CISA has confirmed attackers are actively exploiting a high-severity remote code execution flaw in on-premises Microsoft SharePoint, tracked as CVE-2026-45659, as reported by BleepingComputer. Microsoft patched it back on 21 May — the fix was accidentally left out of the May security update notes, so plenty of servers never got it. On 1 July, CISA added the flaw to its Known Exploited Vulnerabilities catalogue and gave US federal agencies until the weekend to fix it. That deadline doesn’t apply here, but the signal does.
Who’s affected: SharePoint Server 2016, 2019 and Subscription Edition. SharePoint Online — the Microsoft 365 version — is not affected. The nasty part is how little access an attacker needs. Any logged-in user with basic Site Member permissions can run code on the server, so one phished staff password hands over the whole box. Shadowserver counts more than 10,000 SharePoint servers still exposed to the internet. And here’s the pattern we keep seeing in Australian environments: the business moved email and files to Microsoft 365 years ago, but an old SharePoint server is still humming away in the corner “for the archive” — domain-joined, forgotten and unpatched. That is exactly the machine this flaw was made for.
What to do: apply the May 2026 SharePoint security updates today. If you can’t patch immediately, take the server off the internet. And if nobody has touched it in a year, ask the better question — do you still need it at all?
Not sure whether you’re running one? Our cybersecurity team can check in minutes.
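One way to answer both questions yourself on a Windows host, as an added example that is not from the original post: a read-only PowerShell check that reports whether on-premises SharePoint is installed, whether the box is domain-joined and when it last received a Windows hotfix, which farm build it is running, and whether that build is at or above a minimum you supply. The `$PatchedBuild` value is a placeholder, because the post does not list the patched build number; take the real one from Microsoft's KB article for the May 2026 SharePoint update. The cmdlets used (`Get-SPFarm`, `Get-SPProduct`, `Get-HotFix`, `Get-CimInstance`) are standard SharePoint and Windows cmdlets; the `16.0` registry hive as the install marker for 2016, 2019 and Subscription Edition is an assumption based on the shared SharePoint version hive.

```powershell
<#
  Added example, not part of the original post. Run in an elevated PowerShell
  session on a server you suspect hosts on-premises SharePoint. It is read-only:
  it changes nothing and only reports what it finds.
#>
param(
    # PLACEHOLDER: replace with the build number from Microsoft's KB for the
    # May 2026 SharePoint security update. The post does not give it.
    [version]$PatchedBuild = '16.0.0.0'
)

# 1. Is SharePoint 2016 / 2019 / Subscription Edition installed at all?
#    Assumption: all three register under the 16.0 version hive.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0'
if (-not (Test-Path $regPath)) {
    Write-Output 'No on-premises SharePoint (2016/2019/SE) found on this host.'
    return
}

# 2. The context the post calls out: a forgotten, domain-joined box is the risk.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Output ("Host {0} domain-joined: {1} ({2})" -f $cs.Name, $cs.PartOfDomain, $cs.Domain)

# Most recent Windows hotfix with a recorded install date, as a rough
# "has anyone touched this in a year?" indicator.
$lastFix = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastFix) {
    Write-Output ("Most recent Windows hotfix: {0} on {1:yyyy-MM-dd}" -f $lastFix.HotFixID, $lastFix.InstalledOn)
}

# 3. Farm build version via the SharePoint cmdlets (load the snapin if needed).
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}
$build = (Get-SPFarm).BuildVersion
Write-Output "SharePoint farm build: $build"

# Installed SharePoint products on this server, for the change record.
Get-SPProduct -Local | Format-Table -AutoSize

# 4. Compare the running build against the patched build you supplied.
if ($PatchedBuild -eq [version]'16.0.0.0') {
    Write-Warning 'PatchedBuild is still the placeholder; set it from the KB before trusting the verdict.'
}
if ($build -ge $PatchedBuild) {
    Write-Output "Build $build is at or above $PatchedBuild: the May 2026 update appears to be installed."
} else {
    Write-Output "Build $build is BELOW $PatchedBuild: patch now, or take the server off the internet until you can."
}
```

Run it as an account with SharePoint shell access, otherwise `Get-SPFarm` fails. The build comparison only tells you the binaries are updated; the post's other two actions, isolating the server from the internet and deciding whether it needs to exist at all, are decisions the script cannot make for you.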