US government warns that attackers are already exploiting a SharePoint Server flaw

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on July 1 after confirming active exploitation. The flaw allows remote code execution on unpatched on-premises SharePoint Server 2016, 2019, and Subscription Edition. Microsoft released a patch in May. Federal agencies were required to remediate by July 4 under binding directive BOD 26-04. SharePoint Online in Microsoft 365 is not affected.
Before this listing, most hybrid tenants treated on-premises SharePoint as a contained legacy system whose patching could be scheduled around other work. The confirmed exploitation changes the risk calculation because an attacker who gains code execution on an on-prem server can leverage existing hybrid trusts, directory sync accounts, or guest links to reach cloud resources. The practical result is that any remaining on-premises farms now represent a direct path into the Microsoft 365 environment that most small admin teams assumed was already segmented.
Analysis
If you still run any on-premises SharePoint that cannot be patched in the next 48 hours, take it offline or place it behind a network segment with no route to your Microsoft 365 tenant until it is updated.
Pulse published by Collab365 Spaces, reviewed by Helen Jones on . Cite as "US government warns that attackers are already exploiting a SharePoint Server flaw", Collab365 Spaces. 2 sources referenced.