CISA: Microsoft SharePoint RCE flaw now actively exploited

A Critical SharePoint Flaw is Being Actively Exploited by Hackers, Says CISA

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a high-severity vulnerability in Microsoft’s SharePoint platform is being exploited by attackers. This flaw, tracked as CVE-2026-45659, allows hackers to execute arbitrary code on unpatched SharePoint servers with just low-level permissions. The vulnerability was first reported last month and has since been added to CISA’s Known Exploited Vulnerabilities Catalog (KEV).

The exploit works by taking advantage of a deserialization issue in SharePoint, which occurs when the platform processes malicious data sent from an authenticated attacker. This can happen even if the attacker doesn’t have administrative privileges. In fact, Microsoft explains that any authenticated user with Site Member permissions or higher can trigger this vulnerability, making it a low-complexity attack.

The vulnerability was first discovered by Microsoft in May and subsequently addressed through security updates for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. However, according to the internet security watchdog group Shadowserver, over 10,000 SharePoint servers remain exposed online, leaving them vulnerable to attacks.

CISA has added CVE-2026-45659 to its KEV catalog, which requires US federal agencies to prioritize patching based on several factors, including whether the vulnerability is actively being exploited and whether it can be automated for large-scale attacks. This move follows a trend of CISA adding critical vulnerabilities to its catalog in recent months. Since 2021, the agency has tagged over 11 Microsoft SharePoint vulnerabilities that have been abused by hackers.

The inclusion of CVE-2026-45659 in the KEV catalog has significant implications for federal agencies and organizations using SharePoint. The CISA warning emphasizes the importance of patching this vulnerability immediately to prevent potential attacks. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the agency warned.

For security teams, this serves as a reminder that even seemingly low-level vulnerabilities can have devastating consequences if left unpatched. With over 10,000 SharePoint servers exposed online, it’s essential to prioritize patching and take proactive measures to prevent attacks. As CISA advises, stakeholders must evaluate each asset’s internet exposure and ensure adherence to patching guidelines.

Ultimately, this incident highlights the importance of staying vigilant in the face of emerging threats. It’s crucial for organizations to regularly test their systems and defenses to identify vulnerabilities before attackers do. By taking proactive steps to secure their infrastructure, security teams can prevent potential attacks and protect sensitive data from falling into the wrong hands.


Source: Bleeping Computer — 2026-07-02