If you rely on SharePoint Server for internal collaboration, there’s a real-world risk you need to know about today.
What happened
Security researchers and officials are highlighting CVE-2026-45659 as a high-severity remote code execution vulnerability in SharePoint Server. The issue involves deserialization of untrusted data and can be triggered by an authenticated user with Site Member permissions, potentially allowing code to run on the server. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation observed in the wild. Microsoft released patches in May 2026 for affected products, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. For the latest details, see the official advisory pages from CISA and Microsoft.
CISA KEV page on CVE-2026-45659 • Microsoft MSRC advisory for CVE-2026-45659
Why it matters
This isn’t just another CVE in a crowded advisories feed. SharePoint Server often hosts internal documents, calendars, and workflows used by many teams. If a threat actor can exploit this vulnerability on on-premises SharePoint, they could gain control over the affected server, access sensitive data, or pivot to other systems. Small businesses and IT teams with limited downtime budgets are especially at risk if patch windows slip or if on-prem systems are exposed to the internet.
Practical steps you can take
- Check your environment: Identify if you run SharePoint Server Subscription Edition, SharePoint Server 2019, or SharePoint Enterprise Server 2016 in any data center or office location.
- Patch promptly: Apply the May 2026 Microsoft patches for the affected SharePoint versions. See the Microsoft advisory for exact build numbers and update paths. MSRC advisory
- Limit exposure: If patching immediately isn’t possible, temporarily reduce exposure by removing external access to SharePoint, or restricting it to trusted internal networks and VPNs. Consider reviewing and tightening site permissions so only necessary accounts have access.
- Enforce strong access controls: Enable MFA for accounts with SharePoint access and review privilege assignments for Site Members.
- Improve monitoring: Turn on auditing and capture relevant logs. Look for unusual sign-in patterns or post-exploitation activity in SharePoint and adjacent systems.
- Scan and remediate: Run vulnerability scans to identify other potentially vulnerable instances and plan remediation windows for cleanup and patching.
- Prepare for recovery: Verify backups and test restore procedures in case a breach occurs, so you can recover quickly without paying ransom or losing data.
- Stay informed: Regularly check official advisories from CISA and Microsoft for updates on patches, mitigations, and guidance. CISA KEV page • MSRC advisory
Details may change as vendors issue updates and threat actors adapt. If you’re unsure about your patch status or need help planning a remediation, consider reaching out to a security-focused IT partner or a trusted consultant.
Final thought
Keeping on-premises SharePoint up to date with the latest patches is the strongest defense. Start by confirming your patch status today, then methodically apply mitigations and monitor your environment. If you want, I can walk you through a practical patch-and-hardening checklist tailored to your setup.