CISA Adds Actively Exploited SharePoint RCE (CVE-2026-45659) to KEV Catalog
július 13, 2026 • César Daniel Barreto
On July 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2026-45659 and rated CVSS 8.8, the vulnerability came with an unusually tight remediation window: the Binding Operational Directive deadline for federal agencies was set for July 4, 2026, just three days after listing.
A deserialization flaw in SharePoint Server
CVE-2026-45659 is a remote code execution vulnerability caused by deserialization of untrusted data. It affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires authenticated access — but only at the low “Site Member” level, with no administrative or elevated privileges needed — and can be carried out over the network. That low bar is what makes it dangerous: any SharePoint deployment with self-service sign-up or broadly granted membership is a realistic target.
Patched in May, exploited by July
Microsoft shipped fixes for the flaw back in May 2026, so organizations that patch promptly are already protected. The risk lives in the gap between patch availability and deployment — CISA’s KEV listing means the vulnerability is being exploited in the wild now, roughly two months after the fix was published. Notably, Microsoft’s own advisory tags the bug with an “Exploitation Less Likely” assessment, a useful reminder that vendor exploitability ratings and real-world attacker behavior do not always line up.
What to do now
If you run SharePoint Server Subscription Edition, 2019, or Enterprise 2016, apply Microsoft’s May 2026 security updates immediately if you have not already. SharePoint has been a repeated target for ransomware crews and state-linked actors, and an authenticated RCE that needs only Site Member access is exactly the kind of foothold those groups look for. Review who holds membership on internet-facing SharePoint sites, tighten self-registration, and closely monitor any server that stayed unpatched after May for signs of compromise.

César Dániel Barreto
César Daniel Barreto elismert kiberbiztonsági író és szakértő, aki mélyreható ismereteiről és képességéről ismert, hogy egyszerűsítse a bonyolult kiberbiztonsági témákat. Kiterjedt tapasztalattal rendelkezik a hálózatbiztonság és az adatvédelem terén, rendszeresen hozzájárul betekintő cikkekkel és elemzésekkel a legújabb kiberbiztonsági trendekről, oktatva mind a szakembereket, mind a nagyközönséget.