CISA orders federal agencies to patch SharePoint flaw by Saturday as attacks begin
A newly exploited Microsoft SharePoint bug lands in CISA's Known Exploited Vulnerabilities Catalog, triggering a three-day patching clock under Binding Operational Directive 26-04.

Key points
- The U.S. Cybersecurity and Infrastructure Security Agency confirmed on Wednesday that attackers are exploiting CVE-2026-45659, a high-severity flaw in Microsoft SharePoint Server.
- Federal civilian agencies must patch by Saturday under Binding Operational Directive 26-04, issued last month.
- Microsoft released fixes on May 21 for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
- The internet-scanning group Shadowserver counts more than 10,000 SharePoint servers exposed to the open internet.
- Since 2021, CISA has flagged 11 SharePoint bugs as exploited in the wild, with seven used in ransomware attacks.
The U.S. cybersecurity agency CISA told federal agencies on Wednesday to fix a serious flaw in Microsoft SharePoint within days. Attackers are already using it to break into servers.
The bug is tracked as CVE-2026-45659. SharePoint is the software many organisations use to store internal documents and run team websites. The flaw lets an attacker who already has a basic user account run their own code on the server — effectively taking it over.
Microsoft's advisory is blunt about how low the bar is. "Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges," the company writes. A person with the minimum "Site Member" permission is enough.
The attack works over the network. It can be launched from the internet, and Microsoft rates the complexity as low, meaning it works reliably without special tricks.
What is CISA actually requiring, and by when?
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog on Wednesday, giving Federal Civilian Executive Branch agencies until Saturday to patch. That deadline is set by Binding Operational Directive 26-04, a rule issued last month that tightens how quickly agencies must respond to actively exploited bugs.
BOD 26-04 is worth reading closely. It tells agencies to prioritise a vulnerability based on four tests: whether it sits in the KEV catalog, whether attacks against it can be automated at scale, whether the affected system is exposed to the internet, and whether a successful attack hands over partial or full control of the device.
All four tests apply here. The directive also tells agencies to "follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable." That last clause — pull the plug if you cannot patch — is the sharpest enforcement lever CISA has short of a formal emergency directive.
The directive binds federal civilian agencies. It does not bind private companies. But CISA's KEV listings are widely treated as a de facto patching standard by insurers, auditors and regulators, so the practical reach is broader than the legal one.
How did we get here?
Microsoft released the fix on May 21 for three products: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The company acknowledged that the CVE had been "accidentally omitted" from the May 2026 Security Updates bundle, a bookkeeping slip that likely delayed some patching cycles.
This is the second SharePoint bug this year to reach the KEV catalog. Microsoft patched a separate SharePoint zero-day — a flaw exploited before a fix existed — in its April 2026 Patch Tuesday release, as first reported by BleepingComputer.
Shadowserver, a nonprofit that scans the public internet, is tracking more than 10,000 SharePoint servers reachable online. How many have installed the May update is unknown.
What should organisations do now?
Install the May 21 update. If a SharePoint server is exposed to the internet and cannot be patched immediately, take it off the public web until it can be.
SharePoint has a long history of being weaponised. CISA has now tagged 11 SharePoint vulnerabilities as actively exploited since 2021, with seven feeding ransomware campaigns — the kind of attack that locks a company's files until it pays. Treat this one as the same category of risk, not a routine update.



