CISA Warns Microsoft SharePoint Flaw Is Actively Exploited
CISA warns hackers are actively exploiting a Microsoft SharePoint vulnerability that allows remote code execution on unpatched servers. The flaw, tracked as CVE-2026-45659, has a high-severity rating and now appears in CISA’s Known Exploited Vulnerabilities Catalog.
The warning puts new pressure on organizations running affected SharePoint versions to apply Microsoft’s May security updates.
Microsoft SharePoint Vulnerability Added to CISA KEV Catalog
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog after confirming active exploitation.
The flaw affects unpatched SharePoint servers and can allow attackers to execute code remotely. That makes it especially dangerous for organizations that expose SharePoint infrastructure to users, partners, or the internet.
How the SharePoint Flaw Works
CVE-2026-45659 stems from the deserialization of untrusted data.
According to Microsoft, an attacker with low-level authenticated access could exploit the vulnerability. A user with Site Member permissions may have enough access to trigger the flaw.
The attack does not require administrator privileges. It also does not require user interaction, which increases the risk for vulnerable SharePoint environments.
If attackers exploit the flaw successfully, they can achieve remote code execution on affected servers.
Affected SharePoint Versions
Microsoft released security fixes for several SharePoint products on May 21, 2026.
The affected versions include:
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Microsoft also said the CVE had accidentally been left out of the May 2026 Security Updates list. That omission may have caused some administrators to miss the update during normal patch review.
Organizations using any affected SharePoint version should confirm that they installed the correct May security updates.
Federal Agencies Must Patch by Saturday
CISA ordered U.S. federal civilian agencies to secure affected SharePoint servers by Saturday, July 4, 2026.
The order falls under Binding Operational Directive 26-04. The directive requires agencies to prioritize vulnerabilities based on active exploitation, automation risk, internet exposure, and the level of attacker control after exploitation.
If agencies cannot apply mitigations, they may need to stop using affected products until they can secure them.
Via BleepingComputer