Microsoft SharePoint Servers Under Attack: CISA Warns of Actively Exploited Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning to organizations using Microsoft SharePoint servers, indicating that attackers have begun exploiting a high-severity vulnerability in the platform. Tracked as CVE-2026-45659, this remote code execution flaw allows low-privileged attackers to execute arbitrary code on unpatched SharePoint servers with ease.
The vulnerability stems from a deserialization of untrusted data weakness, which Microsoft explains can be triggered by an authenticated attacker with minimal permissions – specifically, Site Member (PR:L) privileges. This means that even users who are not administrators or have elevated privileges can exploit the flaw and execute code remotely on the SharePoint server. The attack vector is considered network-based (AV:N), as it can be exploited from the internet, and the complexity of the attack is deemed low (AC:L), making it a potentially lucrative target for attackers.
Microsoft had actually released security updates to address this vulnerability back in May 2026, but accidentally left out the CVE reference. The company has since acknowledged that the flaw was being actively exploited by attackers. Internet security watchdog group Shadowserver estimates that over 10,000 SharePoint servers are exposed online, although it’s unclear how many of these devices have already been secured against ongoing attacks.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV), which requires federal agencies to prioritize patching based on a set of criteria. The agency is urging all organizations to take immediate action and secure their servers, particularly those that are publicly exposed online or can be exploited for large-scale attacks.
This latest warning from CISA comes as no surprise, given the agency’s long-standing concerns about Microsoft SharePoint vulnerabilities. Since 2021, CISA has tagged 11 such vulnerabilities that have been abused in the wild, with seven of them also exploited in ransomware attacks. The fact that this particular flaw is being actively exploited highlights the need for organizations to prioritize patching and take a proactive approach to security.
As a practical takeaway, it’s essential for organizations to regularly test their systems and ensure they are up-to-date with the latest security patches. This includes not only SharePoint servers but also all other systems and software that may be vulnerable to exploitation. By staying ahead of potential threats and taking swift action when vulnerabilities are identified, organizations can significantly reduce their risk exposure and protect against costly cyber attacks.
Source: Bleeping Computer — 2026-07-02