CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, confirming active in-the-wild exploitation of a high-severity remote code execution flaw in Microsoft SharePoint. The vulnerability stems from deserialization of untrusted data and allows authenticated attackers holding only minimal Site Member permissions to execute arbitrary code on unpatched servers — no administrator access required.
What Is the Vulnerability?
CVE-2026-45659 is a deserialization-of-untrusted-data flaw in SharePoint that Microsoft patched on May 21, 2026. Despite being released outside the main May 2026 Patch Tuesday rollout, the patch is critical: the attack requires low complexity and no user interaction, making exploitation straightforward for any threat actor with access to an authenticated SharePoint account — a bar easily cleared through phishing or credential stuffing.
Microsoft has confirmed the lack of privilege requirements: "Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges."
Exposure and Federal Deadline
Shadowserver's tracking data shows more than 10,000 SharePoint servers are directly exposed to the internet globally, providing a significant attack surface. Under Binding Operational Directive 26-04, federal civilian agencies were given until July 5, 2026 — just three days after the KEV addition — to either apply the patch or discontinue use of affected systems.
This tight window reflects CISA's elevated concern. SharePoint has now accumulated 11 CVEs in the KEV catalog since 2021, with 7 of those directly tied to ransomware operations, making it one of the higher-risk enterprise platforms when left unpatched.
Affected Products
All three on-premises SharePoint editions are confirmed vulnerable:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Note that SharePoint Online (Microsoft 365) is not affected, as Microsoft manages patching for cloud-hosted environments directly.
Recommendations
Security teams should treat this as a critical priority:
- Apply the May 21, 2026 patch across all on-premises SharePoint instances immediately.
- Audit Site Member access — any authenticated user is a potential attack vector, including compromised employee accounts.
- Review internet-exposed SharePoint portals and consider restricting access via VPN or firewall rules if patching cannot be completed immediately.
- Monitor for post-exploitation indicators: unusual process spawning from SharePoint worker processes, lateral movement from SharePoint servers, or unexpected outbound connections.
Given the 7-out-of-11 ransomware connection rate for SharePoint KEV entries, defenders should also ensure backup integrity and incident response playbooks are current — a successful exploit here often serves as the initial foothold for a much larger intrusion.