CISA: Attackers Are Actively Exploiting a Dangerous Flaw in Microsoft SharePoint
A vulnerability in SharePoint — Microsoft's widely used workplace file-sharing and collaboration platform — lets criminals run malicious code on company servers. Patches have been available since late May. Many organisations haven't applied them.

Key points
- CVE-2026-45659, a high-severity flaw in Microsoft SharePoint Server, was added to CISA's Known Exploited Vulnerabilities catalogue on the same Wednesday CISA issued its warning.
- The US Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies three days to patch, under a standing directive called BOD 26-04.
- Microsoft rated the vulnerability 8.8 out of 10 on the CVSS scale — a standard industry scoring system where 10 is the most severe possible.
- SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint Enterprise Server 2016 are all affected.
- Microsoft released a fix in late May 2026; any organisation that hasn't applied it is exposed right now.
Criminals are actively breaking into corporate SharePoint servers using a flaw Microsoft patched weeks ago. CISA confirmed active exploitation on Wednesday, adding CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue — a public list of security gaps that hackers are demonstrably using in real attacks.
SharePoint is the platform millions of organisations use to share documents, run internal websites, and collaborate across teams. It sits at the heart of many corporate networks, which is exactly why attackers target it.
How hard is this to exploit?
Not hard at all, according to Microsoft. An attacker only needs a basic, low-level account on a targeted SharePoint site — the kind of access a regular employee would have. From there, they can trigger what Microsoft calls a "deserialization of untrusted data" flaw, meaning the server can be tricked into accepting and running malicious instructions it should have rejected.
Microsoft's own advisory notes the attack does not require "significant prior knowledge of the system" and that criminals can achieve "repeatable success" against vulnerable servers. In plain terms: this is not a complex, specialist attack. It is a reliable, repeatable one.
Once the flaw is triggered, the attacker can run any code they choose on the server. That could mean stealing documents, installing malware — malicious software designed to damage or control a system — or using the SharePoint server as a stepping stone deeper into the organisation's network.
CISA has not published details of the specific attacks it observed. No public reports of exploitation existed before the agency's warning, but the warning itself confirms that has now changed.
Microsoft issued a fix through an emergency, out-of-band update in late May — meaning it released the patch outside its usual monthly schedule because the issue was serious enough to warrant immediate action. The patch covers all four affected versions.
What affected organisations should do
If your organisation runs any version of SharePoint Server, ask your IT team whether the May 2026 patch has been applied. Federal agencies in the US must act within three days under CISA's directive. Every other organisation should treat this with the same urgency. Review which staff accounts hold SharePoint Site Member permissions or above, and remove access that isn't genuinely needed — limiting who can log in reduces the window an attacker has to exploit this flaw.



