CISA adds Microsoft SharePoint RCE to exploited vulnerabilities list after active attacks emerge
CISA has placed a Microsoft SharePoint remote code execution flaw into its Known Exploited Vulnerabilities catalog after determining that the issue is being used in active attacks.The vulnerability, t...
CISA has placed a Microsoft SharePoint remote code execution flaw into its Known Exploited Vulnerabilities catalog after determining that the issue is being used in active attacks.
The vulnerability, tracked as CVE-2026-45659, affects on-premises SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft patched the flaw in May, but the agency’s addition to the KEV list indicates that threat actors are now taking advantage of it in the wild.
The bug is tied to insecure deserialization and does not require pre-authentication. However, exploitation is still accessible to attackers who have legitimate access to a SharePoint environment. Microsoft said an authenticated user with as little as Site Member permissions could trigger remote code execution on a vulnerable server over the network.
What Microsoft and CISA say
- Microsoft rated the issue as difficult to exploit in real-world scenarios when the patch was released, describing exploitation as less likely.
- CISA’s KEV listing shows that active exploitation has since been confirmed.
- The flaw carries a CVSS score of 8.8, reflecting a high-severity impact.
CISA did not identify the attackers or say how many organizations may already be affected. Still, the agency warned that vulnerabilities of this type are commonly abused and can present substantial risk to federal systems.
Federal civilian agencies have been told to follow Binding Operational Directive 26-04 and apply Microsoft’s fix by July 4. If mitigation is not possible, agencies are expected to stop using the affected products.
The situation highlights a familiar pattern in vulnerability response: once patches are public, attackers often move quickly to reverse engineer them and target systems that have not yet been updated. For organizations running internet-facing SharePoint servers, the new KEV entry is a clear signal to verify patch status and reduce exposure immediately.
