CISA adds SharePoint flaw to known exploited vulnerabilities list

The Cybersecurity and Infrastructure Security Agency on July 1 added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft patched the high-severity CVSS 8.8 bug on May 21, and CISA warned that the flaw was actively exploited and federal agencies need to patch by July 4.

The flaw — CVE-2026-45659 — was described as a deserialization of untrusted data in Microsoft Office SharePoint that can let an authorized attacker execute code over a network.

Ben Ronallo, principal cybersecurity engineer at Black Duck, said most security pros view on-prem SharePoint as a walled garden in which an organization’s data is safe and secure because it’s on-premises. However, Ronallo said this new CVE smashes through the metaphorical walls, as exploitation only requires low-privileged access.

“This is likely a strategic vulnerability for any malicious actor that already has a foothold in an environment as SharePoint often houses business-critical data,” said Ronallo. “Even worse, the malicious actor can likely pivot from SharePoint to other Windows infrastructure to continue their activities.”

Ronallo added that the risk has been compounded by the fact that Microsoft omitted this CVE from its May Patch Tuesday bulletin. Any organization that relies solely on the published bulletin, rather than independently scanning and verifying patch levels, may have deprioritized this fix without realizing it was already available, said Ronallo.

“It's a reminder that patch bulletins are a starting point, not a substitute for verifying what's actually running,” said Ronallo.

Louis Eichenbaum, Federal CTO at ColorTokens, added that SharePoint has become far more than a document repository: it’s often an organization's institutional memory. Over time, Eichenbaum said users naturally upload engineering documentation, HR records, financial reports, legal contracts, security procedures, architecture diagrams, and other sensitive information into a single location because it’s convenient for collaboration.

“When an attacker gains authenticated access and the ability to execute code on a SharePoint server, they're not just compromising a file server, they're gaining access to a roadmap of how the organization operates,” said Eichenbaum. “That information can dramatically accelerate reconnaissance, privilege escalation, and subsequent attacks.”

Eichenbaum said this vulnerability should remind organizations that collaboration platforms have become high-value targets. Users tend to centralize information in SharePoint because it makes collaboration easier, but that convenience also concentrates risk.

“The best defense isn't just rapid patching; it also includes applying least-privilege access, continuously reviewing permissions, classifying sensitive data, segmenting critical systems, and assuming that if a collaboration platform is compromised, an attacker will immediately begin searching for information that enables lateral movement,” said Eichenbaum. “Organizations should ask themselves: if SharePoint were compromised tomorrow, what sensitive information could an attacker use to reach our most critical assets?”
