Lead Analysis
Security & Risk

CISA Flags SharePoint CVE-2026-45659 as Exploited in Attacks, Agencies Have Until July 4 to Patch

Image: a security operations room at night, a lone analyst lit by amber monitors showing an alert for the SharePoint vulnerability CVE-2026-45659 and a map of affected sites.

Remote code execution vulnerability patched by Microsoft on May 26 lingered for months without a fix on exposed servers. CISA added it to the KEV catalog on July 1, and The Hacker News detailed the attack on July 2.

What CISA Added to the KEV Catalog


On July 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659, a remote code execution flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. The entry sets July 4 as the deadline for Federal Civilian Executive Branch agencies to apply the patch. That is one of the shortest windows CISA has imposed this year, and it signals how seriously the agency regards the ongoing attacks. Detailed coverage appeared in The Hacker News on July 2.


With a CVSS score of 8.8, the vulnerability stems from deserialization of untrusted data (CWE-502) and affects all three supported on-premises editions of SharePoint: Subscription Edition, Server 2019, and Enterprise Server 2016. Microsoft released the patch on May 26, but the 36-day gap between the fix and the KEV entry means that servers left exposed had ample time to become targets.


Why Site Member is the Critical Point


The technical detail that most concerns those responsible for on-premises SharePoint is the minimal privilege required. The attacker only needs a valid credential at the Site Member level, the lowest in the platform's collaborative hierarchy. In typical corporate environments almost every employee holds this access by default, which turns any leaked credential, whether from a password dump or obtained via phishing, into a direct path to code execution on the server.


CISA did not disclose details of the observed attacks, which is standard practice for the agency when publishing them could help others replicate the technique. Microsoft, approached by The Hacker News, did not comment on the specific vector. What threat intelligence analysts at vendors such as Rapid7 and Tenable observe is the classic post-patch scanning pattern: groups wait for disclosure, reproduce the exploit, and hunt for targets that did not apply the May monthly bulletin.


Two Geographies with the Same Structural Problem


The alert comes from CISA, but on-premises SharePoint exists in jurisdictions where the U.S. agency has no reach. In Switzerland, Swiss Security Insights published a parallel remediation guide for private banks and the local public sector, noting that the Subscription Edition still serves as the document platform for numerous cantons. In Germany, the BSI observes the same pattern in state governments and the defense sector, where SharePoint 2019 remains installed because of data sovereignty requirements. In both cases, Site Member as the baseline privilege means that tax auditors, prosecutors, and external vendors all become potential vectors for escalation.


The point of convergence between the markets: in multinational environments, Microsoft's May patch is distributed centrally but depends on local maintenance windows. A global bank with SharePoint replicated in eight countries may apply the bulletin at headquarters in three days but could take weeks to reach remote units. This gap is exactly what CISA aimed to close when it reduced the KEV deadline to three business days.


What We Still Don't Know


Microsoft has not publicly confirmed the number of compromised organizations or detailed the post-deserialization vector. Neither has CISA. In these cases, journalistic rigor demands heightened attention to vocabulary. It is not possible to state that "ransomware groups are exploiting" the flaw without confirmation from the victim or the regulatory body. What we know by the time of this publication is: exploitation is active, the federal deadline is July 4, and the patch has been available since May 26. Teams that have not yet applied the May bulletin have less than 72 hours before the official U.S. reference becomes a standard for internal auditing in banks, insurers, and public agencies.


The real cost of delay is not a fine from CISA. It is the next line of scrutiny that internal auditors will enforce when the KEV list turns into a mandatory checklist under ISO 27001 and SOC 2 policies. Starting this Wednesday, every SharePoint server without the May patch will become an automatic finding in any compliance review, and this applies from New York to São Paulo, from Zurich to Singapore. For cloud operators still maintaining on-premises SharePoint sites due to regulatory requirements, the situation is even worse: the legacy infrastructure exception becomes the risk vector that burdens the rest of the environment.
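One way for an internal audit team to turn the KEV list into the checklist the article describes, as an added example that is not part of the original article: the script below reads a KEV-style JSON structure (the public CISA feed uses the field names shown, but the excerpt, host names and patch states here are constructed so it runs offline) and reports every unpatched host whose product appears in the catalog, with the days remaining before the federal due date.

```python
"""Triage CISA KEV entries against a local server inventory (added example).

Assumes the KEV feed shape (cveID, vendorProject, product, dateAdded, dueDate,
requiredAction). The sample entry and inventory below are constructed; the CVE,
product and dates come from the article.
"""
from datetime import date

# Constructed excerpt mimicking the KEV feed shape (the real feed has many entries).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "dateAdded": "2026-07-01",
         "dueDate": "2026-07-04",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
}

# Constructed inventory: hostname, product, and whether the May 26 bulletin is applied.
INVENTORY = [
    {"host": "sp-hq-01", "product": "SharePoint Server", "patched": True},
    {"host": "sp-branch-07", "product": "SharePoint Server", "patched": False},
    {"host": "sql-01", "product": "SQL Server", "patched": False},
]


def kev_findings(kev, inventory, today_iso):
    """Return one finding per unpatched host matching a KEV product.

    days_left counts calendar days to the KEV due date and goes negative once
    the deadline has passed; overdue flags that case explicitly.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for vuln in kev["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if asset["patched"]:
                continue
            # Case-insensitive substring match so "SharePoint" also hits "SharePoint Server".
            if vuln["product"].lower() not in asset["product"].lower():
                continue
            findings.append({"host": asset["host"], "cve": vuln["cveID"],
                             "due": vuln["dueDate"],
                             "days_left": (due - today).days,
                             "overdue": today > due})
    return findings


if __name__ == "__main__":
    for f in kev_findings(KEV_SAMPLE, INVENTORY, "2026-07-02"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} day(s) left"
        print(f"{f['host']}: {f['cve']} due {f['due']} ({status})")
```

Replacing KEV_SAMPLE with the parsed live feed and INVENTORY with a CMDB export gives the same report for a real estate.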
