"Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges," Microsoft explains — a plain description that, according to U.S. federal authorities, now describes code execution attacks being carried out in the wild.
CVE-2026-45659: a deserialization flaw that permits remote code execution
The flaw tracked as CVE-2026-45659 stems from "deserialization of untrusted data" and allows low-privilege actors to execute arbitrary code on vulnerable Microsoft SharePoint servers, according to vendor and federal advisories. Microsoft characterizes the attack vector as Network (AV:N) and the attack complexity as Low (AC:L), noting that exploitation can be carried out remotely and "does not require significant prior knowledge of the system."
Microsoft further explains that an attacker need only be authenticated with a minimum of Site Member permissions (PR:L) to trigger remote code execution, and that the vulnerability can be exploited in "low-complexity attacks that don't require user interaction." CISA warned on Wednesday that attackers have begun exploiting the weakness.
Microsoft patches and patching history: May 21 update and prior fixes
Microsoft released security updates for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition on May 21 to address CVE-2026-45659. The company said the CVE had been "accidentally omitted from the May 2026 Security Updates," a point Microsoft disclosed alongside the fixes.
The vendor had also addressed another SharePoint vulnerability with the April 2026 Patch Tuesday release; that earlier defect was likewise noted as having been exploited in zero-day attacks. Together, the two months' activity underscores repeated targeting of SharePoint by attackers, per public advisories.
CISA adds CVE-2026-45659 to the Known Exploited Vulnerabilities catalog and invokes BOD 26-04
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) Catalog. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to secure affected servers by Saturday under Binding Operational Directive (BOD) 26-04, the agency said.
CISA emphasized that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise" and instructed agencies to "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable." BOD 26-04 requires agencies to prioritize patching based on KEV inclusion, exploit automation potential, internet exposure, and the degree of control an attacker gains on successful exploitation.
Exposure on the public internet: Shadowserver's tracking and unknown remediation rate
Internet security group Shadowserver is tracking more than 10,000 SharePoint servers exposed online, the advisory noted. The bulletin does not report how many of those servers have been patched against CVE-2026-45659 or otherwise mitigated, leaving the scale of remaining exposure unclear.
That uncertainty matters because CISA described the attack vector as remotely exploitable from the internet and said exploitation does not require user interaction — characteristics that increase the potential for automated, large-scale abuse if widely unpatched installations remain reachable.
What this means for technologists, FCEB agencies, and enterprises
- Technologists and security teams: The technical description in vendor and federal notices — deserialization of untrusted data, low attack complexity, network-exploitable RCE — signals a high-priority patch and verification task for teams responsible for SharePoint estate hygiene and external-facing assets.
- Federal Civilian Executive Branch agencies: CISA's KEV listing and BOD 26-04 deadline direct FCEB agencies to remediate by Saturday; agencies must follow BOD 26-04 guidance for cloud services or discontinue affected products where mitigations are unavailable.
- Enterprises and procurement leaders: The advisory thread — a May 21 patch addressing an omitted CVE, an April zero-day, and CISA noting many previously abused SharePoint flaws (11 since 2021, seven tied to ransomware) — highlights a recurring risk profile for SharePoint deployments that procurement and lifecycle decision-makers should weigh when evaluating support and upgrade paths.
CISA's public notice, Microsoft patch guidance, and Shadowserver's exposure count together create a narrow, time-sensitive window: patches exist, federal authorities have mandated rapid remediation for civilian agencies, and more than 10,000 internet-facing SharePoint instances are being tracked as exposed. The advisory leaves one concrete question unsettled: of those 10,000-plus exposed servers, how many have already been secured against active exploitation of CVE-2026-45659?




