There's a SharePoint bug hackers are already using, and the US just gave itself one day to fix it
Key takeaways
- CISA added CVE-2026-45659, a SharePoint Server remote code execution flaw, to its Known Exploited Vulnerabilities list after confirming active attacks
- The bug has a CVSS score of 8.8 and lets attackers run code on a server without valid credentials, exploiting how SharePoint deserializes untrusted data
- US federal agencies were given until July 4, 2026 to patch, one of the tightest deadlines CISA has issued this year
- A second actively exploited bug, CVE-2026-8037 in Progress Kemp LoadMaster, carries a CVSS of 9.6 and hit the same week
A working exploit for this SharePoint bug needs no password. That's the part worth sitting with. CVE-2026-45659 lets an attacker send a single crafted request and get code execution on the server: no login screen, no stolen credentials, no phishing email required. CISA confirmed it is already being used in the wild and added it to the Known Exploited Vulnerabilities catalog this week.
What the bug actually does
The flaw sits in how SharePoint Server deserializes untrusted data. Deserialization bugs are a recurring pattern in enterprise software for a simple reason: a deserializer rebuilds live objects from a byte stream, and if that stream is attacker-controlled and the deserializer will instantiate whatever types the stream names, the attacker can pick types whose construction runs code of their choosing. CVE-2026-45659 carries a CVSS score of 8.8, and because it requires no authentication, the attack surface is every client that can reach the server's web endpoints, not just people with an account.
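To make the pattern concrete, here is an added example (not SharePoint code, and not from the article) of the bug class in Python's pickle: the byte stream tells the deserializer which type to build, and building that type runs code. SharePoint is .NET and the page does not describe the CVE's exact mechanism, so this shows the general shape only. The `DocMeta` class, the `fake_system` recorder that stands in for `os.system`, and the allow-list fix are all assumptions of the example.

```python
"""Added example: unsafe deserialization versus an allow-listed deserializer.
Not from the article and not SharePoint's code; pickle is used only because
it exposes the same mechanism in a few lines."""
import io
import pickle


class DocMeta:
    """Hypothetical metadata object a server might persist for a document."""
    def __init__(self, title, owner):
        self.title = title
        self.owner = owner


EXECUTED = []  # records any "command" a malicious stream manages to run


def fake_system(cmd):
    """Stand-in for os.system so the malicious stream is harmless to run."""
    EXECUTED.append(cmd)
    return 0


class Exploit:
    """pickle stores the (callable, args) pair returned by __reduce__; the
    deserializer calls that callable when it rebuilds the object, which is
    exactly the attacker-supplied-code path the bug class describes."""
    def __reduce__(self):
        return (fake_system, ("whoami > /tmp/pwned",))


# Constructed inputs: what an honest client sends, and what an attacker sends.
HONEST_BLOB = pickle.dumps(DocMeta("Q3 budget", "alice"))
MALICIOUS_BLOB = pickle.dumps(Exploit())


def vulnerable_load(blob: bytes):
    """The bug class: trusts whatever type the stream names."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """The fix: only explicitly allowed types may be instantiated."""
    ALLOWED = {(DocMeta.__module__, "DocMeta")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(blob: bytes):
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Runs both loaders over both streams and reports what happened."""
    results = {}
    EXECUTED.clear()
    results["vulnerable_honest"] = vulnerable_load(HONEST_BLOB).title
    vulnerable_load(MALICIOUS_BLOB)                 # "runs" the command
    results["vulnerable_ran"] = list(EXECUTED)      # ["whoami > /tmp/pwned"]
    EXECUTED.clear()
    results["safe_honest"] = safe_load(HONEST_BLOB).owner
    try:
        safe_load(MALICIOUS_BLOB)
        results["safe_blocked"] = False
    except pickle.UnpicklingError:
        results["safe_blocked"] = True
    results["safe_ran"] = list(EXECUTED)            # []
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The honest stream loads identically through both paths; only the allow-listed loader refuses the stream that names a type it was never meant to build. That refusal, rather than trying to sanitise the bytes, is the shape every real fix for this bug class takes, whatever the serialization format.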
CISA's response tells you how seriously it's being taken. US federal agencies were given until July 4, 2026 to patch, a same-week turnaround that's about as tight as the agency hands out. That deadline lands today.
It's not the only one
The same week brought a second actively exploited bug: CVE-2026-8037 in Progress Kemp LoadMaster, an OS command injection flaw with a CVSS of 9.6 that lets attackers run arbitrary commands on the load balancer itself. The two bugs are unrelated in cause and vendor, but they share the profile that draws exploitation fastest: internet-facing infrastructure reachable without credentials. That is the kind of clustering security teams watch for, because attackers who are already sweeping the internet for one exposed product will fold the next one into the same scan as soon as a technique proves it works.
Why it matters beyond government IT
SharePoint sits at the center of how most large organizations store and share documents, integrate with email, and manage internal file shares. A working RCE against it isn't a narrow bug, it's a direct line into whatever SharePoint touches. If your organization runs on-prem SharePoint Server rather than the cloud-hosted Microsoft 365 version, this is a patch-today problem, not a next-sprint one. Cloud-hosted SharePoint Online customers are not affected the same way, since Microsoft manages patching on its side; hybrid deployments, though, still have on-prem servers that are yours to patch. Exposure is worst where the server is reachable from the internet, but an internal-only server is still a foothold for anyone already inside the network.
This kind of flaw also tends to have a longer tail than the headline suggests. Once a working exploit is public or actively used, unpatched servers stay exposed for months, because on-prem infrastructure often lags behind cloud services in patch cycles. And because this bug was exploited before the fix shipped, patching closes the door but does not evict anyone who already came through it: a server that was reachable while unpatched should be checked for signs of compromise, not just updated. If you're not sure whether your organization runs on-prem SharePoint, that's worth confirming with IT today rather than assuming someone else already checked.
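One quick way to confirm which SharePoint you are running is the `MicrosoftSharePointTeamServices` response header, which on-prem SharePoint and SharePoint Online both send with a build number. The example below (added here, not from the article) parses that header and maps the build to a product line using the public build numbering; the minimum patched build is not on the page, so it is taken as an input that you fill in from the vendor's fix notes. The product boundaries, the sample headers, and the `MIN_PATCHED` table are assumptions of the example.

```python
"""Added example: triage SharePoint servers from the
MicrosoftSharePointTeamServices response header. Not from the article."""
import re
from typing import Optional, Tuple

HEADER = "MicrosoftSharePointTeamServices"
Build = Tuple[int, int, int, int]


def parse_build(value: str) -> Optional[Build]:
    """'16.0.10396.20000' -> (16, 0, 10396, 20000); None if unparseable."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", value)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def product_for(build: Build) -> str:
    """Map a build to a product line using the public numbering
    (assumption of this example; verify against Microsoft's build tables)."""
    major, minor, patch, _ = build
    if major == 15:
        return "SharePoint 2013"
    if major == 16 and minor == 0:
        if patch == 0:
            return "SharePoint Online"          # cloud reports 16.0.0.x
        if patch < 10000:
            return "SharePoint 2016"            # 16.0.4xxx - 16.0.5xxx
        if patch < 14000:
            return "SharePoint 2019"            # 16.0.10xxx
        return "SharePoint Subscription Edition"  # 16.0.14xxx and up
    return "unknown"


def triage(headers: dict, min_patched: dict) -> dict:
    """headers: response headers of one host; min_patched: product -> lowest
    build that carries the fix (supplied by you, not known to this example)."""
    value = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if value is None:
        return {"sharepoint": False, "product": None, "build": None,
                "status": "header absent (not SharePoint, or stripped by a proxy)"}
    build = parse_build(value)
    if build is None:
        return {"sharepoint": True, "product": None, "build": None,
                "status": "unparseable header"}
    product = product_for(build)
    if product == "SharePoint Online":
        status = "cloud; Microsoft patches"
    elif product in min_patched:
        status = "patched" if build >= min_patched[product] else "NEEDS PATCH"
    else:
        status = "no fix baseline for this product"
    return {"sharepoint": True, "product": product, "build": build, "status": status}


# Hypothetical fix baselines; replace with the builds from the vendor's fix notes.
MIN_PATCHED = {
    "SharePoint 2019": (16, 0, 10400, 0),
    "SharePoint Subscription Edition": (16, 0, 14300, 0),
}

# Constructed sample responses standing in for real captures.
SAMPLE_HOSTS = {
    "intranet.example.test": {"MicrosoftSharePointTeamServices": "16.0.10396.20000"},
    "docs.example.test": {"microsoftsharepointteamservices": "16.0.14326.20450"},
    "tenant.sharepoint.test": {"MicrosoftSharePointTeamServices": "16.0.0.25626"},
    "www.example.test": {"Server": "nginx"},
}


def triage_all(hosts: dict, min_patched: dict) -> dict:
    return {host: triage(headers, min_patched) for host, headers in hosts.items()}


if __name__ == "__main__":
    for host, result in triage_all(SAMPLE_HOSTS, MIN_PATCHED).items():
        print(f"{host}: {result['product']} {result['build']} -> {result['status']}")
```

Feed it real headers from a HEAD request against each host you own. Two caveats: a reverse proxy or WAF may strip the header, so its absence is not proof a server is not SharePoint, and the header is a hint for triage, not a substitute for checking the farm's build from the server itself.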
What this means if you're not in IT
Even outside the server room, this matters. SharePoint holds contracts, HR files, financial documents, and email integrations at thousands of organizations. If your employer or a vendor you work with runs on-prem SharePoint, a breach there can surface your data without you ever clicking a bad link. Worth a quick check with your IT team on whether this one's been patched.
For more on how these deserialization-style enterprise bugs compare to other recent infrastructure risks, see our coverage of the ESA data breach caused by hardcoded credentials and the Amazon One Medical data exposure claim. Enterprise IT spend is also climbing fast right now, which we covered in Samsung's $648 billion AI chip investment, a reminder that security budgets are competing with AI infrastructure budgets for the same dollars.