CISA Confirms Active Exploitation of Microsoft SharePoint Bug Rated Low Risk by Microsoft

CISA warns of active attacks on a Microsoft SharePoint bug that Microsoft underrated, requiring urgent patching by July 4.

Jul 2, 2026
3 min read
Technobezz
CISA Confirms Active Exploitation of Microsoft SharePoint Bug Rated Low Risk by Microsoft

Don't Miss the Good Stuff

Get tech news that matters delivered weekly. Join 50,000+ readers.

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog Wednesday after confirming active exploitation of the SharePoint Server remote code execution flaw. The vulnerability carries a CVSS score of 8.8 and stems from a deserialization of untrusted data issue affecting SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft released fixes on May 21 after acknowledging the CVE had been accidentally omitted from that month's Patch Tuesday updates.

Unlike some of SharePoint's most dangerous bugs, this one requires authentication. But the bar is low. Any user with Site Member permissions, the most basic access level on a SharePoint site, can pull it off.

"Any authenticated attacker could trigger this vulnerability," Microsoft wrote in its advisory. "It does not require admin or other elevated privileges." The attack can be launched remotely over the network with low complexity and no user interaction, making it straightforward for attackers who have already established a foothold.

Microsoft rated the flaw "Exploitation Less Likely" when the patches landed in May, a prediction that lasted barely six weeks before CISA confirmed attackers were actively using it. CISA ordered Federal Civilian Executive Branch agencies to apply the patches by July 4 or discontinue use of affected systems, as required by Binding Operational Directive 26-04. The agency warned the vulnerability is "a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

The Shadowserver Foundation is currently tracking over 10,000 SharePoint servers exposed online. CISA has tagged 11 Microsoft SharePoint vulnerabilities in its KEV catalog since 2021, seven of which were also exploited in ransomware attacks.

Share

More in News