Attackers are actively exploiting a remote code execution flaw in Microsoft SharePoint that the software giant patched in May, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, signaling that threat actors have moved beyond proof-of-concept attacks to real-world exploitation against unpatched systems. The agency did not disclose the specific CVE identifier or technical details of the exploitation technique, but active exploitation combined with a high-severity rating indicates organisations using SharePoint face immediate risk.
Organizations running affected SharePoint versions must treat this update as urgent. Unpatched deployments are now actively targeted in the wild. Administrators should prioritize applying the May patch immediately, particularly for internet-facing SharePoint instances that attackers can reach directly.
The vulnerability allows authenticated attackers to execute arbitrary code with the privileges of the SharePoint application pool account. This grants adversaries the ability to read sensitive documents, modify data, establish persistence, and potentially pivot to other systems on the network. For government agencies and critical infrastructure operators, CISA mandates patching within two weeks of the advisory.
SharePoint remains a frequent target for exploitation because of its widespread use in enterprise environments and its access to sensitive business documents. Prior SharePoint RCE vulnerabilities have been weaponized by both financially motivated threat actors and state-sponsored groups.
Organizations that cannot immediately patch should implement network segmentation to restrict access to SharePoint servers, monitor for suspicious activity targeting these systems, and maintain offline backups of critical data. Web application firewalls may provide limited temporary protection, but patching remains the only reliable mitigation.
CISA encourages organisations to scan their networks for indicators of compromise and review access logs for signs of exploitation. The shift from theoretical to active exploitation narrows the window for defensive action.
