Published Thursday, July 02, 2026 at 07:25 AM PT

🔴 BREAKING — CISA KEV ALERT: Microsoft SharePoint RCE Under Active Exploitation

BLUF: CISA has added CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint, to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation by threat actors. All organizations running affected SharePoint versions should patch immediately.


DETAILS

  • CVE-2026-45659 is a remote code execution (RCE) vulnerability affecting Microsoft SharePoint; it was described as “recently patched” at the time of CISA’s warning
  • CISA confirmed active exploitation by threat actors and added the CVE to its KEV catalog — indicating real-world exploitation is verified, not theoretical
  • Multiple outlets (SecurityWeek, BleepingComputer, The Hacker News) are independently reporting active exploitation, corroborating CISA’s assessment
  • NOTE — UNCERTAINTY: Specific technical details of the exploit mechanism, the identity of threat actors involved, and the full scope of affected SharePoint versions have not been confirmed in available source material and should not be assumed
  • NOTE — UNCERTAINTY: CVE-2026-45659 does not match standard current CVE year conventions; treat the CVE identifier as reported but verify against official CISA KEV and Microsoft advisories directly

IMPACT

  • Who is affected: Any organization running a vulnerable, unpatched version of Microsoft SharePoint — including on-premises deployments; SharePoint Online status is unconfirmed
  • Scope: SharePoint is widely deployed across enterprise, government, and critical infrastructure environments; exposure potential is broad
  • Risk: Successful RCE exploitation could allow attackers to execute arbitrary code, move laterally, exfiltrate data, or deploy ransomware; no attribution has been confirmed at this time
  • Federal agencies are subject to mandatory remediation timelines under CISA’s KEV directive (BOD 22-01)

  1. Patch immediately — Apply Microsoft’s available patch for CVE-2026-45659; confirm patch status across all SharePoint instances
  2. Verify scope — Audit all SharePoint deployments (on-premises and hybrid) for affected versions
  3. Check for indicators of compromise — Review SharePoint server logs for anomalous activity, particularly unusual process execution or outbound connections
  4. Isolate if unpatched — If patching cannot be completed immediately, consider restricting external access to SharePoint instances until remediation is complete
  5. Federal agencies — Comply with BOD 22-01 remediation deadlines as specified in the CISA KEV catalog entry
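
One way to confirm the KEV listing and track the remediation deadline from step 5, as an added example that is not part of the original alert. It assumes a local copy of CISA's KEV JSON feed; the sample catalog below is constructed in that feed's shape (`vulnerabilities`, `cveID`, `dueDate`), and its dates are placeholders, not real catalog data.

```python
import json
import re
from datetime import date

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the shape of the KEV JSON feed.
# The dates are placeholders, NOT real catalog data.
SAMPLE_KEV = json.dumps({
    "catalogVersion": "0000.00.00",
    "vulnerabilities": [
        {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft",
         "product": "SharePoint", "dateAdded": "2026-07-01",
         "dueDate": "2026-07-22"},
    ],
})


def kev_status(catalog_json, cve_id, today):
    """Return KEV listing status and deadline state for one CVE."""
    cve_id = cve_id.strip().upper()
    # Reject malformed identifiers before searching, so a typo is
    # reported as an error rather than as "not listed".
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    entries = json.loads(catalog_json).get("vulnerabilities", [])
    entry = next(
        (e for e in entries if e.get("cveID", "").upper() == cve_id), None)
    if entry is None:
        return {"cve": cve_id, "listed": False}
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": cve_id,
        "listed": True,
        "product": f'{entry.get("vendorProject")} {entry.get("product")}',
        "due": due,
        "days_left": (due - today).days,  # negative once the deadline passes
        "overdue": today > due,
    }


if __name__ == "__main__":
    # Replace SAMPLE_KEV with the contents of the downloaded feed.
    print(kev_status(SAMPLE_KEV, "CVE-2026-45659", date.today()))
```

A result of `listed: False` against the real feed means the identifier as reported is not in the catalog and should be re-checked before any response is initiated.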

SOURCES

  • SecurityWeek — CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
  • BleepingComputer — CISA: Microsoft SharePoint RCE flaw now actively exploited
  • The Hacker News — SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
  • CISA Known Exploited Vulnerabilities Catalog — verify directly at cisa.gov/known-exploited-vulnerabilities-catalog
  • Microsoft Security Response Center — cross-reference for patch availability and affected version list

⚠️ Verify CVE identifier and affected version scope against official Microsoft and CISA advisories before briefing leadership or initiating enterprise-wide response.