SharePoint remote code execution flaw added to CISA KEV after active exploitation
CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.
- Check: Confirm the May 2026 SharePoint updates are applied to all on-premises servers, restrict internet exposure, and hunt for web shells, unexpected scheduled tasks, and unauthorized file changes on internet-facing SharePoint.
- Affected: On-premises SharePoint Server Subscription Edition, 2019, and Enterprise 2016 missing the May 2026 patch (CVE-2026-45659); any authenticated user with Site Member permissions can run code remotely on the server.
- Fix: Apply Microsoft's May 2026 SharePoint updates now, limit SharePoint to trusted networks or a VPN, tighten privileged access, and run a compromise assessment on internet-facing servers given confirmed exploitation.