CISA Adds Actively Exploited SharePoint RCE (CVE-2026-45659) to KEV Catalog

juli 13, 2026 • César Daniel Barreto

On July 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2026-45659 and rated CVSS 8.8, the vulnerability came with an unusually tight remediation window: the Binding Operational Directive deadline for federal agencies was set for July 4, 2026, just three days after listing.

A deserialization flaw in SharePoint Server

CVE-2026-45659 is a remote code execution vulnerability caused by deserialization of untrusted data. It affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires authenticated access — but only at the low “Site Member” level, with no administrative or elevated privileges needed — and can be carried out over the network. That low bar is what makes it dangerous: any SharePoint deployment with self-service sign-up or broadly granted membership is a realistic target.

Patched in May, exploited by July

Microsoft shipped fixes for the flaw back in May 2026, so organizations that patch promptly are already protected. The risk lives in the gap between patch availability and deployment — CISA’s KEV listing means the vulnerability is being exploited in the wild now, roughly two months after the fix was published. Notably, Microsoft’s own advisory tags the bug with an “Exploitation Less Likely” assessment, a useful reminder that vendor exploitability ratings and real-world attacker behavior do not always line up.

What to do now

If you run SharePoint Server Subscription Edition, 2019, or Enterprise 2016, apply Microsoft’s May 2026 security updates immediately if you have not already. SharePoint has been a repeated target for ransomware crews and state-linked actors, and an authenticated RCE that needs only Site Member access is exactly the kind of foothold those groups look for. Review who holds membership on internet-facing SharePoint sites, tighten self-registration, and closely monitor any server that stayed unpatched after May for signs of compromise.

César Daniel Barreto, Cybersecurity Author at Security Briefing

César Daniel Barreto

César Daniel Barreto är en uppskattad cybersäkerhetsskribent och expert, känd för sin djupgående kunskap och förmåga att förenkla komplexa ämnen inom cybersäkerhet. Med lång erfarenhet inom nätverkssäkerhet nätverkssäkerhet och dataskydd bidrar han regelbundet med insiktsfulla artiklar och analyser om de senaste cybersäkerhetstrender och utbildar både yrkesverksamma och allmänheten.

sv_SESwedish