CISA adds SharePoint RCE CVE-2026-45659 to KEV after Microsoft’s “Less Likely” call
Federal agencies now face July 4 deadlines: patch SharePoint on-prem Server editions or stop using vulnerable systems.

CISA added CVE-2026-45659, a remote code execution flaw in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities list after confirming active exploitation. The development forces decision-makers to treat May patches as already behind schedule, with federal civilian agencies directed to comply by July 4 or discontinue use.
CISA just moved CVE-2026-45659 into its Known Exploited Vulnerabilities catalog, and it is the kind of “prediction versus reality” moment CISOs hate. Microsoft had rated real-world exploitation of the patched SharePoint bug as “Less Likely” when the fixes landed. CISA’s addition signals the opposite: the agency has confirmed the vulnerability is being actively exploited in the wild.
The flaw is a remote code execution (RCE) issue in on-premises Microsoft SharePoint Server caused by deserialization of untrusted data. It impacts SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft patched it in May, and CISA’s KEV listing raises the urgency from “work it into the next sprint” to “assume attackers already know the roadmap.”
Here is the part that matters for operational planning: this isn’t a “burn an admin password and pray” exploit chain. Microsoft’s advisory says that exploitation requires no elevated privileges. In Microsoft’s words, “Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.” It also says that in a network-based attack, an authenticated attacker with a minimum of Site Member permissions can execute code remotely on the SharePoint Server, which is why the advisory rates Privileges Required as low rather than none.
So the attack surface is, in practice, narrower than “the internet gets owned.” But it is still disturbingly accessible. An attacker who has already obtained valid credentials can meet the permission threshold without first compromising the whole organization. The attack can be launched remotely over the network with low attack complexity, making it straightforward once the attacker has a foothold. And unlike some of SharePoint’s more notorious bugs, this one is not a pre-authentication flaw: the attacker needs a valid account before reaching the vulnerable code path, but Site Member is the ordinary contributor role, not an administrative one, so that bar is routinely met by phished or purchased credentials.
CISA did not publicly name who is exploiting the flaw or how widespread the attacks are. But the agency’s guidance is explicit about what federal civilian agencies must do. CISA directed agencies to follow Binding Operational Directive 26-04 by applying Microsoft’s fixes no later than July 4. If mitigations are not available, agencies are told to discontinue use of affected systems.
That July 4 date is the real clock for leadership teams. It is not a “monitor and reassess” timeline. KEV listings are designed to compress decision-making by removing ambiguity. Once a vulnerability hits KEV, boards and executive incident committees tend to treat it like an operational risk with regulatory-grade urgency, because it becomes tied to mandated actions. In other words, CISA is turning a technical advisory into an accountability calendar.
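The KEV listing turns into a per-host decision: every unpatched, affected SharePoint farm either gets the May fix before the due date or comes offline. The following is an added example, not code from the article, CISA or Microsoft: a small Python triage that reads a KEV-style record, checks it against a server inventory, and ranks unpatched hosts by due date and exposure. The KEV record, the inventory, the hostnames, the internet_reachable attribute and the "today" date are all constructed or assumed; only the CVE id, the affected editions, the July 4 due date and the patch-or-discontinue action come from the article. The field names match CISA's public KEV JSON feed, so load_kev() can be pointed at a downloaded copy of the real feed.

```python
"""KEV-driven patch triage for an on-prem SharePoint estate.

Added example; not code from the article, CISA or Microsoft. The KEV record and
the server inventory are constructed for illustration. Field names follow the
public CISA KEV JSON feed (cveID, vendorProject, product, dueDate, requiredAction).
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style record. The CVE id, product, July 4 due date and the
# "patch or discontinue use" action are what the article reports; nothing else
# here is taken from the real feed.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [{
        "cveID": "CVE-2026-45659",
        "vendorProject": "Microsoft",
        "product": "SharePoint Server",
        "dueDate": "2026-07-04",
        "requiredAction": "Apply mitigations per vendor instructions or "
                          "discontinue use of the product if mitigations are unavailable.",
    }]
})

# Editions the article names as affected. Editions outside this set are simply
# out of scope for this entry; the script makes no claim about them.
AFFECTED_EDITIONS = {
    "SharePoint Server Subscription Edition",
    "SharePoint Server 2019",
    "SharePoint Enterprise Server 2016",
}

_PRIORITY_RANK = {"OVERDUE": 0, "P1": 1, "P2": 2}


@dataclass(frozen=True)
class SharePointHost:
    hostname: str
    edition: str
    internet_reachable: bool  # assumed inventory attribute (CMDB / edge scan)
    patched: bool             # True once the May fix is confirmed installed


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve: str
    days_remaining: int
    priority: str
    action: str


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed (real or constructed) by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(hosts, kev: dict, cve: str, today: date) -> list:
    """Return unpatched affected hosts ordered by urgency against the KEV due date.

    Reachability decides P1 vs P2: the flaw needs only a Site Member account, so
    a farm reachable from outside widens the population that can meet that bar.
    """
    due = date.fromisoformat(kev[cve]["dueDate"])
    findings = []
    for h in hosts:
        if h.edition not in AFFECTED_EDITIONS or h.patched:
            continue
        days = (due - today).days
        if days < 0:
            priority = "OVERDUE"
            action = "apply vendor fix now or discontinue use (KEV required action)"
        else:
            priority = "P1" if h.internet_reachable else "P2"
            action = f"apply vendor fix before {due.isoformat()}"
        findings.append(Finding(h.hostname, cve, days, priority, action))
    return sorted(findings, key=lambda f: (_PRIORITY_RANK[f.priority], f.days_remaining))


# Constructed inventory: not real hosts.
SAMPLE_HOSTS = [
    SharePointHost("sp-sub-01", "SharePoint Server Subscription Edition", True, False),
    SharePointHost("sp-2019-02", "SharePoint Server 2019", False, False),
    SharePointHost("sp-2016-03", "SharePoint Enterprise Server 2016", False, True),
    SharePointHost("sp-2013-04", "SharePoint Server 2013", True, False),
]


def build_report(today_iso: str = "2026-06-20") -> list:
    """Run the triage over the constructed inventory for an assumed 'today'."""
    return triage(SAMPLE_HOSTS, load_kev(KEV_FEED_JSON), "CVE-2026-45659",
                  date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in build_report():
        print(f"{f.priority:8} {f.hostname:12} {f.days_remaining:>4}d  {f.action}")
```

Run against the sample inventory on the assumed date, the already-patched 2016 host and the unlisted 2013 host drop out, the internet-reachable Subscription Edition farm lands at P1, and the internal 2019 farm at P2, each with 14 days to the deadline. Move the date past July 4 and both flip to OVERDUE with the discontinue-use fallback in the action column.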
Microsoft also provided a scoring signal: the vulnerability carries a CVSS score of 8.8. The more interesting number, though, is Microsoft’s exploitability assessment at the time of patching. When the patches were released, Redmond rated real-world exploitation as “Less Likely.” That prediction is not a promise, and it is also the kind of forecast that gets rewritten quickly once attackers reverse engineer the patch and turn it into working tooling.
For executives, this is the lesson hiding inside the headline. Your patch management plan should not be built around vendor confidence levels as if they were certainty. It should be built around attacker time-to-adoption, the minimum permissions an attacker needs, and what happens when systems are exposed or reachable. SharePoint is a high-value enterprise collaboration platform, and in real environments, on-prem deployments can persist alongside long-tail dependencies, integrations, and staggered maintenance windows.
The second-order implication: KEV escalation is likely to increase pressure across vendors and internal stakeholders. Security teams will get more direct questions from compliance, IT operations, and procurement, especially when the same SharePoint farm touches document workflows, business processes, and audit trails. And if your organization is subject to federal reporting or aligns with federal standards, the KEV listing can effectively become a governance trigger even if your systems are not formally “federal.”
Bottom line: CISA’s KEV addition for CVE-2026-45659 is a clear signal that the exploitation window opened sooner than Microsoft’s “Less Likely” label suggested. With low attack complexity and nothing more than an authenticated account holding Site Member permissions required, the risk is practical for anyone running vulnerable on-prem SharePoint Server editions. If you are still exposing unpatched SharePoint servers, this is not a future problem. It is a race, and the checkpoint is already here.