US cyber company warns over forgotten SharePoint flaw


A recently identified but accidentally unpublicised remote code execution (RCE) flaw in Microsoft SharePoint, tracked as CVE-2026-45659, has been added to the US Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue after evidence of active exploitation in the wild was identified.

Microsoft is understood to have made a patch for CVE-2026-45649 available in the May 2026 Patch Tuesday update, but according to the supplier, details of the CVE were “inadvertently omitted” from the update bulletin.

Organisations that have fully installed the May updates should not need to take any further action, but Ben Ronallo, cyber security operations director at Black Duck, said that the omission of the flaw compounded the risk to end-user organisations.

“Any organisation that relies solely on the published bulletin, rather than independently scanning and verifying patch levels, may have deprioritised this fix without realising it was already available. This is a reminder that patch bulletins are a starting point, not a substitute for verifying what’s actually running,” he said.

“Any organisation that identifies an on-prem SharePoint installation with a patch version older than May 21st, 2026, should immediately engage patching and incident response procedures to resolve the risk, identify any indicators of compromise, and contain any potential exposure.”

CVE-2026-45659 arises from an untrusted data deserialisation issue, which Cisa described as a “frequent attack vector” for malicious actors. Microsoft said it can be successfully exploited by an authenticated attacker with minimal permissions or privileges, and warned that it is relatively trivial to exploit. It affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

The addition of a flaw to the Cisa Kev catalogue obliges federal civilian executive branch (FCEB) government bodies and agencies to patch it urgently – in this case by Saturday 4 July – but the agency stressed that all exposed organisations should prioritise remediation. It did not provide any details of any known cyber attacks invoking the vulnerability.

Further highlighting the risk to exposed organisations, Robert Coles, senior manager of threat intelligence security at Black Duck, said: “The thing most coverage misses is that SharePoint stopped being a file share years ago. Rather, it’s where many organisations keep the assets that really matter: contracts, HR records, sensitive legal documents, and so on.

“As such, an attacker who manages to gain access isn’t just grabbing a few files. They’re in a position most insiders don’t even have. And that’s before you get to the lateral movement problem. SharePoint is trusted. It talks to other systems. Getting a foothold there is often more useful than the documents themselves.”

Coles highlighted in particular the lack of privileged access needed to exploit CVE-2026-45659, which widens the potential pool of attackers to anybody with a valid account.

Kev updates

In the past seven days, Cisa has added three other vulnerabilities to the list. These are:

  • CVE-2026-12569, an RCE flaw in PTC Windchill and FlexPLM;
  • CVE-2026-20230, a server-side request forgery (SSRF) flaw in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition;
  • And CVE-2026-48558, a security feature bypass (SFB) flaw in SimpleHelp that may in some circumstances also allow an attacker to defeat multifactor authentication (MFA) measures.