CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
CISA has added CVE-2026-45659, a high-severity deserialization vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw allows authenticated attackers with minimal "Site Member" permissions to execute arbitrary code, carrying a CVSS score of 8.8 and requiring immediate patching. Affected versions include SharePoint Server Subscription Edition, 2019, 2016, and Enterprise Server 2016, with Microsoft releasing an out-of-
Analysis
TL;DR
- CISA has added CVE-2026-45659, a high-severity deserialization vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
- The flaw allows authenticated attackers with minimal "Site Member" permissions to execute arbitrary code, carrying a CVSS score of 8.8 and requiring immediate patching.
- Affected versions include SharePoint Server Subscription Edition, 2019, 2016, and Enterprise Server 2016, with Microsoft releasing an out-of-band patch in late May.
- Federal agencies are mandated to patch within three days under BOD 26-04, while all organizations are urged to apply updates immediately given SharePoint's critical role in enterprise infrastructure.
Why It Matters
This incident highlights the persistent risk of deserialization flaws in widely used enterprise collaboration platforms, emphasizing that even low-privilege authenticated users can trigger severe remote code execution. For AI and IT practitioners, it underscores the necessity of rigorous access control reviews and rapid patch management cycles, especially when vulnerabilities are actively exploited in the wild before widespread awareness.
Technical Details
- Vulnerability Type: Deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code on vulnerable SharePoint servers.
- CVSS Score: 8.8 (High Severity).
- Affected Systems: SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016.
- Exploit Conditions: Requires authentication with a minimum of "Site Member" permissions; no elevated privileges needed. Microsoft notes the exploit is repeatable and does not require significant prior knowledge of the system.
- Mitigation: Microsoft released an out-of-band security update in late May; CISA mandates patching within three days for federal agencies.
Industry Insight
- Prioritize Low-Privilege Vectors: Attackers are increasingly targeting vulnerabilities that require only basic permissions, forcing organizations to audit and restrict "Site Member" level access more strictly.
- Accelerate Patch Cadence: The rapid addition to the KEV catalog and the short three-day mandate for federal agencies signal that reactive patching is insufficient; automated deployment pipelines for critical security updates are essential.
- Monitor Collaboration Platforms: As SharePoint serves as a backbone for document sharing and intranets, it remains a high-value target; continuous monitoring for anomalous activity in these environments is crucial for early detection of exploitation attempts.
Disclaimer: The above content is generated by AI and is for reference only.