CISA Warns of Active Exploitation of Microsoft SharePoint Remote Code Execution Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors are actively exploiting CVE-2026-45659, a high severity remote code execution vulnerability affecting on premises Microsoft SharePoint Server deployments. The vulnerability, caused by the deserialization of untrusted data, allows an authenticated attacker with only Site Member permissions to execute arbitrary code remotely against vulnerable SharePoint servers. Following confirmation of active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and directed federal agencies to remediate affected systems within an accelerated timeframe.


SharePoint remains one of the most widely deployed enterprise collaboration platforms and is frequently integrated with document repositories, Active Directory, and Microsoft 365 environments. Successful exploitation can provide attackers with a foothold for credential theft, lateral movement, persistence, and access to sensitive organizational data. Security researchers noted that although Microsoft released patches for the vulnerability in May, many organizations may not have recognized its significance until CISA confirmed active exploitation.


The incident underscores the continued targeting of internet-facing enterprise applications by threat actors seeking initial access into corporate networks. It also highlights the importance of rapid vulnerability management, particularly for collaboration platforms that provide broad access to organizational information. Organizations should ensure all affected SharePoint servers are fully patched, review SharePoint permissions for unnecessary privileged access, and monitor for indicators of compromise associated with exploitation attempts.

Share

Related Posts

getty-images-aTWKwJllPOA-unsplash
chris-yang-1tnS_BVy9Jk-unsplash
getty-images-YuyQoigjXGc-unsplash

Copyright © All Right Reserved

Privacy Policy