
SharePoint Server Takeover Flaw CVE-2026-45659 Now Exploited (CISA KEV): Patch On-Prem Now

Microsoft's on-premises SharePoint Server has a flaw (CVE-2026-45659) that lets even a low-privilege user run code on the server. CISA confirms exploitation. Editions 2016/2019/Subscription are affected; SharePoint Online is not. The fix is out — patch unpatched servers now.

News | Published July 2, 2026 | Updated today

A vulnerability that lets an attacker run arbitrary code on the server has been found in Microsoft's "SharePoint Server," widely used for corporate intranet portals and document sharing. It is tracked as CVE-2026-45659, with a severity of 8.8 out of 10 ("High"). Microsoft released a fix in May 2026, but attacks abusing this flaw have since been observed, and the U.S. agency CISA has added it to its "Known Exploited Vulnerabilities (KEV)" catalog.

Affected is the on-premises SharePoint Server that you run yourself (2016 / 2019 / Subscription Edition). The cloud version, SharePoint Online (Microsoft 365), is not affected. The fix is already distributed, so any server that has not applied it needs to update now. Once exploitation has begun, "later" is not an option.

Item                 Details
Tracking ID          CVE-2026-45659
Affected software    SharePoint Server (on-premises)
Not affected         SharePoint Online (Microsoft 365)
Affected versions    2016 / 2019 / Subscription Edition
Severity             CVSS 8.8 / 10 ("High")
Type                 Unsafe deserialization (CWE-502)
Login needed         Yes (a low-privilege user account is enough)
Exploitation         Yes (listed in CISA KEV)
Fix                  Released in May 2026 monthly update

Who would exploit this, and why

This is not something just anyone can do from the outside. The people who can exploit it are those who can log in to the target SharePoint in some way with a low-privilege user account, or an attacker who has stolen such an account. The severity breakdown (the CVSS vector) notes that "site member" level (an ordinary user who can at least view and post) is enough; administrator rights are not required. An ordinary employee account, a former employee's leftover account, or credentials stolen via phishing can all serve as the entry point.

What such a person can do is send crafted data to SharePoint and run their own program on the server, taking the whole server over. A user who should only be able to read and write documents can instead seize control of the server SharePoint runs on.

If the SharePoint server is taken over, the damage does not end with documents. Confidential internal files and personal data, and the connection details to other systems SharePoint integrates with, can be stolen and used as a foothold to move deep into the internal network. In fact, on-premises SharePoint has become a major entry point for ransomware attacks in recent years, so a takeover translates directly into organization-wide harm. That is why the update below should be your top priority.

What SharePoint Server is, and how it differs from the cloud version

SharePoint is a Microsoft product used as the foundation for internal document sharing, portal sites, and business apps. It is used for storing and sharing files and building approval flows and team sites, and it is adopted by many companies and government bodies.

What matters here is that SharePoint comes in two main kinds: "SharePoint Server (on-premises)," installed and run on your own servers, and "SharePoint Online" (included in Microsoft 365), used on Microsoft's cloud. CVE-2026-45659 affects only the former, the on-premises version; the cloud SharePoint Online is not affected. Whether you run your own SharePoint server, or use the cloud via Microsoft 365, determines whether you need to act. First, confirm which one your organization uses.

With the on-premises version, administrators must apply updates themselves, and because it sits at the center of business operations and is hard to take offline, patching tends to be put off. This "tendency to fall behind on updates" is a big reason it keeps being targeted by attackers.

What actually happens: inside the flaw

The cause is that SharePoint "restores" received data without adequate checks. In programming, to store or transmit data it is common to pack it into a fixed form (serialization) and later turn it back into its original form (deserialization). If that restore step trusts the incoming contents too much, crafted data can make it run arbitrary code. Here, this "restoration of untrusted data" (deserialization of untrusted data, CWE-502) was abused.

While logged in, an attacker sends crafted data to SharePoint and, at the moment the server restores it, runs a program of their choosing. Because execution happens with the privileges of the SharePoint service, the attacker's reach extends to the documents and data that server handles, and to the credentials of integrated systems. According to Microsoft's security advisory, only "site member"-level low privileges are required.

One caution: some reporting describes this as "unauthenticated, CVSS 9.8." That is inaccurate. The NVD (U.S. NIST vulnerability database) rates it at CVSS 8.8, and exploitation requires a low-privilege login. That said, the larger the organization, the more people hold some SharePoint account, and phishing one is enough — so "it needs a login, therefore it's safe" simply does not hold.

What is the exploitation situation?

What raises this flaw's danger a notch is the fact that real-world attacks are already underway. Microsoft released the fix in the May 2026 monthly update (Patch Tuesday), and at first no exploitation had been confirmed. Since then, attacks abusing this flaw have been observed, and the U.S. agency CISA added it to its "Known Exploited Vulnerabilities (KEV)" catalog — a list that only includes items confirmed to be under active attack.

"The fix has been out since May — why now?" you might think. But in reality, many on-premises SharePoint servers remain unpatched even after a fix is released, and that is exactly what attackers target. Exploitation ramping up well after a fix is published is a pattern that has repeated with SharePoint. You can follow the exploitation landscape in Japanese in our CISA KEV Dashboard (Japanese edition).

Is my organization affected? A quick response guide

First, confirm whether you run a SharePoint server yourself (the on-premises version). If you only use SharePoint Online via Microsoft 365, you do not need to act on this flaw. If you run the on-premises version, the following editions are affected.

Product               Fixed build (this or later)   Action
SharePoint 2016       16.0.5552.1002                Update now
SharePoint 2019       16.0.10417.20128              Update now
Subscription Edition  16.0.19725.20280              Update now
SharePoint Online     —                             Not affected (no action)

The fix is included in the May 2026 monthly update, and Microsoft distributes update packages for each edition (such as KB5002863, KB5002868, and KB5002870). Check which KB applies to which edition on Microsoft's official page.
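To turn the table above into a check you can run on each farm server, here is an added PowerShell example (it is not from this article or from Microsoft). It compares the installed build with the fixed builds listed above. It assumes the SharePoint PowerShell snap-in is present on the server, and it infers the edition from the third component of the build number (2016 builds are 16.0.4xxx/5xxx, 2019 builds 16.0.10xxx, Subscription Edition higher), which is an assumption you should verify against Microsoft's page.

```powershell
# Added example: compare the installed SharePoint build with the fixed builds
# from the table above. Edition is inferred from the build number (assumption).
$FixedBuilds = @{
    '2016'         = [version]'16.0.5552.1002'
    '2019'         = [version]'16.0.10417.20128'
    'Subscription' = [version]'16.0.19725.20280'
}

function Get-SPEditionFromBuild {
    param([version]$Build)
    # Assumption: 2016 uses 16.0.4xxx-5xxx, 2019 uses 16.0.10xxx,
    # Subscription Edition uses higher build numbers.
    if ($Build.Build -lt 10000)     { return '2016' }
    elseif ($Build.Build -lt 11000) { return '2019' }
    else                            { return 'Subscription' }
}

function Test-SPPatchedForCve {
    param([version]$InstalledBuild)
    $edition = Get-SPEditionFromBuild -Build $InstalledBuild
    $fixed   = $FixedBuilds[$edition]
    [pscustomobject]@{
        Edition        = $edition
        InstalledBuild = $InstalledBuild
        FixedBuild     = $fixed
        Patched        = ($InstalledBuild -ge $fixed)   # System.Version compares all four parts
    }
}

# Offline demonstration with constructed build numbers
Test-SPPatchedForCve -InstalledBuild '16.0.10417.20027'   # 2019 farm below the fixed build
Test-SPPatchedForCve -InstalledBuild '16.0.19725.20280'   # Subscription Edition at the fixed build

# On a farm server, read the real build (requires the SharePoint snap-in)
if (Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Test-SPPatchedForCve -InstalledBuild (Get-SPFarm).BuildVersion
}
```

Note that (Get-SPFarm).BuildVersion reflects the farm configuration database, which is only raised after the Products Configuration Wizard (psconfig) has been run following the update; Get-SPProduct -Local shows the patch state of the individual components on the local server.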

Background: why on-prem SharePoint keeps being targeted

This CVE-2026-45659 is not a one-off accident. On-premises SharePoint is a product where takeovers via "restoration of untrusted data" (CWE-502) have been found repeatedly and actually used in large-scale attacks. In 2025, a chain of SharePoint flaws known as "ToolShell" was mass-exploited worldwide, and many organizations' servers were taken over. This case belongs to the same lineage of "restore-step holes."

Why does it recur? Two structural reasons lie behind it. One is technical: the "data restoration" that SharePoint uses heavily internally is prone to becoming a weak point against crafted input. The other is operational: the on-premises version requires each organization to apply updates by hand, and patches tend to lag because of the desire to avoid downtime. From an attacker's view, SharePoint — placed at the core of an organization, holding valuable documents, and slow to update — is a high-return target.

The practical conclusion is simple. Treat on-premises SharePoint as an "asset that could be targeted at any time," and build a process to apply monthly updates without delay. And in the longer term, migrating to the cloud version (SharePoint Online), where Microsoft handles updates, is worth considering as an option.

What to do now

The top priority is to apply the May 2026 (or later) monthly update — the relevant KB — to on-premises SharePoint. Since exploitation is already confirmed, there is no room to defer it for testing. Apply it to all affected servers as soon as possible.

Beyond updating, it is also worth checking the following. First, check whether anti-malware integration (AMSI) is enabled on the SharePoint server. Microsoft recommends enabling AMSI as a defense against attacks that abuse the restore step. Next, check whether you have already been breached. Look for unfamiliar files (especially web page components such as .aspx), administrator accounts or processes you do not recognize, and suspicious traffic; if anything looks off, rotate credentials and conduct a deeper investigation. For a flaw already under exploitation, the important thing is not "we updated, so we are safe" but going as far as "have we already been broken into?"
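As an added example of the "unfamiliar .aspx files" check described above (not from the article), the PowerShell below lists web page files written recently under the SharePoint 16 hive's LAYOUTS folder and the IIS virtual directories SharePoint creates, with their hashes, so they can be compared against a known-good server. The paths are the default install locations, and the 30-day look-back window is an assumption to adjust to your own patch history.

```powershell
# Added example: list recently written .aspx/.ashx files in the default
# SharePoint directories so they can be reviewed against a known-good server.
param(
    [int]$Days = 30,   # assumption: look-back window
    [string[]]$Roots = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    )
)

function Get-RecentWebFiles {
    param([string[]]$Paths, [int]$LookbackDays)
    $since = (Get-Date).AddDays(-$LookbackDays)
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                    SizeBytes = $_.Length
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Get-RecentWebFiles -Paths $Roots -LookbackDays $Days |
    Sort-Object LastWrite -Descending |
    Export-Csv -Path "$env:TEMP\sharepoint-recent-webfiles.csv" -NoTypeInformation

# Files the update itself does not explain (compare the CSV with a freshly
# patched, known-good server) deserve a closer look and credential rotation.
```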

Summary

CVE-2026-45659 is a vulnerability in on-premises SharePoint Server that lets a low-privilege user account take over the server. The severity is CVSS 8.8; it is not unauthenticated, but real-world attacks have been confirmed and it is listed in CISA's KEV. Affected editions are 2016 / 2019 / Subscription Edition; the cloud SharePoint Online is not affected. The fix has been available since May 2026.

On-premises SharePoint is a product where takeovers via the restore step have recurred and slow patching has been exploited again and again. The state of "the fix is out but not applied" is the biggest risk. First, confirm whether your organization uses the on-premises version, and if so, apply the relevant monthly update right away. And do not forget to check whether you have already been breached.


Makoto Horikawa

Backend Engineer / AWS / Django