SharePoint Is on Fire Again: What CISA's CVE-2026-45659 Warning Means, and How to Hunt It
Download the Active Threats Hunt Pack
12 free Sigma detection rules built from attacks being exploited right now, including SharePoint CVE-2026-45659. MIT licensed, no signup. Every rule compiles cleanly with the current pySigma engine and converts to Splunk, Microsoft Sentinel, Elastic, and QRadar with one command.
If you run SharePoint on-prem, stop what you are doing and check your patch level. On July 2, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog and gave federal agencies until July 4 to patch. That is a two-day deadline. CISA does not hand those out unless something is actively burning.
We built a free detection pack for exactly this situation. It is 12 Sigma rules mapped to what attackers are doing in the wild this week, and you can grab it and run it today. First, here is why this one matters.
What CISA actually announced
CVE-2026-45659 is a remote code execution flaw in Microsoft SharePoint Server. It scores an 8.8 and comes from unsafe deserialization of untrusted data. An attacker sends a crafted serialized payload, SharePoint rebuilds and runs it inside the worker process (w3wp.exe) under the application pool identity, and now the attacker is executing code on your server.
The uncomfortable part is the timeline. Microsoft actually patched this in the May 2026 cycle, but rated exploitation as “less likely.” CISA has now confirmed it is being exploited in the real world, which is why it landed on the KEV list with a hard deadline. If you assumed a May patch you skipped was low risk, that assumption just expired.
You can read the CISA catalog entry here: cisa.gov/known-exploited-vulnerabilities-catalog.
Who is behind it
The activity is tied to Storm-2603, tracked by Sophos as GOLD SALEM, a suspected China-based group that has been hitting on-prem SharePoint since mid-2025. Their goal here is ransomware. They use this foothold to stage Warlock, and in some intrusions LockBit Black and x2anylock as well.
What makes this crew worth studying is that they barely use malware. They live off the land, leaning on legitimate tools so their activity blends into normal admin behavior. Their playbook looks like this:
- They pull the legitimate Velociraptor DFIR tool as
v2.msifrom attacker-controlled Cloudflare Workers subdomains (the.workers.devhosts), then use it as a quiet command channel. - They set up redundant remote access through VS Code tunnels, Cloudflare tunnels, Zoho Assist, SSH, and now TightVNC dropped silently as a service with PsExec.
- They run
masscanfor fast internal recon. - They launch the ransomware with DLL search-order hijacking, pairing the signed Windows Defender binary
MpCmdRun.exewith a spoofedMpclient.dll. - They kill security tools at the kernel with a bring-your-own-vulnerable-driver trick using the
NSecKrnl.sysdriver. - They create rogue local admin accounts (
backupadmin,admin_gpo) so they can get back in.
None of that trips a signature scanner, because most of it is real software being used for the wrong reasons. You catch it by hunting behavior, not files.
What the detection pack looks for
We packaged the hunt into 12 Sigma rules. Sigma is vendor-neutral, so the same rule converts to Splunk, Microsoft Sentinel, Elastic, QRadar, and more with one command. Every rule is tied to a real, dated campaign, and all 12 compile cleanly with the current pySigma engine.
Here is what each rule hunts:
The initial break-in. One rule flags the SharePoint worker process w3wp.exe spawning a command interpreter like cmd, PowerShell, or csc. That parent-child relationship is the clearest sign of CVE-2026-45659 exploitation. A second rule watches for new .aspx files written into the SharePoint LAYOUTS directory, which is where web shells get dropped.
The tooling and remote access. Separate rules catch Velociraptor or an MSI pulled from a .workers.dev host, VS Code launched with the tunnel option, cloudflared opening a tunnel, and Zoho Assist running where it should not. These are the channels the attacker uses to stay in and move data out.
The recon and the payload. One rule flags masscan and its high-rate scanning. Another catches the MpCmdRun.exe side-loading a Mpclient.dll from the wrong path, which is how Warlock actually launches. Another watches for the NSecKrnl.sys and other known EDR-killer drivers loading at the kernel.
The persistence. Rules cover rogue local admin creation with those specific account names, and remote access services like TightVNC or PsExec’s PSEXESVC being installed.
The credential theft. A final rule flags any non-browser process reading browser credential stores, which is the core move of the infostealers surging in mid-2026 like StealC, Amadey, and CastleStealer.
These are hunt-grade rules, not fire-and-forget alerts. A few of them (VS Code tunnels, Cloudflare tunnels, PsExec, Zoho Assist) will fire on legitimate use if those tools are sanctioned in your shop. Start in hunt mode, baseline what is normal, filter your known-good hosts, then promote the high-confidence ones to alerts. The pack ships with tuning notes for each.
Speed is the reason to move now. The fastest quarter of 2026 intrusions reached data exfiltration in about 72 minutes. If you are only looking at the encryption stage, you are already too late.
How to mitigate
Detection buys you time, but closing the door is what ends the risk. In rough priority order:
- Patch SharePoint now. Apply the Microsoft fix for
CVE-2026-45659across Subscription Edition, 2019, and 2016. If you cannot patch immediately, treat the server as exposed and watch it closely. - Hunt for compromise before you assume you are clean. A patch does not evict an attacker who is already in. Run the pack, and look specifically for the web shells, the rogue admin accounts, and the remote access tunnels described above.
- Lock down outbound tunnels and RMM. Block or alert on
cloudflared, VS Code tunnels, and any remote access tool you have not sanctioned. These are how the attacker keeps a way back in. - Turn on the telemetry the rules need. Deploy Sysmon or enable command-line process auditing, driver-load logging, and Windows service install events. Without that data, none of this is visible.
- Enforce MFA and least privilege. Rogue local admins and reused passwords do a lot of the work in these intrusions. Strong identity controls blunt the persistence.
- Enable tamper protection and monitor for BYOVD. Watch for known vulnerable drivers loading, and protect your EDR from being disabled.
This same discipline pays off beyond SharePoint. Qilin ransomware affiliates are exploiting the Check Point VPN auth-bypass CVE-2026-50751 right now using the same patch-then-hunt problem, and the fix there is to disable the deprecated IKEv1 protocol and apply Check Point’s hotfix.
Grab the pack
The full detection pack is free, MIT licensed, no signup. Fork it, run it against your telemetry, and tune it for your environment. If it helps you catch something, that is the whole point.
At ThreatHunter.ai, hunting the threats other tools miss is what we do every day. This is a piece of that work, shared with the community, because a SharePoint server getting ransomed on a two-day CISA deadline is everyone’s problem. If you want a hand running it against your environment, talk to us.
Stay patched, and go hunt.
ThreatHunter.ai • Brea, CA • Active Threats Hunt Pack • 12 Sigma rules • MIT licensed • Covers CISA KEV CVE-2026-45659 (SharePoint Server RCE), Storm-2603 / GOLD SALEM, and Warlock ransomware