The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities catalog, confirming that attackers are already using it in real world intrusions. The flaw, tracked as CVE-2026-45659, is a deserialization of untrusted data issue, a class of bug that can let an attacker run their own code on a server and, in CISA's words, gain total control of the asset after exploitation.
What's affected
The vulnerability sits in on premises Microsoft SharePoint Server, the widely deployed platform many organizations use to host internal document libraries, intranets, and team collaboration sites. Because SharePoint often holds sensitive corporate data and is frequently exposed to the internet, deserialization bugs in it are a recurring favorite for attackers looking to gain a foothold inside a network. CISA did not name the groups behind the exploitation or the scope of the campaign, but a KEV listing means the activity is confirmed, not theoretical.
Deserialization, briefly
Deserialization flaws occur when software rebuilds saved data back into live objects without properly checking it first. If an attacker can feed the server a malicious payload disguised as ordinary data, the server can be tricked into executing it. That is why CISA flags this bug class as one that can grant total control of a system once exploited.
What you should do
Under Binding Operational Directive 26-04, federal civilian agencies must remediate KEV listed flaws on internet facing assets within a short deadline, and check whether a system was already compromised before the patch was applied. CISA urges every organization, not just federal ones, to prioritize the SharePoint update. Administrators should apply Microsoft's fix for CVE-2026-45659 without delay, inventory any internet exposed SharePoint servers, and hunt for signs of prior compromise given that exploitation is already underway. This follows a run of recent KEV additions, including actively exploited Cisco and PTC bugs the agency flagged last week.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.