defense · BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that a high-severity Microsoft SharePoint remote code execution vulnerability (CVE-2026-45659) is now being actively exploited in the wild. The flaw stems from unsafe deserialization of untrusted data and allows authenticated attackers with low privileges and no elevated permissions to execute arbitrary code on unpatched SharePoint servers through low-complexity network-based attacks requiring no user interaction. Microsoft released patches on May 21, 2026, for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition after the CVE was accidentally omitted from the May 2026 Security Updates. Shadowserver is currently tracking over 10,000 SharePoint servers exposed online, though it is unclear how many have been patched.
Organizations operating SharePoint infrastructure—particularly defense contractors managing controlled unclassified information and healthcare providers subject to HIPAA—should treat this as a high-priority patching event. CISA has added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog and issued a binding directive requiring federal agencies to patch by a specific deadline. For regulated entities in SOC2 observation or NIST 800-171 compliance, SharePoint exploitation represents both a control failure and a reportable incident risk. An Omniware engagement can assess your current SharePoint inventory, patch status, and compensating controls to ensure alignment with your compliance obligations.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-microsoft-sharepoint-rce-flaw-now-actively-exploited/
Source: BleepingComputer
All briefings