CISA issued a warning Wednesday that threat actors have begun actively exploiting a high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, designated CVE-2026-45659. The flaw was patched by Microsoft in May, but unpatched systems remain at risk.
The vulnerability carries a high severity rating, and CISA has added it to its Known Exploited Vulnerabilities catalog. The precise scope of affected systems is not yet publicly known, but active exploitation indicates widespread scanning or attacks.
The RCE flaw allows authenticated attackers to execute arbitrary code on affected SharePoint servers. Technical details on the attack vector and indicators of compromise have not been fully disclosed by CISA or Microsoft, but the agency urges immediate action.
Organizations should apply the May security updates from Microsoft to block exploitation. CISA has not reported any workarounds besides patching, underscoring the urgency for IT teams to prioritize deployment of the fix.
Attribution for the ongoing attacks remains unclear at this time. The inclusion of this vulnerability in CISA's catalog signals that it poses a significant threat to federal agencies and critical infrastructure, aligning with a broader pattern of adversaries targeting recently patched flaws.