CISA orders federal agencies to patch an actively exploited SharePoint code-execution flaw by July 4
Microsoft rated CVE-2026-45659 "exploitation less likely" and shipped the fix in May. Two months later it is on the federal must-patch list.

Janet Torvalds
July 3, 2026
The U.S. Cybersecurity and Infrastructure Security Agency added a Microsoft SharePoint Server bug to its Known Exploited Vulnerabilities catalog on July 1, and told federal civilian agencies to patch it by July 4. The flaw is CVE-2026-45659, a remote code execution bug in on-premises SharePoint. Microsoft shipped the fix back in May. The patch is two months old. The exploitation is the new part.
What the bug actually is
CVE-2026-45659 carries a CVSS score of 8.8 and is a deserialization of untrusted data flaw. Microsoft and CISA both describe the effect the same way: an authorized attacker can execute code over the network. Deserialization is the step where a server takes structured data out of a request and rebuilds it into live objects in memory. Do that without checking what you are rebuilding, and a crafted payload stops being data and starts being instructions. That failure mode is catalogued as CWE-502, and it has been a dependable way into enterprise software for a decade.
The permission bar is the detail worth sitting with. Microsoft's advisory says any authenticated user can trigger it, with a minimum of Site Member permissions and no admin rights required. One low-privilege account, phished or bought, is enough to reach code execution on the server. This is not a bug that needs a domain admin to matter.
Who is affected
The affected products are the on-premises builds: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. SharePoint Online, the hosted version, is not on the list. If you run your own SharePoint box, this is aimed at you. If Microsoft runs it for you, it is not.
The "exploitation less likely" part
Here is the line that ages badly. When Microsoft published the fix in May, its advisory tagged the flaw "Exploitation Less Likely." That label is a forecast, not a promise, and this is the run where the forecast missed. CISA does not add entries to KEV on a hunch. It adds them when there is evidence of exploitation in the wild, which is what it says happened here.
What is not known is nearly everything past that. Microsoft and CISA have not said how the flaw is being exploited, who is doing it, or what they are after. There is no confirmed link to a ransomware campaign so far. I am not going to fill those blanks with a guess, and you should be skeptical of anyone who does this week.
Context, held at arm's length: on-premises SharePoint has been a standing target. Storm-2603, the group behind Warlock ransomware, has been exploiting on-prem SharePoint flaws since mid-2025. There is no public evidence tying that group to this specific CVE. Treat the history as a reason to move fast, not as an attribution.
What to do
Apply the May update. The July 4 deadline is binding on federal civilian agencies under CISA's Binding Operational Directive, but the reasoning is not federal property. A network-reachable server running an exploited, already-patched RCE is a bad thing to leave alone. Check whether your SharePoint instance is exposed to the internet. Patch it. Then look for the unglamorous signs of a bad day already underway: SharePoint spawning processes it should not, outbound connections that make no sense, admin accounts nobody remembers creating.
The fix has existed since May. The three-day clock only applies to the servers that never got it.
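The three signs listed under "What to do" can be turned into a first-pass triage over Windows event data. The sketch below is an added example, not code from Microsoft, CISA or this article's sources. It assumes events already parsed into dicts with Sysmon (Event ID 1 and 3) and Windows Security (4720 and 4732) field names, treats the IIS worker process w3wp.exe as the SharePoint web process, and uses constructed sample events and a hypothetical approved-provisioner account name.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumptions (not from the article): events are pre-parsed dicts using Sysmon and
# Windows Security field names; the lists below are illustrative starting points.
IIS_WORKER = "w3wp.exe"  # SharePoint web applications run inside IIS worker processes
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                    "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
APPROVED_PROVISIONERS = {"svc-provisioning"}  # hypothetical account name

def _exe(path):
    return PureWindowsPath(path or "").name.lower()

def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(ev):
    """Return a finding string for one event, or None if it looks routine."""
    eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "")
    if eid == 1 and _exe(ev.get("ParentImage")) == IIS_WORKER:   # Sysmon: process create
        if _exe(ev.get("Image")) in SUSPECT_CHILDREN:
            return f"w3wp.exe spawned {_exe(ev['Image'])}: {ev.get('CommandLine', '')}"
    elif eid == 3 and _exe(ev.get("Image")) == IIS_WORKER:       # Sysmon: network connect
        if not _internal(ev["DestinationIp"]):
            return f"w3wp.exe connected out to {ev['DestinationIp']}:{ev.get('DestinationPort')}"
    elif eid == 4720 and actor.lower() not in APPROVED_PROVISIONERS:  # account created
        return f"account {ev.get('TargetUserName')} created by {actor}"
    elif (eid == 4732 and ev.get("TargetUserName") == "Administrators"
          and actor.lower() not in APPROVED_PROVISIONERS):       # added to local admins
        return f"{ev.get('MemberSid')} added to Administrators by {actor}"
    return None

def findings(events):
    return [f for f in map(triage, events) if f]

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"EventID": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": W3WP, "CommandLine": "csc.exe /noconfig",  # ASP.NET compile
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 3, "Image": W3WP.lower(), "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": W3WP, "DestinationIp": "10.1.2.3", "DestinationPort": 1433},
    {"EventID": 4732, "TargetUserName": "Administrators", "SubjectUserName": "sp_farm",
     "MemberSid": "S-1-5-21-0-0-0-1001"},
]
```

The compiler child process and the internal database connection are left unflagged on purpose, since both are routine for an IIS-hosted .NET application. The child-process list, internal ranges and approved accounts need tuning per environment before the output is worth alerting on.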