search

LEMON BLOG

Actively Exploited SharePoint Flaw Puts On-Premises Servers at Risk

Organisations using on-premises Microsoft SharePoint Server are being urged to act quickly after a high-severity vulnerability was added to CISA's Known Exploited Vulnerabilities catalogue following confirmed real-world attacks. 

The issue, tracked as CVE-2026-45659, affects several SharePoint Server editions and could allow an attacker with basic Site Member access to execute malicious code directly on a vulnerable server. With a CVSS severity score of 8.8, the flaw should be treated as a priority for IT and cybersecurity teams.

Why This Vulnerability Matters

The vulnerability stems from how SharePoint processes serialised data from untrusted sources. An attacker who has valid SharePoint credentials, even without administrator-level permissions, may be able to submit a specially crafted request that triggers remote code execution.

That creates a serious risk because Site Member access is commonly assigned to users who need to collaborate on documents, project sites or departmental content. A stolen password or compromised low-level account could potentially be enough for an attacker to gain control of the SharePoint server.

Once inside, the attacker may attempt to install web shells, establish persistence, access sensitive files, steal information or move laterally into other systems connected to the wider network.

Active Exploitation Raises the Urgency

CISA's decision to add the vulnerability to its Known Exploited Vulnerabilities catalogue means the threat is no longer theoretical.

While public details about the attackers and the exact exploitation techniques remain limited, organisations should assume that externally accessible SharePoint environments are at greater risk. SharePoint servers are often used to store confidential documents, support internal collaboration and connect teams across departments, making them an attractive target for cybercriminals.

A typical attack could begin with an attacker obtaining legitimate credentials, sending a malicious payload to the affected SharePoint server, and then using the resulting code execution to perform further activity inside the organisation.

Affected SharePoint Versions

The advisory identifies these on-premises products as affected:

Organisations running these versions should verify that the relevant May 2026 Microsoft security updates have been applied.

What IT Teams Should Do Now

Applying the available security update should be the immediate priority. However, patching should be supported by a wider review of SharePoint exposure, permissions and monitoring.

Key actions include:

Final Thoughts

This incident is a reminder that a low-privilege account can still create a major security issue when a vulnerable server is exposed.

For organisations that continue to operate on-premises SharePoint, the focus should not only be on installing the patch. Reviewing access rights, reducing direct exposure and looking for signs of previous compromise are equally important to limit the impact of an actively exploited vulnerability.

New Microsoft 365 Phishing Service Uses Device Cod...
Best AI-Powered Prototyping Tools for Turning Text...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Tuesday, 07 July 2026

Captcha Image

LEMON VIDEO CHANNELS

Step into a world where web design & development, gaming & retro gaming, and guitar covers & shredding collide! Whether you're looking for expert web development insights, nostalgic arcade action, or electrifying guitar solos, this is the place for you. Now also featuring content on TikTok, we’re bringing creativity, music, and tech straight to your screen. Subscribe and join the ride—because the future is bold, fun, and full of possibilities!

My TikTok Video Collection