CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog after detecting active exploitation of a critical remote code execution flaw in Microsoft SharePoint Server. The vulnerability carries a CVSS score of 8.8 and stems from unsafe deserialization of untrusted data, allowing attackers to execute arbitrary code on vulnerable systems.

The vulnerability affects SharePoint Server installations where proper input validation fails during data deserialization. This creates a direct pathway for unauthenticated or low-privileged attackers to gain remote code execution on affected machines, bypassing authentication mechanisms in certain deployment scenarios.

CISA's addition of CVE-2026-45659 to the KEV catalog signals that threat actors are actively weaponizing this flaw in real-world attacks. Organizations running SharePoint Server face immediate risk of compromise, data exfiltration, lateral movement, and attackers establishing persistent access within their networks.

SharePoint Server remains widely deployed across enterprise environments for content management, collaboration, and document storage. Compromise of a SharePoint instance can provide attackers with access to sensitive business data, intellectual property, and internal communications.

Microsoft has released patches addressing this vulnerability. Organizations should treat patching as urgent given the active exploitation evidence. Network administrators should prioritize identifying all SharePoint Server deployments within their infrastructure, verify patch status, and apply updates without delay.

For organizations unable to patch immediately, network segmentation and access control restrictions provide interim mitigation. Restricting SharePoint Server exposure to trusted networks only and implementing strict firewall policies can reduce the attack surface. Monitoring SharePoint systems for suspicious deserialization activity and unexpected code execution adds a means of detection.
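One way to act on the monitoring advice above, shown as an added example that is not from CISA, Microsoft, or the original article: flag processes started by the IIS worker process (`w3wp.exe`, which hosts SharePoint web applications) on SharePoint hosts. The Sysmon-style field names, host inventory, child-process lists and sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumptions (not from the article): Sysmon-style process-creation fields,
# a hypothetical host inventory, and child-process lists to tune locally.
SHAREPOINT_HOSTS = {"sp-wfe01", "sp-app01"}
SUSPICIOUS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
              "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
EXPECTED = {"csc.exe", "vbc.exe"}  # started by ASP.NET dynamic compilation

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    host = event.get("Computer", "").split(".")[0].lower()
    parent = basename(event.get("ParentImage", ""))
    if host not in SHAREPOINT_HOSTS or parent != "w3wp.exe":
        return None  # only IIS worker children on SharePoint hosts matter here
    child = basename(event.get("Image", ""))
    if child in EXPECTED:
        return None
    return "alert" if child in SUSPICIOUS else "review"

def triage(json_lines):
    """Parse JSON-lines events, skip corrupt records, return the findings."""
    findings = []
    for line in json_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(event) if isinstance(event, dict) else None
        if verdict:
            findings.append((verdict, event["Computer"],
                             basename(event.get("Image", "")), event.get("CommandLine", "")))
    return findings

def make_event(host, parent, image, cmd):
    return json.dumps(dict(Computer=host, ParentImage=parent, Image=image, CommandLine=cmd))
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_LINES = [  # constructed sample events, not real telemetry
    make_event("SP-WFE01", W3WP, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    make_event("SP-WFE01", W3WP, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    make_event("SP-APP01.corp.example", W3WP, r"C:\Temp\updater.exe", "updater.exe"),
    make_event("FILE01", W3WP, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    make_event("SP-WFE01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    '{"Computer": "SP-WFE01", "ParentImage": ',  # truncated record
]
```

`triage(SAMPLE_LINES)` returns one `alert` (the command shell under `w3wp.exe`) and one `review` (an unrecognized binary under `w3wp.exe`); the compiler launch, the non-SharePoint host, the interactive shell and the truncated record are ignored.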

The addition to CISA KEV typically triggers mandatory patching requirements for federal agencies and critical infrastructure operators under federal compliance frameworks. Private sector organizations should treat this catalog addition as notice that exploitation is widespread and