- CVE: CVE-2026-45659
- CVSS: 8.8 (High · CVSSv3)
- Product: Microsoft SharePoint Enterprise Server 2016
- Affected: 16.0.0
- Impact: Microsoft SharePoint Remote Code Execution Vulnerability
- Status: Exploited in the wild
- Patched in: 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280
- EPSS: 2.8% (30-day)
- Action: Update to 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280 now
TL;DR
CISA added a Microsoft SharePoint vulnerability to its Known Exploited Vulnerabilities catalog on 1 July 2026. Tracked as CVE-2026-45659, the flaw allows remote code execution. CISA confirmed active exploitation in the wild. Federal agencies must patch by 4 July 2026.
Why It Matters
SharePoint servers hold sensitive corporate data and often face the internet. So attackers prize them as entry points. This SharePoint vulnerability now joins a long list of exploited SharePoint flaws in the KEV catalog. Attackers can run code and then move deeper into a network. SharePoint has drawn nation-state crews and ransomware operators before. Therefore, every on-premises operator should treat it as urgent.
How the Attack Works
The flaw stems from unsafe deserialization of untrusted data. A SharePoint endpoint accepts crafted serialized input and rebuilds it into objects. It does so without validating the object types. As a result, the attacker runs arbitrary code in the server context. From there, they can steal documents or pivot across the domain.
An attacker still needs to authenticate first. However, the bar is low. Any account with Site Member permissions works. Microsoft rates the attack complexity as low, and no user interaction is required.
Affected Versions
The bug affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The same update covers both 2016 editions. SharePoint in Microsoft 365 is not listed.
Patch and Mitigation
Microsoft fixed the flaw in its May 2026 security updates. So install those updates without delay. Until you patch, restrict SharePoint access to trusted users. Also audit Site Member permissions and cut internet exposure where possible. Watch the SharePoint worker process for unexpected child processes too. These steps shrink the attack surface fast.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.