The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Microsoft SharePoint remote code execution vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Federal civilian agencies have been ordered to remediate by Saturday under the requirements of Binding Operational Directive (BOD) 26-04.
Vulnerability Details
The flaw, tracked as CVE-2026-45659 with a CVSS score of 8.8, stems from a deserialization of untrusted data weakness in SharePoint Server. It allows any authenticated attacker holding at least Site Member permissions to execute arbitrary code remotely, without requiring elevated privileges or user interaction.
Microsoft describes the attack complexity as low, noting that an attacker does not need significant prior knowledge of the target system and can achieve repeatable success with a payload against a vulnerable component. The vulnerability is network-exploitable and reachable from the internet.
Affected products include SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016.
Patch Timeline and Exposure
Microsoft released an out-of-band security update on May 21, after the patch was accidentally omitted from the May 2026 Patch Tuesday release cycle. Internet security monitoring organization Shadowserver is currently tracking more than 10,000 SharePoint servers exposed online, though the proportion of those servers that remain unpatched is not known.
Federal and Enterprise Guidance
BOD 26-04, issued last month, requires federal agencies to prioritize remediation based on several factors: KEV catalog inclusion, potential for automated exploitation at scale, public internet exposure of the asset, and whether successful exploitation grants partial or total control of the targeted system.
CISA emphasized that organizations unable to apply mitigations should consider discontinuing use of the affected product. All enterprises, not just federal agencies, are advised to apply Microsoft’s patches as quickly as possible.
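As an added illustration that is not part of the article or of CISA's own tooling, the following Python script ranks a constructed asset inventory by the four BOD 26-04 factors the directive names; the KEV field names are assumed to match CISA's public KEV JSON feed, and the weights, hosts and dates are assumptions.

```python
"""Added example: triage hosts by the BOD 26-04 factors named in the article.
Not from the article or CISA. KEV field names (cveID, dueDate, knownRansomwareCampaignUse)
are assumed to match CISA's KEV JSON feed; weights, hosts and dates are constructed."""
import json
from datetime import date

# Constructed excerpt shaped like the KEV feed's "vulnerabilities" array.
KEV_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-45659", "product": "SharePoint Server",
    "dueDate": "2026-05-30", "knownRansomwareCampaignUse": "Unknown"}]})

# Constructed inventory; "CVE-PLACEHOLDER-1" stands in for a CVE not in KEV.
# automatable: low complexity, network-reachable, no user interaction (factor 2)
# control: what a successful exploit grants, "total" or "partial" (factor 4)
ASSETS = [
    {"host": "sp-intranet-01", "cves": ["CVE-2026-45659"], "automatable": True,
     "internet_exposed": False, "control": "total"},
    {"host": "sp-extranet-02", "cves": ["CVE-2026-45659"], "automatable": True,
     "internet_exposed": True, "control": "total"},
    {"host": "wiki-03", "cves": ["CVE-PLACEHOLDER-1"], "automatable": False,
     "internet_exposed": True, "control": "partial"},
]


def load_kev(text: str) -> dict:
    """Index KEV entries by CVE id for direct lookup during triage."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(assets, kev, today: date) -> list:
    """Score each asset on the four factors and sort highest-risk first.
    Weights are assumptions, not values taken from the directive."""
    ranked = []
    for a in assets:
        score, due = 0, None
        for cve in a["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue                                   # not in KEV: factor 1 absent
            score += 4                                     # factor 1: KEV inclusion
            if entry.get("knownRansomwareCampaignUse") == "Known":
                score += 1                                 # ransomware-linked entry
            d = date.fromisoformat(entry["dueDate"])
            due = d if due is None or d < due else due     # earliest KEV due date wins
        score += 2 if a["automatable"] else 0              # factor 2: exploitable at scale
        score += 2 if a["internet_exposed"] else 0         # factor 3: internet exposure
        score += 2 if a["control"] == "total" else 1       # factor 4: degree of control
        ranked.append({**a, "score": score, "due": due,
                       "overdue": due is not None and due < today})
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))
```

Feeding the script a real KEV download and a real inventory turns it into a daily check of which hosts carry catalogued CVEs past their due date.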
Broader SharePoint Risk Pattern
CVE-2026-45659 is the latest in a sustained pattern of SharePoint targeting. Since 2021, CISA has catalogued 11 SharePoint vulnerabilities abused in attacks, seven of which have also been tied to ransomware operations. A separate SharePoint zero-day was patched by Microsoft in April 2026, and CISA issued a warning about yet another SharePoint flaw being exploited in March of this year.
- CVE: CVE-2026-45659
- CVSS: 8.8 (High)
- Attack vector: Network, low complexity, low privileges required, no user interaction
- Patch available: Yes, released May 21 via out-of-band update
- Federal remediation deadline: Saturday, per BOD 26-04
