CISA: Microsoft SharePoint RCE flaw now actively exploited

Brajeshwar1 pts0 comments

CISA: Microsoft SharePoint RCE flaw now actively exploited

Home<br>News<br>Security<br>CISA: Microsoft SharePoint RCE flaw now actively exploited

CISA: Microsoft SharePoint RCE flaw now actively exploited

By Sergiu Gatlan

July 2, 2026

06:52 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability.

Tracked as CVE-2026-45659, this security flaw stems from a deserialization of untrusted data weakness, and it allows attackers with low privileges to execute arbitrary code on unpatched SharePoint servers in low-complexity attacks that don't require user interaction.

"Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server," Microsoft explains.

"The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component."

Microsoft released security updates for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition to address this vulnerability on May 21, saying that the CVE had been accidentally omitted from the May 2026 Security Updates.

Internet security watchdog group Shadowserver is currently tracking over 10,000 SharePoint servers exposed online. However, there is no information regarding how many of these devices have already been secured against ongoing CVE-2026-45659 attacks.

SharePoint servers exposed online (Shadowserver)

​With the April 2026 Patch Tuesday, Microsoft addressed another SharePoint vulnerability that was exploited in zero-day attacks.

On Wednesday, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by Saturday, as required by Binding Operational Directive (BOD) 26-04.

BOD 26-04 was issued last month and requires U.S. federal agencies to prioritize patching based on whether the security flaw is included in CISA's KEV catalog, whether exploitation can be automated for large-scale attacks, whether the asset is publicly exposed online, and whether successful exploitation grants attackers partial or total control of the targeted device.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned yesterday. "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."

Since 2021, CISA has tagged 11 Microsoft SharePoint vulnerabilities that have been abused in the wild, with seven of them also exploited in ransomware attacks.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Related Articles:

CISA sets urgent deadline to fix Cisco flaw exploited in attacks<br>CISA orders feds to patch max severity Joomla plugin flaw by Friday<br>CISA gives feds three days to patch Ivanti flaw exploited as zero-day<br>CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks<br>Palo Alto Networks firewall zero-day exploited for nearly a month

Actively Exploited

CISA

Microsoft

Microsoft SharePoint

RCE

Remote Code Execution

Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

U.S. offers $10 million for hackers targeting WhatsApp, Signal users

Hackers target Microsoft 365 accounts with 81 million login attempts

CISA: Windows BlueHammer flaw now exploited by ransomware gangs

Sponsor Posts

Build a GRC agent in minutes, no code. Get early access to Agent Studio.

CTI Starter Kit + 2026 SANS CTI Survey

Turn Indicators into Actionable Intelligence in OpenCTI with Criminal IP

Stay one step ahead of new threats in the new year. Join Huntress for the monthly Tradecraft Tuesday.

See how Pixellot discovered and secured hundreds of unmanaged AI agent identities in weeks, not months. Read the...

sharepoint cisa exploited microsoft flaw security

Related Articles