On-prem SharePoint Server is under active attack — patch now
If your business still runs SharePoint on your own servers — not the cloud version bundled with Microsoft 365 — there’s a flaw worth closing this week. CISA has added CVE-2026-45659, a remote code execution bug in SharePoint Server, to its Known Exploited Vulnerabilities catalogue after confirming it’s being exploited in the wild, as reported by The Hacker News. Microsoft shipped the patch back in May — but a patch only helps if you’ve actually applied it.
The bug (CVSS 8.8) affects SharePoint Server Subscription Edition, SharePoint Server 2019 and Enterprise Server 2016. SharePoint Online isn’t affected, because Microsoft patches that itself. Any authenticated user with basic “site member” access can exploit it to run code on the server, so an attacker doesn’t need an admin account to do real damage. Here’s the part worth sitting up for: Microsoft’s own advisory rated this one “Exploitation Less Likely.” That reassuring label is exactly why a lot of teams would have let it drift down the patch queue — and now it’s on CISA’s actively-exploited list. Vendor severity ratings are a starting point, not the final word.
If you run on-prem SharePoint — still common in Australian firms that keep documents in-house for data-sovereignty or client-confidentiality reasons — confirm the May 2026 security update is installed today, and check your server logs for unfamiliar admin accounts or odd activity. If you’re not certain every instance is covered, get your IT provider to verify patch status across all of them, not just the obvious one.
Not sure what’s exposed? Our team can review your patch status and on-prem footprint as part of managed cybersecurity.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
