The US Cybersecurity and Infrastructure Safety Company (CISA) warned on Wednesday that attackers have begun exploiting a high-severity distant code execution vulnerability in Microsoft SharePoint.
This safety flaw, tracked as CVE-2026-45659, is because of a deserialization of untrusted information vulnerability that enables low-privileged attackers to execute arbitrary code on an unpatched SharePoint server through a low-complexity assault that doesn’t require consumer interplay.
“An authenticated attacker can set off this vulnerability with out requiring administrator or different elevated privileges. A network-based assault might permit an authenticated attacker with least website member privileges (PR:L) to remotely execute code on SharePoint Server,” Microsoft explains.
“The assault vector is community (AV:N) as a result of this vulnerability might be exploited remotely and even from the Web. The assault complexity is low (AC:L) as a result of the attacker doesn’t require vital prior data of the system and may obtain reproducible success with payloads in opposition to susceptible parts.”
On Could 21, Microsoft launched safety updates for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Version that deal with the vulnerability, stating that the CVE was inadvertently omitted from the Could 2026 safety replace.
Web safety monitoring group Shadowserver at the moment tracks greater than 10,000 SharePoint servers on-line. Nonetheless, there isn’t any data on what number of of those gadgets are already shielded from the continuing CVE-2026-45659 assault.

Microsoft addressed one other SharePoint vulnerability exploited in a zero-day assault with Patch Tuesday, April 2026.
CISA on Wednesday added the vulnerability to its Catalog of Identified and Exploited Vulnerabilities (KEV) and ordered Federal Civilian Govt Department (FCEB) companies to safe their servers by Saturday, as required by Binding Operational Directive (BOD) 26-04.
BOD 26-04, issued final month, requires U.S. federal companies to prioritize patching primarily based on whether or not a safety flaw is included in CISA’s KEV catalog, whether or not the exploit might be automated for large-scale assaults, whether or not the asset is uncovered on-line, and whether or not a profitable exploit would give the attacker partial or full management of the goal system.
“These kind of vulnerabilities are a frequent assault vector by malicious cyber attackers and pose vital dangers to federal enterprises,” the Cybersecurity Company warned yesterday. “Observe the BOD 26-04 steerage relevant to your cloud service or discontinue use of the product if mitigations aren’t accessible. Stakeholders are answerable for assessing every asset’s Web publicity and making certain compliance with BOD 26-04 patching tips.”
Since 2021, CISA has tagged 11 Microsoft SharePoint vulnerabilities which can be being exploited within the wild, seven of which have additionally been exploited in ransomware assaults.
Safety groups doc 54% of profitable assaults and difficulty a warning on solely 14%. The remaining strikes invisibly by means of the atmosphere.
Picus’ whitepaper reveals take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
