// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
Critical
SharePoint, CVE, KEV, Microsoft, RCE, exploitation
Microsoft SharePoint RCE Added to CISA KEV After Active Exploitation (CVE-2026-45659)
CISA added a high-severity SharePoint Server remote code execution flaw (CVE-2026-45659, CVSS 8.8) to its Known Exploited Vulnerabilities catalog after confirming active exploitation. If you run on-prem SharePoint, this is now a patch-today item.
What happened. CISA added CVE-2026-45659 — a remote code execution flaw in on-premises Microsoft SharePoint Server (CVSS 8.8) — to its Known Exploited Vulnerabilities (KEV) catalog after confirming it is being actively exploited in the wild. Federal agencies are bound to remediate on a deadline; everyone else should treat KEV inclusion as the same signal.
Who's affected. Organizations running self-hosted SharePoint Server. SharePoint Online (Microsoft 365) is not the target here — this is the on-prem estate, which skews toward larger enterprises, government, and regulated industries that kept collaboration data inside their own perimeter.
What to do now. Apply Microsoft's patch immediately. If you can't patch within hours, restrict access to the SharePoint management endpoints and monitor for anomalous process execution spawned by the SharePoint service account. Then check your logs backward — KEV listing means exploitation predates the patch, so assume the window has been open.
Our read. A KEV addition is not a warning about a future risk — it is confirmation the risk is already being used against real targets. In our own analysis of the 2025 KEV catalog, the median gap between a vulnerability's public disclosure and confirmed exploitation was 26 days, and 20% were exploited on or before disclosure day. A vulnerability scanner that runs quarterly would, on average, never test for this SharePoint flaw before an attacker reached it. This is exactly why point-in-time assessment fails against KEV-class bugs and why the coverage has to be continuous.
Reporting by The Hacker News; vulnerability status per the CISA KEV catalog. Both linked above.