CISA adds SharePoint RCE flaw to KEV catalog: Microsoft's prediction fails
The agency confirms active exploitation of CVE-2026-45659, a vulnerability Microsoft considered 'less likely' to be exploited.
July 5, 2026 · 5 min read
TL;DR: CISA added the SharePoint vulnerability CVE-2026-45659 to the KEV catalog, confirming active exploitation. Microsoft had rated it as 'less likely' to be exploited. The flaw allows RCE with only site member permissions. Urgent patching required.
What happened?
On June 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog. This remote code execution (RCE) flaw in Microsoft SharePoint Server, caused by insecure deserialization, affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft had already released patches in its May 2026 security update, but CISA confirmed that attackers are actively exploiting the vulnerability in real-world attacks, contradicting Microsoft's initial assessment, which rated the likelihood of exploitation as 'less likely'.
Why is it important?
Inclusion in the KEV catalog is an unequivocal indicator that the vulnerability is being used in real attacks. Although CISA has not revealed who is exploiting the flaw or the scale of the attacks, its directive is clear: federal civilian agencies must apply patches by July 4, 2026, or remove affected systems. The vulnerability has a CVSS score of 8.8 (high), and while it is not pre-authentication, any attacker with valid credentials and 'Site Member' permissions can exploit it remotely with low complexity. Microsoft noted in its advisory: 'Any authenticated attacker could trigger this vulnerability. It does not require administrator or other elevated privileges.' This makes it a critical vector once the attacker has initial access, as 'Site Member' permissions are common in SharePoint environments.
Historically, SharePoint vulnerabilities have been a recurring target. For example, CVE-2023-29357, also an RCE in SharePoint, was classified by Microsoft as 'Exploitation More Likely' and was indeed massively exploited. The difference here is that Microsoft assessed CVE-2026-45659 as 'Less Likely', a prediction that has been disproven by events. This underscores a troubling pattern: patches provide a roadmap for attackers, who can reverse-engineer them to create exploits. As The Register notes, 'history has a habit of making those forecasts look optimistic once patches give attackers a roadmap to reverse-engineer.'
Consequences and deadlines
CISA requires federal civilian agencies to apply patches by July 4, 2026, following Binding Operational Directive 26-04. The agency warns that 'this type of vulnerability is a frequent attack vector for malicious actors and poses significant risks to the federal enterprise.' For the private sector, inclusion in the KEV catalog is the strongest warning signal available: attackers are already actively exploiting the flaw, and the time left to patch ahead of them is running out. Organizations that have not yet applied the May 2026 patch must do so immediately, as any delay increases the risk of compromise.
The potential impact is broad. SharePoint is a widely used platform for collaboration and document management in businesses and governments. An attacker exploiting CVE-2026-45659 could execute arbitrary code on the server, potentially leading to data theft, malware installation, or lateral movement within the network. Since the vulnerability requires authentication, attackers will likely combine it with other techniques to obtain initial credentials, such as phishing or exploiting other vulnerabilities. The low complexity of the attack and the lack of need for elevated privileges make it an attractive vector for advanced persistent threat (APT) actors and ransomware groups.
What should readers know?
- Patch immediately: Microsoft's May updates fix CVE-2026-45659. If not yet applied, do so without delay. Verify that all affected SharePoint systems are updated.
- Review permissions: The vulnerability requires only 'Site Member' permissions. Limiting the number of users with these permissions reduces the attack surface. Consider implementing the principle of least privilege.
- Monitor activity: Look for signs of exploitation, such as unexpected code execution, anomalous processes on SharePoint servers, or suspicious network connections. Use endpoint detection and response (EDR) tools and log analysis.
- Don't trust 'less likely' assessments: History shows that patches provide a roadmap for attackers, who can reverse-engineer the code to create exploits. Patch based on technical severity, not probability estimates.
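For the "Monitor activity" point above, one way to look for anomalous processes is to flag children of the IIS worker process (w3wp.exe), which hosts SharePoint web applications. This is an added example, not taken from CISA or Microsoft guidance. The sample events are constructed, and the two child-process lists are assumptions to tune per environment.

```python
import ntpath  # parses Windows paths correctly on any OS

# Assumption: programs an IIS worker (w3wp.exe, which hosts SharePoint web
# applications) has no routine reason to start.
ALERT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                  "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# The C# compiler also runs during normal ASP.NET page compilation, so it is
# flagged for review rather than as an alert.
REVIEW_CHILDREN = {"csc.exe", "cvtres.exe"}

def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "w3wp.exe":
        return None
    if child in ALERT_CHILDREN:
        return "alert"
    return "review" if child in REVIEW_CHILDREN else None

def triage(events):
    """Return (severity, UtcTime, Image, CommandLine), alerts first, then by time."""
    hits = [(classify(e), e["UtcTime"], e["Image"], e.get("CommandLine", ""))
            for e in events if classify(e)]
    return sorted(hits, key=lambda h: (h[0] != "alert", h[1]))

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-20 10:00:02", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": W3WP, "CommandLine": "w3wp.exe -ap \"SharePoint - 80\""},
    {"UtcTime": "2026-06-20 10:01:40", "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig @tmp.cmdline"},
    {"UtcTime": "2026-06-20 10:05:09", "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2026-06-20 10:03:11", "ParentImage": W3WP.upper(),
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"UtcTime": "2026-06-20 10:07:30", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The same parent/child condition can be expressed as an EDR or SIEM rule; the Python form only makes the logic and its compiler false-positive case explicit.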
Historical context
This is not the first time Microsoft's exploitation predictions have proven optimistic. In 2023, CVE-2023-29357 (also in SharePoint) was classified as 'Exploitation More Likely' and was indeed massively exploited. The difference here is the 'Less Likely' rating, which has been disproven by events. Inclusion in the KEV underscores the need to patch based on technical severity rather than probability estimates. Additionally, the lifecycle of this vulnerability reflects a common pattern: Microsoft releases a patch, attackers analyze it, develop an exploit, and attacks begin. CISA, by confirming active exploitation, acts as a catalyst for organizations to prioritize patching.
Compared to previous events, such as the CVE-2021-40444 vulnerability in MSHTML, which was also added to the KEV after active exploitation, we see that the time between patch release and KEV inclusion has shortened. In the case of CVE-2026-45659, the patch was released in May 2026 and CISA added it to the KEV in June, just one month later. This indicates that attackers are acting quickly, and organizations must do the same.
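The prioritization rule argued for here (KEV membership and technical severity first, vendor likelihood estimates last) can be applied mechanically to a patch backlog. The sketch below is an added example, not CISA or Microsoft tooling. The feed excerpt is constructed in the shape of CISA's KEV JSON feed using the dates given in this article, and the `CVE-0000-*` backlog entries are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; the dates are the
# ones this article gives for CVE-2026-45659.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-45659", "dateAdded": "2026-06-18", "dueDate": "2026-07-04"},
]})

# Constructed patch backlog. The CVE-0000-* identifiers are placeholders.
BACKLOG = [
    {"cve": "CVE-0000-0001", "cvss": 9.1, "vendor_rating": "Exploitation More Likely"},
    {"cve": "CVE-2026-45659", "cvss": 8.8, "vendor_rating": "Exploitation Less Likely"},
    {"cve": "CVE-0000-0002", "cvss": 5.4, "vendor_rating": "Exploitation Unlikely"},
]

def load_kev(feed_text):
    """Map cveID -> remediation due date from KEV feed JSON."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(backlog, kev, today):
    """KEV entries first (earliest due date first), then the rest by CVSS.

    The vendor rating is carried through for reporting but is never a sort key.
    """
    rows = []
    for item in backlog:
        due = kev.get(item["cve"])
        rows.append({**item, "in_kev": due is not None,
                     "days_left": (due - today).days if due else None})
    return sorted(rows, key=lambda r: (not r["in_kev"],
                                       r["days_left"] if r["in_kev"] else 0,
                                       -r["cvss"]))

if __name__ == "__main__":
    for row in prioritize(BACKLOG, load_kev(KEV_FEED), date(2026, 7, 5)):
        status = f"KEV, {row['days_left']} days to deadline" if row["in_kev"] else "not in KEV"
        print(f"{row['cve']}  CVSS {row['cvss']}  {row['vendor_rating']}  ({status})")
```

A negative `days_left` means the KEV deadline has already passed.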
Final recommendations
Organizations running SharePoint on-premises should prioritize applying the May 2026 security patch. Additionally, review access logs and activity for anomalous behavior. The window of opportunity for attackers has opened; patching speed will determine who wins the race. For those unable to patch immediately, CISA recommends considering mitigation measures such as isolating affected servers or implementing firewall rules to restrict access. However, the only definitive solution is to apply the patch. In a landscape where SharePoint vulnerabilities remain a frequent target, the lesson is clear: do not underestimate warnings and act swiftly.