Skip to content
Breachfolio
VULNERABILITIES NEWS

SharePoint RCE lands on CISA's must-patch list — the bulletin came weeks after the fix

8 min read Breachfolio · Editorial desk

Microsoft shipped the fix for CVE-2026-45659 in May's cumulative update, but didn't publish the security bulletin until May 21 — weeks after the patch was already live. CISA has since confirmed active exploitation and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until July 4 to patch.

The vulnerability carries a CVSS score of 8.8 and allows remote code execution via unsafe deserialization of untrusted data — the kind of bug that, on an internet-facing SharePoint server, can go from "interesting finding" to "full compromise" in one request.

Why the disclosure gap matters

The lag between "patch available" and "bulletin published" is the part worth paying attention to. Most patch-management programs are built around vendor bulletins as the trigger for prioritization — if the bulletin isn't out yet, the cumulative update it's bundled in often gets treated as routine, non-urgent maintenance. That's exactly the gap attackers who reverse-engineer patches are built to exploit.

Are you affected

  • Running SharePoint Server on-premises (this is not an issue for SharePoint Online / Microsoft 365).
  • Applied Patch Tuesday updates on your normal cadence, without specifically confirming the May cumulative update landed.
  • Expose SharePoint, directly or through a reverse proxy, to users outside a tightly controlled network.

What to do now

Don't assume routine patch cadence already covers this one. Confirm explicitly that your SharePoint Server farm is on the May cumulative update, not just "up to date" per your patch dashboard. If you can't confirm patched status quickly, treat internet-facing SharePoint as exposed and consider restricting access at the network layer until you can.

Source

This is our own summary and analysis. The original reporting is at The Hacker News →