The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, citing confirmed evidence of active exploitation.
The vulnerability, tracked as CVE-2026-45659 with a CVSS score of 8.8, stems from the deserialization of untrusted data within SharePoint Server. Insecure deserialization is a well-established vulnerability class: when an application reconstructs objects from attacker-controlled input, a remote attacker can often achieve arbitrary code execution on the affected system without any physical or local access.
Risk and Federal Mandate
CISA classifies this class of vulnerability as a frequent attack vector for malicious actors and notes it poses significant risk to the federal enterprise. Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to prioritize rapid remediation of high-risk vulnerabilities listed in the KEV catalog, particularly those present on publicly exposed assets where successful exploitation could grant total control of the affected system.
BOD 26-04 also establishes expectations for agencies to assess whether threat actors may have compromised systems before a patch was applied, adding a forensic accountability layer to the remediation process.
Broader Recommendations
While the directive formally applies only to federal agencies, CISA is encouraging all organizations to adopt risk-based vulnerability management practices and treat KEV catalog entries as high-priority remediation targets. Organizations running Microsoft SharePoint Server should assess their exposure promptly and apply available mitigations.
- Vulnerability: CVE-2026-45659, Microsoft SharePoint Server Deserialization of Untrusted Data
- CVSS Score: 8.8 (High)
- Exploitation status: Actively exploited in the wild
- Applicable directive: BOD 26-04 for FCEB agencies
Security teams should verify patch status across all SharePoint Server instances, prioritizing any deployments exposed to the public internet.
