A SharePoint server flaw is under active attack. If you run it on your own kit, patch now.
Cyber Security

A SharePoint server flaw is under active attack. If you run it on your own kit, patch now.

US authorities added CVE-2026-45659 to their known-exploited list on 1 July and gave agencies three days to fix it. It affects SharePoint you run yourself, not SharePoint Online.

2 July 20263 min read

A flaw in Microsoft's SharePoint Server, tracked as CVE-2026-45659 and rated 8.8 out of 10 for severity, is being actively exploited. On 1 July the US Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue and gave federal agencies until 4 July to patch, a short deadline it only sets when a flaw is being used in real attacks.

What the flaw is

It is a remote code execution bug, which means an attacker can run their own commands on the server. It needs the attacker to be logged in with at least basic 'site member' access rather than being wide open to anyone on the internet, but that is a low bar once someone has any foothold at all. Microsoft released a fix back in late May and at the time judged the flaw less likely to be exploited. That call has not held up, which is why it now sits on the must-patch list.

On-premises only, not SharePoint Online

This is the distinction that matters. The flaw affects SharePoint Server that a business runs on its own hardware, specifically SharePoint Server Subscription Edition, 2019 and 2016. If your SharePoint is the one that comes with Microsoft 365, hosted by Microsoft in the cloud, this particular problem is not yours to fix. Plenty of businesses have quietly moved to that cloud version and no longer run a server at all. The ones still exposed are those with SharePoint on a box in the office or a data centre.

Why active exploitation of SharePoint is taken seriously

There is recent history here. In 2025 a set of on-premises SharePoint flaws known as ToolShell were used by a group Microsoft tracks as Storm-2603 to plant Warlock ransomware on the networks behind them. That is why a fresh, actively-exploited SharePoint server flaw gets attention rather than a shrug. The kit sits deep inside a network and holds a lot of a business's documents.

What to do

If you run SharePoint on your own server, apply the latest updates now. If you are not sure whether you do, that is the question to put to whoever looks after your IT: do we run SharePoint on-premises, and if so is it patched for CVE-2026-45659? A clear yes or no tells you where you stand. If the answer is that nobody is quite certain, that gap is worth closing this week.

What this means for your business

Servers that face the outside world, or that hold the documents your business runs on, are exactly what attackers go after, and patching them quickly is most of the defence. We keep the systems we look after up to date as fixes land, and can run a vulnerability scan or a security audit so you are not relying on hope. If you are not certain whether you still run SharePoint on your own kit, or who is patching it, that is worth pinning down now.

#WEARECOBALT

Ready when you are.

Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.