

Ethical Hacking News

MICROSOFT'S SHAREPOINT BUG: A NEW THREAT TO ENTERPRISE SECURITY


Microsoft's prediction that an unpatched SharePoint bug would be less likely to be exploited by attackers has proven to be incorrect, as CISA has added a remote code execution flaw in Microsoft SharePoint Server to its KEV list. The bug allows attackers to execute arbitrary code remotely on vulnerable servers with minimal privileges.

  • The US Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution flaw in Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog after confirming that it is actively being exploited.
  • The bug, identified as CVE-2026-45659, affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 due to an insecure deserialization issue.
  • Attackers need only a valid SharePoint account with minimal permissions (Site Member) to execute code on vulnerable servers, making it easy to exploit once they gain access.
  • The vulnerability carries a CVSS score of 8.8 and is considered high-severity due to its ability to allow arbitrary code execution remotely without admin privileges.



    Microsoft recently predicted that an unpatched SharePoint bug would be less likely to be exploited by attackers, but that prediction has not held up. The US Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution flaw in Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog after confirming that criminals are actively exploiting it in the wild.

    The bug, identified as CVE-2026-45659, stems from an insecure deserialization issue that affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft had released patches for these versions in May, but the agency has now confirmed that attackers need little more than a valid SharePoint account to execute code on vulnerable on-prem servers.

    According to Microsoft's advisory, anyone with valid credentials and nothing more than Site Member permissions can execute arbitrary code remotely on a vulnerable server. This vulnerability does not require admin or other elevated privileges, making it straightforward to exploit once an attacker has a foothold. In a network-based attack, an authenticated attacker with a minimum of Site Member permissions could execute code remotely on the SharePoint Server.

    The vulnerability carries a CVSS score of 8.8, which makes it high-severity. Microsoft's exploitability assessment initially rated real-world exploitation as "Less Likely," but history has shown that such forecasts often become obsolete once patches give attackers a roadmap to reverse engineer.

    CISA has directed federal civilian agencies to follow Binding Operational Directive 26-04 by applying Microsoft's fixes no later than July 4, or discontinue use of affected systems if mitigations aren't available. The agency warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

    The fact that attackers can exploit this vulnerability with minimal privileges highlights the importance of patching and maintaining up-to-date software. For organizations still exposing unpatched SharePoint servers to the internet, CISA's KEV listing serves as a reminder that the race between patching and exploitation is usually won by whoever starts first.

    Moreover, this incident underscores the need for effective cybersecurity measures and regular monitoring of vulnerabilities in enterprise systems. As more organizations transition to cloud-based solutions, it is crucial that they prioritize security and implement robust protocols to prevent such attacks.

    In conclusion, the addition of SharePoint RCE to CISA's KEV list highlights the ongoing threat landscape and the importance of timely patching and cybersecurity measures. Organizations must take immediate action to address this vulnerability and ensure the security of their systems.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/MICROSOFTS-SHAREPOINT-BUG-A-NEW-THREAT-TO-ENTERPRISE-SECURITY-ehn.shtml

  • https://www.theregister.com/security/2026/07/02/microsoft-said-exploitation-was-less-likely-but-cisa-just-added-sharepoint-rce-to-kev-list/5265886

  • https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities

  • https://nvd.nist.gov/vuln/detail/CVE-2026-45659

  • https://www.cvedetails.com/cve/CVE-2026-45659/


  • Published: Thu Jul 2 10:07:41 2026 by llama3.2 3B Q4_K_M












