There is a particular sting to this one: Microsoft told everybody a SharePoint bug was probably not worth worrying about — and then attackers started using it anyway. This week CISA made it official, and if you run SharePoint in your own office, the clock is now very short.
⚡ The 60-Second Version
- What: A serious flaw in on-premises Microsoft SharePoint Server (CVE-2026-45659, severity 8.8 of 10) lets an attacker who already has a basic account run their own code on your server. CISA confirmed it is being exploited in the wild.
- Fix: Install Microsoft's May 2026 SharePoint security update on every SharePoint server you host. It's already out — you just have to apply it.
- By when: CISA set the federal deadline for July 4, 2026. Treat that as your deadline too. Now, not next month.
What actually happened
On July 1, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog — the short list of flaws confirmed to be under active attack. The vulnerability sits in Microsoft SharePoint Server, the document-and-intranet platform many companies run on their own hardware. In plain terms, it's a "deserialization" bug: SharePoint can be tricked into treating attacker-supplied data as trusted instructions and executing them. The result is remote code execution — an outsider running commands on the server that holds your shared files.
Two details make this one worth your attention.
First, the bar to exploit it is low. This is not a flaw that requires an administrator account. Microsoft's own write-up says an attacker needs only Site Member permissions — the everyday access level of a regular employee. So a single phished password, a stale contractor login, or a compromised staff account is enough of a foothold to turn into full control of the server.
Second, and this is the part that bothers me: Microsoft originally rated this flaw "Exploitation Less Likely." Security teams use those labels to decide what to patch first, and a "less likely" tag is exactly the kind of thing a busy IT person defers to next month. To make matters worse, the fix shipped back in May 2026, but the CVE was reportedly left off Microsoft's published May update list — so a lot of admins never saw it come across their desk. The patch existed. The warning didn't reach the people who needed it. That's how a "low priority" bug ends up on CISA's actively-exploited list six weeks later.
Who this affects — and who can relax
Here's the distinction that matters most for a small business, so read this part twice.
This flaw is in SharePoint Server — the version you install and run on a machine in your own office or data center. The affected products are SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
It is not about SharePoint Online, the version built into Microsoft 365 that lives in Microsoft's cloud. If your team gets to SharePoint through your Microsoft 365 login and you don't run a SharePoint server yourself, Microsoft patches that platform for you — you're not the one exposed here.
So the honest gut-check is simple: Do we run our own SharePoint server? Most small businesses I work with have moved to Microsoft 365 and can breathe easy. But plenty of firms — especially those with older on-premises systems, an internal intranet, or a document portal a previous IT provider set up years ago — are still hosting SharePoint themselves and may not even remember it's there. Those are the servers attackers are counting on.
Why "we have a login for that" isn't protection
The reason this one is dangerous is that it defeats a comforting assumption: only our people can log into that system, so it's safe. When a flaw only needs a low-privilege member account, every login your organization has ever issued becomes a potential doorway — including the ones you forgot to turn off. Former employees, seasonal help, the vendor you used for one project in 2023. Each of those is now a way in if the account still works and the server is unpatched.
That's why the fix here isn't only "install the update." It's also "know what you're running and who can reach it." Attackers don't need to break down the front door when there's a working key under the mat.
What this means for your business
If you host SharePoint yourself, this is a this-week task, not a someday task:
- Confirm whether you run on-premises SharePoint at all. If you're not sure, that uncertainty is itself the finding — someone needs to check today.
- Apply the May 2026 SharePoint security update to every SharePoint server you operate. Don't assume it's already installed just because other patches are current; this one may have slipped through.
- Review who has accounts on that server. Disable anyone who's left, any dormant vendor logins, and any account nobody can explain.
- Turn on multi-factor authentication for every account that can reach the server, so a stolen password alone isn't enough to walk in. If you want the plain-English case for MFA, I wrote one here.
- Watch for the aftermath — unexpected new admin accounts, odd scheduled tasks, or files appearing where they shouldn't. Exploited servers rarely announce themselves.
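A way to work through the first three items above on a Windows server, as an added PowerShell example that is not part of the original post: it checks whether SharePoint Server is installed on the machine, reports the farm build so you can compare it with the May 2026 update, and lists enabled accounts that have not logged on recently. The update's build number is not given in this post, so it is an optional placeholder parameter; the script assumes a SharePoint 2016/2019/Subscription Edition host (which register under the "16.0" key and run the SPTimerV4 service) and, for the stale-account report, that the ActiveDirectory module is available.

```powershell
# Added example, not from the original post: read-only inventory for the checklist above.
# Assumptions: SharePoint 2016/2019/Subscription Edition host; AD module present for step 3.
param(
    # Placeholder: the build number Microsoft lists for the May 2026 update (from its KB
    # article; the post does not give it). If omitted, only the current build is shown.
    [string]$PatchedBuild,
    [int]$InactiveDays = 90
)

# Step 1: is on-premises SharePoint Server installed here at all?
$spKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0'
$timer = Get-Service -Name 'SPTimerV4' -ErrorAction SilentlyContinue

if (-not (Test-Path $spKey) -and -not $timer) {
    Write-Output "No on-premises SharePoint Server detected on $env:COMPUTERNAME."
    return
}
Write-Output "SharePoint Server appears to be installed on $env:COMPUTERNAME."

# Step 2: report the farm build. The SharePoint cmdlets live in a snap-in that only
# exists on a SharePoint box, and Get-SPFarm needs farm-admin/shell-access rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$farm = Get-SPFarm -ErrorAction SilentlyContinue
if ($farm) {
    Write-Output "Farm build version: $($farm.BuildVersion)"
    if ($PatchedBuild) {
        if ([version]$farm.BuildVersion -ge [version]$PatchedBuild) {
            Write-Output "Build is at or above $PatchedBuild - May 2026 update appears applied."
        } else {
            Write-Warning "Build is below $PatchedBuild - May 2026 update NOT applied."
        }
    } else {
        Write-Output "Compare the build above with the May 2026 update's build number."
    }
} else {
    Write-Warning "Could not read the farm; rerun from the SharePoint Management Shell as a farm admin."
}

# Step 3: enabled accounts that have not logged on in $InactiveDays days (candidates to disable).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Write-Output "Enabled user accounts inactive for $InactiveDays+ days:"
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate |
        Sort-Object LastLogonDate |
        Format-Table -AutoSize
} else {
    Write-Output "ActiveDirectory module not found; run the stale-account check from a host with RSAT."
}
```

Run it once per server you suspect hosts SharePoint; a machine that reports "No on-premises SharePoint Server detected" is outside the scope of this flaw, while any farm whose build is below the May 2026 update's build is the one to patch first.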
And a broader lesson worth keeping: a vendor's "low risk" label is a starting opinion, not a guarantee. The safest posture is to patch on a steady schedule and let the priority labels tell you what goes first, not what you get to skip.
How BVTech helps
If BVTech manages your systems, you can let this one go — we track the CISA exploited-vulnerabilities list daily, we already know which of our clients run on-premises SharePoint, and those servers are being verified and patched as part of your managed service. No fire drill on your end.
If you're not sure who's watching your servers — or whether you even still have a SharePoint box humming away in a closet — that's exactly the blind spot we clear up for Texas businesses in El Campo, Houston, San Antonio, Sugar Land, and across Comal County. Book a quick call and we'll figure out what you're running and what actually needs attention. No pressure, no jargon.
— Jordan Polasek · Founder, BVTech LLC