Two administrators, one patch, very different July

Picture two firms running the same on-premises SharePoint server. One applied Microsoft's May 2026 security update in the week it shipped. The other filed it as routine and moved on, reassured by Microsoft's own note that exploitation was less likely. On 1 July the US Cybersecurity and Infrastructure Security Agency added that same flaw, CVE-2026-45659, to its Known Exploited Vulnerabilities catalogue, citing evidence of active attacks in the wild. The first administrator was already safe. The second now has an urgent problem with a public deadline attached.

CISA gave US federal agencies until 4 July to patch. That date is not your obligation, but the listing is your warning: a vulnerability someone downgraded in May is being used against real targets in July.

The flaw in plain terms

CVE-2026-45659 is a remote-code-execution vulnerability caused by unsafe deserialisation of untrusted data, with a severity score of 8.8 out of 10. In practice that means an attacker can make the server run code of their choosing. It affects the on-premises products - SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016 - rather than the cloud-hosted SharePoint in Microsoft 365.

The detail that raises the stakes is the low bar to entry. Exploiting the flaw does not require administrator rights; a single account with ordinary Site Member permissions is enough. Most organisations hand that level of access to contractors, temporary staff and dozens of routine users. One of those credentials, phished or reused, is the whole key.

The gap between unlikely and exploited

When Microsoft shipped the fix in May, it tagged the flaw as exploitation less likely - a reasonable prediction that turned out wrong within weeks. That gap is the reason vendor severity ratings should set your patch order, not your patch decision. A rating predicts attacker behaviour; a CISA exploited-vulnerabilities listing records it. When the two disagree, the record wins, and it just did.

The pattern is not new. On-premises collaboration servers, exposed to the internet and rich in internal data, are among the most reliably attacked software in enterprise estates. A downgraded severity note is a forecast, and forecasts are exactly the thing attackers are paid to break.

Why NIS2 changes the stakes, and what to do now

For European operators the consequence is regulatory as well as technical. Under the NIS2 directive, organisations in scope must manage known vulnerabilities and can face scrutiny and penalties for failing to do so. A flaw sitting on a public exploited-vulnerabilities list, with a patch available since May, is close to the clearest possible evidence that a fix existed and was not applied. After an incident, that is the first document an investigator will hold up.

The action is narrow and immediate. Confirm whether you run any of the three affected on-premises SharePoint versions. If you do, apply the May 2026 update now and check for signs of compromise rather than assuming the update alone closes the door. Then treat the CISA catalogue, not the vendor severity label, as your trigger for the next one of these - because there is always a next one.
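As an added illustration of that last point, not code from the article, here is a small Python script that does the cross-check described above: it parses a feed in the shape of CISA's Known Exploited Vulnerabilities JSON, matches entries against a host inventory by vendor and product, and reports how many days remain to the listed due date. The field names follow the published KEV feed; the feed entry, the host names and the inventory are constructed samples.

```python
"""Flag inventory hosts that match an entry in a CISA KEV-style feed."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as in the
# published feed; the single entry is built from the facts in the article).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [{
        "cveID": "CVE-2026-45659",
        "vendorProject": "Microsoft",
        "product": "SharePoint Server",
        "dateAdded": "2026-07-01",
        "dueDate": "2026-07-04",
    }],
})

# Constructed inventory, one host per line: hostname,vendor,product
INVENTORY = """\
sp-prod-01,Microsoft,SharePoint Server 2019
sp-legacy-02,Microsoft,SharePoint Enterprise Server 2016
mail-01,Microsoft,Exchange Server 2019
"""


def load_kev(raw_json):
    """Return the list of vulnerability entries from a KEV-format document."""
    return json.loads(raw_json)["vulnerabilities"]


def parse_inventory(text):
    """Parse 'host,vendor,product' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        host, vendor, product = (part.strip() for part in line.split(","))
        rows.append({"host": host, "vendor": vendor, "product": product})
    return rows


def exposed_hosts(inventory, kev_entries, today):
    """Return (host, cveID, days_to_due) for each host matching a KEV entry.

    A match requires the same vendor and every word of the KEV product name
    to appear in the inventory product string, so 'SharePoint Server' matches
    both 'SharePoint Server 2019' and 'SharePoint Enterprise Server 2016'.
    """
    hits = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        needed = set(entry["product"].lower().split())
        for asset in inventory:
            same_vendor = asset["vendor"].lower() == entry["vendorProject"].lower()
            if same_vendor and needed <= set(asset["product"].lower().split()):
                hits.append((asset["host"], entry["cveID"], (due - today).days))
    return hits


if __name__ == "__main__":
    for host, cve, days in exposed_hosts(parse_inventory(INVENTORY),
                                         load_kev(KEV_SAMPLE), date(2026, 7, 1)):
        print(f"{host}: {cve} listed in KEV, {days} day(s) to CISA due date")
```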