
CISA Adds On-Premises SharePoint RCE CVE-2026-45659 to Its Exploited Vulnerabilities List, Three-Day Patch Deadline

Source: The Hacker News

CISA confirmed on 1 July that CVE-2026-45659, a remote code execution flaw in on-premises Microsoft SharePoint, is being actively exploited and added it to the Known Exploited Vulnerabilities catalog with a remediation deadline of 4 July, giving US federal agencies barely three days to patch. Microsoft fixed the underlying issue in its May 2026 updates, but a two-month exposure window is exactly the kind of gap attackers wait for, and it appears someone has been using it.

What the flaw actually requires

CVE-2026-45659 carries a CVSS score of 8.8 and stems from deserialization of untrusted data in SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. It is not a pre-authentication bug: an attacker needs valid credentials with Site Member permissions to trigger it. That distinction matters less than it sounds. Site Member is a low, commonly granted permission level, and credential phishing, token theft, and password spraying routinely hand attackers exactly that level of access before they ever touch the vulnerability that turns it into full remote code execution.
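The class of bug named above, deserialization of untrusted data, shown as an added example that is not SharePoint's code (SharePoint is a .NET product) and not from the article: Python's pickle stands in for the general pattern. The unrestricted loader instantiates whatever class the byte stream names, so any authenticated user who can submit a stream chooses what runs; the restricted loader resolves only an explicit allowlist of plain container types and rejects any other global before a constructor is reached. The allowlist, the sample objects and the function names are assumptions made for this illustration.

```python
"""Unrestricted versus restricted deserialization of an untrusted byte stream.

Added example (not from the article or from SharePoint). Python's pickle is used
to show the vulnerability class: a stream that names a class gets that class
imported and constructed unless the loader refuses to resolve it.
"""
import builtins
import collections
import io
import pickle

# Assumed allowlist: the only globals the application legitimately expects in a
# serialized payload. Everything else, including harmless-looking library
# classes, is refused.
SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve global references only from the allowlist; fail closed otherwise."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        # Raised before any object from the stream is instantiated.
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_load(data: bytes):
    """Vulnerable pattern: whatever the stream names gets imported and called."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened pattern: same stream, but globals outside the allowlist are rejected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders on a plain payload and on one that names a non-allowlisted class."""
    trusted = pickle.dumps({"site": "finance", "members": ["alice"]})
    # Constructed stand-in for a stream that names a class the app never asked for.
    suspicious = pickle.dumps(collections.OrderedDict(role="Site Member"))
    results = {"trusted_safe": safe_load(trusted)}
    try:
        safe_load(suspicious)
        results["suspicious_rejected"] = False
    except pickle.UnpicklingError:
        results["suspicious_rejected"] = True
    # The unrestricted loader happily builds the named class.
    results["suspicious_unsafe_loaded"] = type(unsafe_load(suspicious)).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the restricted loader is that the decision happens in `find_class`, before any object from the stream exists, which is where a deserialization boundary has to enforce its type expectations; validating after the fact is too late because construction is the dangerous step.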

Why on-premises SharePoint keeps coming back

This is on-premises SharePoint, not SharePoint Online, and that distinction is the whole story. Organisations still running SharePoint Server locally, rather than in Microsoft 365, tend to be the ones with the longest patch cycles: government bodies, law firms, manufacturers, and any enterprise with SharePoint deeply wired into internal workflows that make an upgrade project politically expensive. On-premises SharePoint deserialization bugs have produced some of the most damaging exploitation waves against European public sector and enterprise targets in recent memory, precisely because the software sits on infrastructure nobody wants to touch and rarely gets prioritised until it is already too late.

CISA’s deadline is American, the exposure is not

CISA’s four-day remediation window binds US federal agencies. It does not bind a ministry in Berlin, a manufacturer in Lyon, or a law firm in Milan, but the underlying fact does not change based on jurisdiction: active exploitation has been confirmed, and every day a vulnerable SharePoint farm stays unpatched is a day it is a viable target. Treating a KEV listing as a signal rather than a compliance obligation is the difference between patching this week and explaining a breach next month.

What we recommend

  • Identify every SharePoint Server instance in your estate, including shadow deployments that predate current IT governance and are not tracked in a central asset inventory
  • Apply the May 2026 security updates immediately if you have not already, prioritising farms reachable from the internet or from contractor and partner networks
  • Audit Site Member and higher permission grants, since the exploit path runs directly through accounts that already hold that access
  • Review SharePoint and identity provider logs for anomalous authenticated activity since May, given the two-month gap between patch and confirmed exploitation
  • Use this as the forcing function to evaluate whether on-premises SharePoint still earns its keep against a phased migration to SharePoint Online with modern conditional access controls
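The log review in the fourth recommendation, worked through as an added example that is not from the article or from Microsoft: a Python script over IIS W3C-format request lines, the format an on-premises SharePoint web front end writes, that builds each account's pre-patch baseline of source addresses and then flags successful authenticated requests after the cutoff from an address the account never used before, marking write requests as higher severity. The log lines, the cutoff date, the account names, paths and addresses are all constructed for this example; the parser keys on the `#Fields:` header, so a real log with more columns parses the same way.

```python
"""Flag authenticated SharePoint request activity that breaks an account's
pre-patch baseline. Added example; log lines, cutoff and names are constructed."""
from collections import defaultdict
from datetime import date

# Assumed cutoff: the day the May 2026 updates became available to your farm.
# Requests before it build the baseline; requests after it are reviewed.
CUTOFF = date(2026, 5, 12)

# Constructed IIS W3C log excerpt using a subset of the default field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-04-20 08:01:10 GET /sites/finance/SitePages/Home.aspx CORP\\alice 10.1.4.20 200
2026-04-21 09:15:33 POST /sites/finance/_layouts/15/upload.aspx CORP\\alice 10.1.4.20 200
2026-04-22 10:02:01 GET /sites/hr/SitePages/Home.aspx CORP\\bob 10.1.7.55 200
2026-05-30 02:14:09 GET /sites/finance/SitePages/Home.aspx CORP\\alice 198.51.100.23 200
2026-05-30 02:14:12 POST /sites/finance/_layouts/15/upload.aspx CORP\\alice 198.51.100.23 200
2026-06-02 11:40:00 GET /sites/hr/SitePages/Home.aspx CORP\\bob 10.1.7.55 200
2026-06-03 13:05:44 GET /sites/hr/SitePages/Home.aspx - 203.0.113.9 401
"""


def parse_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["date"] = date.fromisoformat(rec["date"])
        records.append(rec)
    return records


def baseline_addresses(records, cutoff=CUTOFF):
    """Source addresses each authenticated account used before the cutoff."""
    seen = defaultdict(set)
    for r in records:
        if r["date"] < cutoff and r["cs-username"] != "-":
            seen[r["cs-username"]].add(r["c-ip"])
    return seen


def find_anomalies(records, cutoff=CUTOFF):
    """Successful authenticated requests after the cutoff from an address the
    account never used in its baseline; writes (POST/PUT) are rated high."""
    seen = baseline_addresses(records, cutoff)
    findings = []
    for r in records:
        if r["date"] < cutoff or r["cs-username"] == "-":
            continue
        if not r["sc-status"].startswith(("2", "3")):
            continue  # failed requests are a different review, not a baseline break
        if r["c-ip"] in seen.get(r["cs-username"], set()):
            continue
        findings.append({
            "user": r["cs-username"],
            "when": f'{r["date"].isoformat()} {r["time"]}',
            "source": r["c-ip"],
            "request": f'{r["cs-method"]} {r["cs-uri-stem"]}',
            "severity": "high" if r["cs-method"] in ("POST", "PUT") else "medium",
            "reason": "new source address for this account after the cutoff",
        })
    return findings


def summarize(findings):
    """Per-account counts so a reviewer can triage the noisiest accounts first."""
    out = defaultdict(lambda: {"requests": 0, "writes": 0, "sources": set()})
    for f in findings:
        out[f["user"]]["requests"] += 1
        out[f["user"]]["writes"] += f["severity"] == "high"
        out[f["user"]]["sources"].add(f["source"])
    return dict(out)


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f'{f["severity"]:<6} {f["when"]} {f["user"]} {f["source"]} {f["request"]}')
```

A new source address is only one baseline dimension; the same structure extends to unusual hours, new user agents, or site collections an account had never visited, and the identity provider's sign-in logs should be joined on the account name so a flagged SharePoint session can be tied back to the authentication that produced it.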

If your organisation is still running on-premises SharePoint and needs help closing this exposure window, auditing farm-wide permissions, or planning a realistic migration path off legacy infrastructure, contact Excello Digital. We help European IT and security teams turn KEV alerts into patched systems, not postponed tickets.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!