CISA Adds Actively Exploited SharePoint RCE (CVE-2026-45659) to KEV Catalog
7월 13, 2026 • César Daniel Barreto
On July 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2026-45659 and rated CVSS 8.8, the vulnerability came with an unusually tight remediation window: the Binding Operational Directive deadline for federal agencies was set for July 4, 2026, just three days after listing.
A deserialization flaw in SharePoint Server
CVE-2026-45659 is a remote code execution vulnerability caused by deserialization of untrusted data. It affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires authenticated access — but only at the low “Site Member” level, with no administrative or elevated privileges needed — and can be carried out over the network. That low bar is what makes it dangerous: any SharePoint deployment with self-service sign-up or broadly granted membership is a realistic target.
Patched in May, exploited by July
Microsoft shipped fixes for the flaw back in May 2026, so organizations that patch promptly are already protected. The risk lives in the gap between patch availability and deployment — CISA’s KEV listing means the vulnerability is being exploited in the wild now, roughly two months after the fix was published. Notably, Microsoft’s own advisory tags the bug with an “Exploitation Less Likely” assessment, a useful reminder that vendor exploitability ratings and real-world attacker behavior do not always line up.
What to do now
If you run SharePoint Server Subscription Edition, 2019, or Enterprise 2016, apply Microsoft’s May 2026 security updates immediately if you have not already. SharePoint has been a repeated target for ransomware crews and state-linked actors, and an authenticated RCE that needs only Site Member access is exactly the kind of foothold those groups look for. Review who holds membership on internet-facing SharePoint sites, tighten self-registration, and closely monitor any server that stayed unpatched after May for signs of compromise.

세자르 다니엘 바레토
세자르 다니엘 바레토는 존경받는 사이버 보안 작가이자 전문가로, 복잡한 사이버 보안에 대한 심도 있는 지식과 복잡한 사이버 보안 주제를 단순화하는 능력으로 유명합니다. 네트워크 보안 및 데이터 보호에 대한 폭넓은 경험을 바탕으로 보안 및 데이터 보호 분야에서 폭넓은 경험을 쌓은 그는 정기적으로 최신 사이버 보안 트렌드에 대한 사이버 보안 트렌드에 대한 통찰력 있는 기사와 분석을 정기적으로 제공하고 있습니다.