CISA Adds SharePoint CVE-2026-45659 to KEV After Active Exploitation
CISA added CVE-2026-45659 in Microsoft SharePoint to its KEV catalog after active exploitation, and Microsoft’s May 2026 fixes cover SharePoint 2016, 2019, and Subscription Edition.
Published
Jul 02, 2026Duration
4 min readRisk Level
High SeverityIntel Tags
Why it matters
CISA’s KEV addition is the signal defenders should pay attention to: CVE-2026-45659 is now treated as an actively exploited SharePoint RCE, not a theoretical bug. Microsoft’s advisory says the flaw can let an authenticated attacker with low privileges execute code over the network, so exposure on internet-facing or broadly reachable SharePoint servers should be treated as urgent.
What happened
On July 1, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog. Microsoft’s MSRC guidance identifies the issue as a SharePoint remote code execution vulnerability caused by deserialization of untrusted data and says it was released in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The Hacker News reported the KEV addition on July 2 and echoed the same vendor and government guidance.
Technical details
The Microsoft record assigns CVE-2026-45659 a CVSS score of 8.8 and an attack vector of network with low privileges required and no user interaction. CISA’s notice cites evidence of active exploitation, while Microsoft says the vulnerability affects authenticated users and that the corresponding fixes were published in May 2026. The practical takeaway is straightforward: this is an authenticated RCE in a widely deployed collaboration platform, with a public remediation path already available.
Defender actions
- Prioritize patching SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition using the May 2026 updates referenced by Microsoft.
- Focus first on externally reachable and high-value SharePoint instances.
- Review authentication and admin activity around SharePoint for anything unusual, especially unexpected code-execution or configuration changes.
- If May 2026 updates are already installed, Microsoft says no further action is needed, but defenders should still confirm build numbers and exposure.