CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog after confirming active attacks against Microsoft SharePoint Server. The high-severity flaw is a deserialization of untrusted data issue that lets an authenticated attacker with only Site Member permissions execute arbitrary code on vulnerable, internet-exposed servers, with no user interaction required and low attack complexity. Microsoft said the bug is easy to exploit with repeatable success and released fixes in late May after the CVE was initially omitted from its May 2026 security updates.
The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016. CISA ordered Federal Civilian Executive Branch agencies to remediate the issue within days under BOD 26-04, while internet scanning data cited by Shadowserver shows more than 10,000 SharePoint servers remain exposed online. Separately, Microsoft disclosed a ransomware investigation involving Storm-2603 and another threat actor operating in the same compromised environment, where the attackers used persistence, remote access tools, privilege escalation, and defense evasion after initial access was likely obtained through CVE-2025-11371 in Gladinet Triofox.

5 events from the most recent confirmed update back to the earliest known activity.
Following the KEV addition, CISA directed Federal Civilian Executive Branch agencies to remediate CVE-2026-45659 by July 4, 2026, under Binding Operational Directive 26-04. Multiple sources describe the deadline as within three days or by Saturday.
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog after citing evidence of active exploitation against Microsoft SharePoint Server. The agency also warned that authenticated attackers with Site Member permissions can exploit the deserialization flaw for remote code execution.
The Canadian Centre for Cyber Security issued Alert AL26-015 warning that CVE-2026-45659 in on-premises Microsoft SharePoint Server was being actively exploited. The alert urged organizations to identify internet-exposed SharePoint servers, apply Microsoft's latest updates, and upgrade to fixed versions, and it noted the upcoming July 14, 2026 end-of-life dates for SharePoint Enterprise Server 2016 and SharePoint Server 2019.
CISA added CVE-2026-45659, a Microsoft SharePoint Server deserialization vulnerability, to its Known Exploited Vulnerabilities catalog and stated it had been exploited in the wild. The KEV entry directed organizations to apply vendor mitigations, follow BOD 26-04 and forensics guidance, or discontinue use if mitigations were unavailable.
Microsoft released security updates for CVE-2026-45659 affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. One source says the updates were released on May 21 after the CVE was accidentally omitted from the May 2026 Security Updates, while others describe the patch as an out-of-band release in late May 2026.