The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026, citing confirmed evidence of active exploitation.

The vulnerability, tracked as CVE-2026-45659 with a CVSS score of 8.8, stems from the deserialization of untrusted data within SharePoint Server. Deserialization flaws are a well-established attack class: an attacker who can get the server to deserialize attacker-controlled input may be able to execute arbitrary code on it remotely, over the network and without any local or physical access.

Risk and Federal Mandate

CISA classifies this class of vulnerability as a frequent attack vector for malicious actors and notes it poses significant risk to the federal enterprise. Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to prioritize rapid remediation of high-risk vulnerabilities listed in the KEV catalog, particularly those present on publicly exposed assets where successful exploitation could grant total control of the affected system.

BOD 26-04 also establishes expectations for agencies to assess whether threat actors may have compromised systems before a patch was applied, adding a forensic accountability layer to the remediation process.

Broader Recommendations

While the directive formally applies only to federal agencies, CISA is encouraging all organizations to adopt risk-based vulnerability management practices and treat KEV catalog entries as high-priority remediation targets. Organizations running Microsoft SharePoint Server should assess their exposure promptly and apply available mitigations.

  • Vulnerability: CVE-2026-45659, Microsoft SharePoint Server Deserialization of Untrusted Data
  • CVSS Score: 8.8 (High)
  • Exploitation status: Actively exploited in the wild
  • Applicable directive: BOD 26-04 for FCEB agencies

Security teams should verify patch status across all SharePoint Server instances, prioritizing any deployments exposed to the public internet.
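One way to carry out the patch-status and exposure triage recommended above, from the SharePoint Management Shell on a farm server. This is an added example, not code from CISA or Microsoft; the minimum build number is a placeholder because the notice does not give one, and it treats an Internet-zone alternate access mapping as the signal that a web application is public-facing.

```powershell
# Added example, not from the CISA notice or Microsoft: inventory a SharePoint
# farm's build level and list web applications that publish an Internet-zone URL,
# so remediation can be ordered the way the notice recommends. Run in the
# SharePoint Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: the notice gives no fixed build number. Replace with the build
# listed in Microsoft's security update for CVE-2026-45659 before relying on this.
$MinimumPatchedBuild = [Version]'16.0.0.0'

$farm = Get-SPFarm
$report = [ordered]@{
    FarmBuild        = $farm.BuildVersion
    MeetsBaseline    = ($farm.BuildVersion -ge $MinimumPatchedBuild)
    # True when binaries are newer than the configuration database, i.e. the
    # update was installed but the configuration wizard (PSConfig) has not run.
    FarmNeedsUpgrade = $farm.NeedsUpgrade
}

# A farm is only as patched as its least-patched server; list servers whose
# local install still needs the configuration wizard run.
$report.ServersNeedingUpgrade = @(Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' -and $_.NeedsUpgrade } |
    Select-Object -ExpandProperty Name)

# Web applications with an alternate access mapping in the Internet zone are the
# likeliest public-facing entry points; they go to the top of the patch queue.
$report.InternetZoneWebApps = @(Get-SPWebApplication | ForEach-Object {
    $wa = $_
    Get-SPAlternateURL -WebApplication $wa |
        Where-Object { $_.Zone -eq 'Internet' } |
        ForEach-Object { '{0} => {1}' -f $wa.DisplayName, $_.IncomingUrl }
})

[pscustomobject]$report | Format-List
```

A farm whose build meets the baseline but still reports NeedsUpgrade is not fully remediated; the configuration wizard has to complete on every server before the update is in effect.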