A list item update becomes remote code execution on SharePoint
An admin at a mid-size hospital IT shop watches the CISA KEV alert land on the evening of July 1, 2026. CVE-2026-45659 is now on the catalog and federal agencies have until July 4 to patch, three days out over a national holiday. Her SharePoint Subscription Edition farm was supposedly patched in the May 2026 cumulative update, but one application server has been sitting on the pre-fix build because the change ticket stalled behind an approval. Microsoft's own advisory rated the flaw "Exploitation Less Likely" in May, and the CVE was quietly absent from the initial May Security Updates release notes. Six weeks later a low-privilege insider on that one server has a working path to remote code execution.
The Site Member permission that opens the door
Every SharePoint deployment grants a wide interior. Anyone in the Site Members group holds Contribute rights, the permission you assign to normal staff so they can add, edit, and delete items in shared lists and libraries. It is the standard corporate default because SharePoint is meant to be collaborative, and it is what every intern, contractor, and cross-team member inherits the moment they are invited to a site. The bar Microsoft describes in its advisory is precisely that: a minimum of Site Member permissions, not an admin or farm operator role. The vulnerability therefore lives inside every SharePoint environment with more than a handful of active users, and even a purely internal farm sits one compromised employee credential away from a valid starting position.
The LosFormatter call inside a list item update
SharePoint list items are richer than they look. Each list carries a schema of field definitions, and custom field types let developers or third-party solutions store structured objects inside a field value. When SharePoint persists such a field it routes through a serialization path in Microsoft.SharePoint.Library. On vulnerable builds that path invokes LosFormatter.Deserialize on the field value carried in an SPListItem.Update() call, treating attacker-controlled bytes as a trusted ASP.NET ViewState-style payload. Classification is CWE-502, Deserialization of Untrusted Data, and the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H lands at 8.8.
LosFormatter is the ASP.NET-era serializer behind ViewState. It handles arbitrary object graphs through reflection and, on the vulnerable path, has no type binder or allow-list to constrain what it will instantiate. An attacker who can drop a payload shaped like a serialized __VIEWSTATE object into a custom field value, then trigger an update through a normal REST or CSOM call against endpoints such as _api/web/lists or _vti_bin/Lists.asmx, hands SharePoint a graph the deserializer rebuilds into any type chain the operator wants. Public ysoserial gadgets exist for exactly this deserializer, so exploitation is closer to configuration than research. Help Net Security and independent write-ups both note that the missing piece was type filtering on the way in, not the deserializer itself.
Why Microsoft's "Exploitation Less Likely" tag did not survive contact with the internet
Microsoft assigned an Exploitation Less Likely rating at disclosure in May 2026, and the CVE was inadvertently absent from the initial May 2026 Security Updates release notes until Microsoft filed a security note telling administrators the patch was already in the cumulative update. Between those two signals, a lot of patch queues let this one sit on the next window pile. That call was reasonable given the advisory in hand, and it was wrong. On July 1, CISA added CVE-2026-45659 to KEV citing evidence of active in-the-wild exploitation and set FCEB agencies a July 4 deadline. Public reporting has not attributed a specific threat actor yet, though on-prem SharePoint has been a durable ransomware and access-broker target through 2025 and 2026. Microsoft's tag was a prediction. The KEV listing is a measurement.
The CVSS 8.8 bucket is where an emergency hides
A CVSS 8.8 on a Tuesday morning shares its severity bucket with dozens of other findings, and a scanner that sorts by base score alone treats them as roughly equivalent. Add Microsoft's Exploitation Less Likely tag and any queue that folds vendor exploitability guidance into its priority calculation would push CVE-2026-45659 further down the list. That is the gap KEV was designed to close, and it is where a scoring engine that only reads the base vector loses. The real question is whether this SharePoint farm is reachable to a Site Member, running an unpatched build, and holding anything an attacker cares about. A CVSS-first queue cannot answer any of those on its own.
Reading CVE-2026-45659 through the TRIS layers
TRIS, the Threat and Risk Intelligence Scoring engine inside CVEasy AI, prices a finding against the specific asset it lives on rather than the generic CVE, and four layers do the work here.
Exploitation evidence. The July 1, 2026 KEV listing with a July 4 federal deadline moves the finding into the ACT band, the top tier reserved for confirmed abuse. TRIS keeps the distinction between "confirmed in-the-wild exploitation per CISA" and "PoC public but no in-wild reports" so a finding without KEV backing does not silently ride the same score.
Configuration and exposure. The finding only matures on SharePoint Servers below the May 2026 fixed builds. TRIS reads the running build directly rather than inferring from the last recorded patch date, because SharePoint farms frequently drift when one web front end catches an update and another does not. It also weighs whether Site Member permissions extend to a broad audience group, guest users, or partner federations, since a farm with tight membership prices differently from one that accepts every domain user.
Blast radius. SharePoint sits above the documents, forms, workflows, and service-account credentials it hosts. Code execution on the server is a straight line to the content database and to the SharePoint service accounts, which often hold rights into Exchange, Active Directory, and an integrated Microsoft 365 tenant. TRIS follows the asset relationship graph so those downstream identities surface as part of the finding, not as a separate ticket.
Environmental fit. An internet-reachable Subscription Edition farm on the pre-May build with a production Microsoft 365 tenant on the other side prices at the top of the ACT band. A lab farm behind a VPN with three users prices near the floor. Same CVE, two different real exposures.
The patch, the machine-key rotation, and the hunt
Apply the May 2026 SharePoint updates to every farm application server. Confirm builds directly: SharePoint Server Subscription Edition at 16.0.19725.20280 or later, SharePoint Server 2019 at 16.0.10417.20128 or later, SharePoint Enterprise Server 2016 at 16.0.5552.1002 or later. Farm drift is the failure mode, so verify every web front end and application server independently rather than trusting the change record.
Where patching is genuinely blocked before July 4, restrict the farm to internal networks, revoke external sharing invitations that map to Contribute rights, and audit which security groups grant Site Member on high-value site collections. None of those are substitutes for the patch, and every day past July 4 without one narrows the window in which containment carries any meaning.
For hunting, pull IIS logs from the web front ends and look for large POST bodies against list update endpoints such as _api/web/lists and _vti_bin/Lists.asmx originating from Site Member accounts. On the servers themselves, watch for unexpected child processes of the w3wp.exe worker (PowerShell, cmd.exe, rundll32, or unknown binaries under the SharePoint install path), because a successful deserialization gadget will spawn one. Any server that ran unpatched and was internet-reachable in the exploitation window should have its machine key, farm passphrase, and SharePoint service account credentials rotated, because a ViewState-shaped gadget can lift the ValidationKey and DecryptionKey on its way through and give the operator a persistent forgery primitive that outlives the patch.
How CVEasy AI surfaces this
CVEasy AI, the number one local-first CTEM platform, ingests KEV, vendor advisories, and confirmed exploitation reports as they land, cross-references them against the SharePoint farms in your inventory, and runs TRIS on the intersection. On the morning of July 2 that meant a single top-of-queue item for every operator running a SharePoint build below the May 2026 fixed level, with the specific web front ends listed, the fixed build target spelled out, the machine-key rotation scope attached as follow-up, and the July 4 deadline pulled onto the ticket. Inventory, farm configuration, and audit logs stay on your hardware, because the map of who holds Contribute rights on which site collection is not something you want stored in someone else's tenant.
Sources: The Hacker News (July), The Hacker News (May), The Register, SecurityWeek, SecurityAffairs, Help Net Security, NVD, SOCRadar, CISA KEV catalog