
CISA flags exploited SharePoint Server flaw for urgent July 4 remediation
CISA added CVE-2026-45659, a SharePoint Server code execution flaw, to its exploited vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency has put a Microsoft SharePoint Server flaw on its Known Exploited Vulnerabilities catalog, turning a May security update into an urgent remediation item for organizations that still run on-premises SharePoint.
The entry is for CVE-2026-45659, a deserialization of untrusted data vulnerability in Microsoft Office SharePoint. CISA says the bug allows an authorized attacker to execute code over a network and lists July 4, 2026, as the required remediation date for covered federal civilian agencies. The agency's KEV catalog is reserved for vulnerabilities with evidence of active exploitation, so the listing is a stronger signal than a routine patch advisory.
Why SharePoint admins should care
National Vulnerability Database records attribute the CVE to Microsoft and show a CVSS 3.1 base score of 8.8, with network attack vector, low attack complexity, low privileges required, and no user interaction required. The affected software configurations listed by NVD include SharePoint Server 2019, SharePoint Server 2016 Enterprise, and SharePoint Server Subscription Edition versions below the fixed Subscription Edition build identified in the record.
The practical risk is that a compromised or low-privilege SharePoint account can become a path to server-side code execution. That matters because SharePoint servers often sit close to sensitive files, identity systems, intranet workflows, and other business applications. Even when internet exposure is limited, attackers who already obtained credentials may be able to use a collaboration server as a foothold for broader movement.
What changed this week
The underlying CVE was originally published by NVD in May, but the July update changes defender priorities because CISA now cites known exploitation and sets a short deadline under its risk-based remediation process. CISA's required action tells agencies to apply vendor mitigations, follow BOD 26-04 guidance for cloud services where applicable, complete required forensics triage steps, or discontinue use if mitigations are unavailable. For SharePoint operators, the practical steps are:
- Confirm all supported SharePoint Server deployments received the relevant Microsoft security update.
- Audit low-privilege and guest users with site member access, especially on externally reachable farms.
- Review logs for unusual authenticated requests, web shell activity, new scheduled tasks, or unexpected process launches from SharePoint services.
- Prioritize exposed or business-critical SharePoint farms before lower-risk internal instances.
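The checklist above can be turned into a repeatable per-server triage pass. The PowerShell below is an added example written for this page; it is not code from the article, CISA, Microsoft or CyberOGZ, and it is not a detection signature for CVE-2026-45659 itself. It assumes it runs in an elevated SharePoint Management Shell on an on-premises server, that the fixed build number is taken from Microsoft's advisory (the `$FixedBuild` default is a placeholder, not a real value), and that the LAYOUTS path, the claim strings for "Everyone" and "All Authenticated Users", the 30-day lookback and the list of process names treated as suspicious are the author's own choices for illustration.

```powershell
<#
  Added triage example for the four checklist items above (not from the article,
  CISA, Microsoft or CyberOGZ). Run from an elevated SharePoint Management Shell on
  each on-premises SharePoint server. Assumptions: $FixedBuild is a PLACEHOLDER;
  the LAYOUTS path, claim strings, lookback window and process-name lists are
  illustrative choices, not vendor-published values.
#>
param(
    [version]$FixedBuild   = [version]'0.0.0.0',   # PLACEHOLDER: use the fixed build from Microsoft's advisory
    [int]    $LookbackDays = 30                    # assumption: how far back to look for changes
)

$ErrorActionPreference = 'Continue'
$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[string]

if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Patch state: compare the farm build with the vendor's fixed build.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $FixedBuild) {
    $findings.Add("PATCH: farm build $farmBuild is below fixed build $FixedBuild")
}

# 2. Member-level access granted to broad, low-trust principals.
#    On-premises claim encodings: "c:0(.s|true" = Everyone, "c:0!.s|windows" = All Authenticated Users.
$broadClaims = @('c:0(.s|true', 'c:0!.s|windows')
foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            $grp = $web.AssociatedMemberGroup
            if ($null -ne $grp) {
                foreach ($u in $grp.Users) {
                    if ($broadClaims -contains $u.LoginName) {
                        $findings.Add("ACCESS: '$($u.Name)' is in '$($grp.Name)' on $($web.Url)")
                    }
                }
            }
            $web.Dispose()
        }
    } finally { $site.Dispose() }
}

# 3a. Web shell indicators: script-handled files written recently under the web roots.
#     LAYOUTS path below is the usual SharePoint 2016+/SE location (assumption).
$webRoots = @("$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS")
foreach ($app in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($iis in $app.IisSettings.Values) { $webRoots += $iis.Path.FullName }
}
foreach ($root in ($webRoots | Sort-Object -Unique)) {
    Get-ChildItem -Path $root -Recurse -Include *.aspx, *.ashx, *.asmx, *.svc -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object { $findings.Add("FILE: $($_.FullName) modified $($_.LastWriteTime)") }
}

# 3b. Scheduled tasks registered inside the lookback window.
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } | ForEach-Object {
    $findings.Add("TASK: $($_.TaskPath)$($_.TaskName) registered $($_.Date) runs $($_.Actions.Execute)")
}

# 3c. Command interpreters currently running as children of SharePoint worker or timer
#     processes (point-in-time snapshot; pair with 4688/Sysmon history for coverage).
$procs     = Get-CimInstance Win32_Process
$byPid     = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }
$spParents = @('w3wp.exe', 'owstimer.exe')
$interps   = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
foreach ($p in $procs) {
    $parent = $byPid[$p.ParentProcessId]
    if ($parent -and ($spParents -contains $parent.Name) -and ($interps -contains $p.Name)) {
        $findings.Add("PROC: $($parent.Name)[$($parent.ProcessId)] -> $($p.Name)[$($p.ProcessId)] $($p.CommandLine)")
    }
}

# 4. Report. Exposure and business criticality are prioritisation inputs the script
#    cannot know; tag each host with them in your tracker and work the exposed farms first.
if ($findings.Count -eq 0) {
    Write-Output "No findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "[$env:COMPUTERNAME] $_" }
}
```

Each finding is prefixed with the checklist item it relates to (PATCH, ACCESS, FILE, TASK, PROC) so output from several servers can be merged and sorted. The file and process checks are indicators to review, not proof of compromise: SharePoint updates legitimately rewrite files under LAYOUTS, so a FILE finding dated to the patch window should be reconciled against the update itself before it is treated as a web shell.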
Microsoft's Security Update Guide remains the vendor advisory referenced by both CISA and NVD. Organizations outside the U.S. federal mandate are not legally bound by the July 4 deadline, but KEV additions are widely used as a practical patching priority list because they point to vulnerabilities already seen in real-world attacks.
Sources
Cover photo by panumas nikhomkhai on Pexels, used under the Pexels License.
CyberOGZ Team