Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. CISA: Microsoft SharePoint RCE Flaw Now Actively Exploited
CISA: Microsoft SharePoint RCE Flaw Now Actively Exploited
NEWS

CISA: Microsoft SharePoint RCE Flaw Now Actively Exploited

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation of a high-severity SharePoint...

Dylan H.

News Desk

July 2, 2026
3 min read

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, confirming active in-the-wild exploitation of a high-severity remote code execution flaw in Microsoft SharePoint. The vulnerability stems from deserialization of untrusted data and allows authenticated attackers holding only minimal Site Member permissions to execute arbitrary code on unpatched servers — no administrator access required.

What Is the Vulnerability?

CVE-2026-45659 is a deserialization-of-untrusted-data flaw in SharePoint that Microsoft patched on May 21, 2026. Despite being released outside the main May 2026 Patch Tuesday rollout, the patch is critical: the attack requires low complexity and no user interaction, making exploitation straightforward for any threat actor with access to an authenticated SharePoint account — a bar easily cleared through phishing or credential stuffing.

Microsoft has confirmed the lack of privilege requirements: "Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges."

Exposure and Federal Deadline

Shadowserver's tracking data shows more than 10,000 SharePoint servers are directly exposed to the internet globally, providing a significant attack surface. Under Binding Operational Directive 26-04, federal civilian agencies were given until July 5, 2026 — just three days after the KEV addition — to either apply the patch or discontinue use of affected systems.

This tight window reflects CISA's elevated concern. SharePoint has now accumulated 11 CVEs in the KEV catalog since 2021, with 7 of those directly tied to ransomware operations, making it one of the higher-risk enterprise platforms when left unpatched.

Affected Products

All three on-premises SharePoint editions are confirmed vulnerable:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

Note that SharePoint Online (Microsoft 365) is not affected, as Microsoft manages patching for cloud-hosted environments directly.

Recommendations

Security teams should treat this as a critical priority:

  1. Apply the May 21, 2026 patch across all on-premises SharePoint instances immediately.
  2. Audit Site Member access — any authenticated user is a potential attack vector, including compromised employee accounts.
  3. Review internet-exposed SharePoint portals and consider restricting access via VPN or firewall rules if patching cannot be completed immediately.
  4. Monitor for post-exploitation indicators: unusual process spawning from SharePoint worker processes, lateral movement from SharePoint servers, or unexpected outbound connections.

Given the 7-out-of-11 ransomware connection rate for SharePoint KEV entries, defenders should also ensure backup integrity and incident response playbooks are current — a successful exploit here often serves as the initial foothold for a much larger intrusion.

#Vulnerability#Microsoft#CISA#RCE#Security Updates

Related Articles

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across

Microsoft has released updates fixing CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in SharePoint Server that requires no specialized.

3 min read

CISA Orders Federal Agencies to Patch n8n RCE Flaw

CISA mandated all federal civilian agencies patch CVE-2025-68613, a CVSS 9.9 remote code execution flaw in the n8n workflow automation platform, after...

4 min read

CISA Orders Feds to Prioritize Patching Langflow Auth Bypass Flaw

CISA added CVE-2026-55255, a CVSS 9.9 IDOR authorization bypass in Langflow, to its Known Exploited Vulnerabilities catalog on July 7, ordering U.S. federal agencies to patch under the accelerated 3-day deadline of new Binding Operational Directive BOD 26-04.

6 min read
Back to all News