Thursday, July 2, 2026

US cyber agency warns over forgotten SharePoint flaw

A recently-identified but accidentally unpublicised remote code execution (RCE) flaw in Microsoft SharePoint, tracked as CVE-2026-45659, has been added to the US Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue after evidence of active exploitation in the wild was identified.

Microsoft is understood to have made a patch for CVE-2026-45659 available in the May 2026 Patch Tuesday update, but according to the supplier, details of the CVE were “inadvertently omitted” from the update bulletin.

Organisations that have fully installed the May updates should not need to take any further action, but Ben Ronallo, cyber security operations director at Black Duck, said that the omission of the flaw from the bulletin compounded the risk to end-user organisations.

“Any organisation that relies solely on the published bulletin, rather than independently scanning and verifying patch levels, may have deprioritised this fix without realising it was already available. It’s a reminder that patch bulletins are a starting point, not a substitute for verifying what’s actually running,” he said. 

“Any organisation that identifies an on-prem SharePoint installation with a patch version older than May 21st, 2026, should immediately engage patching and incident response procedures to resolve the risk, identify any indicators of compromise, and contain any potential exposure.”

CVE-2026-45659 arises from the deserialisation of untrusted data, a bug class that Cisa described as a “frequent attack vector” for malicious actors. Microsoft said it can be exploited by an authenticated attacker with minimal privileges, and warned that it is comparatively trivial to exploit. It affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016.

The addition of a flaw to the Cisa Kev catalogue obliges federal civilian executive branch (FCEB) government bodies and agencies to patch it by a set deadline – in this case Saturday 4 July – but the agency stressed that all exposed organisations should prioritise remediation. It did not provide any details of the attacks in which the vulnerability has been exploited.

Further highlighting the risk to exposed organisations, Robert Coles, senior manager of threat intelligence security at Black Duck, said: “The thing most coverage misses is that SharePoint stopped being a file share years ago. Rather, it is where many organisations keep resources that truly matter: contracts, HR files, sensitive legal documents, and so on.

“As such, an attacker who manages to gain access isn’t just grabbing a few files. They’re in a position most insiders don’t even have. And that’s before you get to the lateral movement problem. SharePoint is trusted. It talks to other systems. Getting a foothold there is often more valuable than the documents themselves.”

Coles highlighted in particular the low level of privilege needed to exploit CVE-2026-45659, which widens the potential pool of attackers to anybody with a valid account.

Kev updates

In the past seven days, Cisa has added three other vulnerabilities to the Kev catalogue. These are:

  • CVE-2026-12569, an RCE flaw in PTC Windchill and FlexPLM;
  • CVE-2026-20230, a server-side request forgery (SSRF) flaw in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition;
  • And CVE-2026-48558, a security feature bypass (SFB) flaw in SimpleHelp that may in some cases also allow an attacker to defeat multifactor authentication (MFA) measures.
