CISA Warns SharePoint RCE Under Active Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, following confirmed evidence of active exploitation in the wild. The vulnerability is a high-severity remote code execution (RCE) flaw affecting Microsoft SharePoint Server, stemming from improper deserialization of untrusted data.
The flaw allows authenticated attackers with low privileges to execute arbitrary code on affected SharePoint servers. Given SharePoint's ubiquitous deployment in enterprise environments — including government agencies, financial institutions, and healthcare organizations — the attack surface is substantial. CISA's KEV addition triggers a mandatory patching deadline for federal civilian agencies under Binding Operational Directive 22-01, with compliance required by July 4, 2026.
What makes this particularly urgent is the timing. Many organizations are operating with reduced security staffing during the July 4th holiday period in the United States, creating a window where attackers can exploit unpatched systems before defenders can respond. Security researchers at BleepingComputer confirmed that the vulnerability requires only authenticated access at a low privilege level, meaning any compromised account could serve as an entry point.
This SharePoint vulnerability follows a pattern of Microsoft server products being targeted via deserialization flaws. Organizations running on-premise SharePoint Server are at highest risk, while SharePoint Online (Microsoft 365) customers are protected by Microsoft's cloud infrastructure. The patch was released as part of Microsoft's June 2026 Patch Tuesday, meaning the fix has been available for several weeks but adoption rates remain concerningly low.
The July 4th patching deadline is brutal timing — holiday-week security gaps are exactly what ransomware operators plan around. If your organization runs on-premise SharePoint, treat this as a P0 today, not Monday. For MENA enterprises that often lag on patching cycles, this is a wake-up call: deserialization RCEs in Microsoft server products are reliable attack primitives, and attackers don't wait for your maintenance window.
Does this affect SharePoint Online (Microsoft 365)?
No. SharePoint Online is protected by Microsoft's cloud infrastructure. Only on-premise SharePoint Server deployments are affected and require immediate patching.