Organisations using on-premises Microsoft SharePoint Server are being urged to act quickly after a high-severity vulnerability was added to CISA's Known Exploited Vulnerabilities catalogue following confirmed real-world attacks.
That creates a serious risk because Site Member access is commonly assigned to users who need to collaborate on documents, project sites or departmental content. A stolen password or compromised low-level account could potentially be enough for an attacker to gain control of the SharePoint server.
Once inside, the attacker may attempt to install web shells, establish persistence, access sensitive files, steal information or move laterally into other systems connected to the wider network.
Active Exploitation Raises the Urgency
CISA's decision to add the vulnerability to its Known Exploited Vulnerabilities catalogue means the threat is no longer theoretical.
While public details about the attackers and the exact exploitation techniques remain limited, organisations should assume that externally accessible SharePoint environments are at greater risk. SharePoint servers are often used to store confidential documents, support internal collaboration and connect teams across departments, making them an attractive target for cybercriminals.
A typical attack could begin with an attacker obtaining legitimate credentials, sending a malicious payload to the affected SharePoint server, and then using the resulting code execution to perform further activity inside the organisation.
Affected SharePoint Versions
• Microsoft SharePoint Server 2019
• Microsoft SharePoint Enterprise Server 2016
Organisations running these versions should verify that the relevant May 2026 Microsoft security updates have been applied.
What IT Teams Should Do Now
Applying the available security update should be the immediate priority. However, patching should be supported by a wider review of SharePoint exposure, permissions and monitoring.
Key actions include:
• Review Site Member permissions and limit access to trusted users who genuinely need it.
• Reduce unnecessary internet exposure for SharePoint servers and use VPN access where practical.
• Monitor SharePoint and Windows logs for unusual sign-ins, unexpected process activity or indications of web shells.
• Check internet-facing SharePoint servers for possible compromise and rotate credentials if suspicious access is detected.
Final Thoughts
This incident is a reminder that a low-privilege account can still create a major security issue when a vulnerable server is exposed.
For organisations that continue to operate on-premises SharePoint, the focus should not only be on installing the patch. Reviewing access rights, reducing direct exposure and looking for signs of previous compromise are equally important to limit the impact of an actively exploited vulnerability.


Comments