) to filter malicious requests. For federal agencies, the CVE-2026-45659 remediation deadline is January 2027, six months from its KEV addition.

For FortiBleed, review all Fortinet appliance configurations for unnecessary open ports, default credentials, and ensure logging is enabled and monitored. Solutions like CrowdStrike Falcon or SentinelOne for endpoint detection and response (EDR) can help identify post-exploitation activities like credential dumping or lateral movement, even if the initial Fortinet device exploit isn't caught. Ensure SI-2 Flaw Remediation processes are mature and rapid.

Timeline (Approximate based on KEV listing):

  • Disclosure Date: Not publicly available
  • Patch Release: Not publicly available
  • First Known Exploit: Prior to or around early July 2026 (implied by KEV listing)
  • CISA KEV Listing: Early July 2026
NVD advisory — CVE-2026-45659
NVD advisory — CVE-2026-45659

Technical Breakdown

The CVE-2026-45659 vulnerability in Microsoft SharePoint, being an RCE, likely stems from issues allowing unauthenticated or low-privileged users to inject and execute arbitrary code on the server. Common vectors for SharePoint RCEs include insecure deserialization, improper handling of uploaded files, or vulnerabilities in specific web parts or APIs that don't adequately validate user input. Attackers can find a back door in your office building's network closet; they don't even need a key to the front door, they can just walk in and plug in their own computer. They get immediate, unfettered access to the server. This maps directly to T1190 Exploit Public-Facing Application for initial access and potentially T1068 Exploitation for Privilege Escalation if the initial RCE shell isn't running with SYSTEM privileges.

The FortiBleed campaign, on the other hand, illustrates a multi-stage attack. It starts with T1190 Exploit Public-Facing Application against a Fortinet device to gain initial access. Once inside, attackers use various methods for T1003 OS Credential Dumping, possibly targeting memory or configuration files, to exfiltrate valid credentials. These stolen credentials are then used for T1078 Valid Accounts to perform lateral movement across the network. The final stage involves the T1486 Data Encrypted for Impact using INC or Lynx ransomware and potentially T1490 Inhibit System Recovery by deleting backups or shadow copies. A thief not just picks your front door lock, but also finds your spare house keys and then systematically locks every door from the inside before you realize what's happening. Implementing IA-5 Authenticator Management and strong AC-2 Account Management is vital to prevent credential reuse.

Historical Context

This isn't SharePoint's first encounter with critical, actively exploited RCEs. A prime example is the ProxyLogon vulnerabilities (including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) affecting Microsoft Exchange Server in March 2021. While ProxyLogon targeted Exchange, the scenario was strikingly similar: multiple RCE and privilege escalation flaws chained together, leading to widespread, active exploitation by multiple threat actors, including state-sponsored groups.

Similarities between ProxyLogon and CVE-2026-45659 include the critical nature of the RCE, the widespread impact due to the product's ubiquity in enterprises, and the rapid move to CISA's KEV catalog due to active exploitation. Both underscore the immediate need for patching when such flaws are discovered. The difference lies in the specific software platform and the technical vectors. ProxyLogon involved multiple server-side request forgery, deserialization, and post-authentication arbitrary file write issues, whereas CVE-2026-45659's specific mechanism is still not publicly detailed. However, the operational impact – immediate server compromise – remains the same. This highlights that RA-5 Vulnerability Monitoring and Scanning needs to be constant, not just reactive.

Data at a Glance

Metric Value Source
CVE ID CVE-2026-45659 NVD
Exploitation Status Actively Exploited CISA
CISA KEV Listing Date Early July 2026 BleepingComputer
KEV Deadline for Federal Agencies 6 months CISA
Ransomware Groups Linked to FortiBleed 2 groups BleepingComputer
Kubota Breach Duration 1 month Kubota Corporation disclosure
Scattered Spider Extradition Age 19 years US authorities (unconfirmed by the individual or legal representation)

Our Take

We're seeing a clear trend: critical vulnerabilities in widely used enterprise software, especially collaboration tools and network edge devices, are quickly moving from disclosure to active exploitation. The simultaneous emergence of a SharePoint RCE on CISA's KEV list and a new credential theft campaign hitting Fortinet devices, directly feeding ransomware operations, tells us that attackers are optimizing their initial access vectors and monetization strategies. It’s not enough to patch; we need constant monitoring, strong identity controls, and a clear incident response plan.

The CVEDaily Take

This confluence of active RCE exploitation and a sophisticated credential theft-to-ransomware pipeline presents a serious challenge for network defenders. The CVE-2026-45659 situation highlights the continued criticality of external-facing applications, while FortiBleed shows how quickly initial access can escalate to a full-blown ransomware incident. We question whether the Kubota Corporation's month-long dwell time was due to a lack of kernel-level telemetry or insufficient forensic logging on internal network segments. We think many organizations are not adequately prepared for an attacker that successfully breaches their perimeter and then lingers internally.

Is your team actively hunting for suspicious processes and network connections originating from your SharePoint servers and Fortinet devices, or just waiting for alerts?

FAQ

Q1: What is CVE-2026-45659 and why is it critical?
A1: CVE-2026-45659 is a Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint. It's critical because it allows attackers to execute arbitrary code on vulnerable SharePoint servers, essentially taking full control, and has been confirmed by CISA to be actively exploited in the wild.

Q2: What is the FortiBleed campaign?
A2: FortiBleed is a credential theft campaign targeting Fortinet devices, exploiting vulnerabilities to steal credentials. These stolen credentials are then used by ransomware groups, specifically INC and Lynx, to gain further access to corporate networks and deploy their ransomware strains.

Q3: What's the immediate action for organizations?
A3: Organizations must immediately patch all Microsoft SharePoint servers to mitigate CVE-2026-45659. Additionally, ensure all Fortinet devices are fully patched, enforce strong multi-factor authentication on all administrative and VPN accounts, and actively monitor network traffic and logs for suspicious activity indicative of credential theft or post-exploitation.