CISA Warns of Active Exploitation in High-Severity Microsoft SharePoint RCE Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a critical alert regarding the active exploitation of a high-severity remote code execution (**RCE**) vulnerability in **Microsoft SharePoint**. Tracked as **CVE-2026-45659**, this flaw allows low-privileged attackers to execute arbitrary code with minimal complexity and no user interaction, posing a significant risk to organizations utilizing vulnerable SharePoint servers.
On Wednesday, **CISA** confirmed that threat actors are actively exploiting **CVE-2026-45659**, a deserialization of untrusted data weakness affecting **Microsoft SharePoint**.
This vulnerability enables authenticated attackers with as little as Site Member permissions to remotely execute code on unpatched SharePoint servers. **Microsoft** clarified that the attack vector is network-based (**AV:N**) and the complexity is low (**AC:L**), meaning attackers do not require extensive prior knowledge and can achieve repeatable success.
**Microsoft** had initially released security updates for **SharePoint Enterprise Server 2016**, **SharePoint Server 2019**, and **SharePoint Server Subscription Edition** on May 21, addressing this vulnerability. The company noted that **CVE-2026-45659** was inadvertently omitted from the May 2026 Security Updates.
Internet security watchdog group **Shadowserver** reports tracking over 10,000 **SharePoint** servers exposed online. The current number of these devices secured against ongoing attacks leveraging **CVE-2026-45659** remains unknown.

This isn't the first time **SharePoint** has faced active exploitation. In April 2026, **Microsoft** addressed another **SharePoint** vulnerability that was actively exploited as a zero-day.
**CISA** has added **CVE-2026-45659** to its **Known Exploited Vulnerabilities Catalog (KEV)**, mandating Federal Civilian Executive Branch (**FCEB**) agencies to patch their servers by Saturday. This directive falls under Binding Operational Directive (**BOD**) 26-04, which prioritizes patching based on several factors, including KEV inclusion, potential for large-scale automated attacks, public exposure, and the level of control granted upon successful exploitation.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned. The agency further advised stakeholders to evaluate each asset's internet exposure and ensure adherence to **BOD 26-04** patching guidelines, or discontinue product use if mitigations are unavailable.
Since 2021, **CISA** has identified 11 **Microsoft SharePoint** vulnerabilities that have been exploited in the wild, with seven of these also being leveraged in ransomware attacks.

*SharePoint servers exposed online (**Shadowserver**)*