On 1 July 2026 the US Cybersecurity and Infrastructure Security Agency added CVE-2026-45659 — a CVSS 8.8 remote code execution flaw in Microsoft SharePoint Server — to its Known Exploited Vulnerabilities (KEV) catalogue. That single administrative act carries a heavy meaning: CISA only adds a vulnerability to the KEV list once it has evidence of active exploitation against real targets. This is no longer a theoretical risk buried in a patch note. Attackers are using CVE-2026-45659 right now, against internet-reachable on-premises SharePoint servers, and a large number of those servers belong to UK small and medium-sized enterprises that never applied the fix.
The uncomfortable detail is the timeline. Microsoft actually patched this vulnerability on 21 May 2026 — but the fix was accidentally omitted from the published May 2026 Security Updates and was quietly added to the release notes weeks later. Many organisations running SharePoint Server 2016, 2019 or Subscription Edition on their own hardware never saw the update land in their normal patch cycle. Six weeks later, the flaw is being exploited in the wild and the Cyber Essentials v3.3 14-day patching window has already been breached by any business that has not remediated. This article breaks down exactly what CVE-2026-45659 is, how the exploitation wave built up, who is exposed, and the 10-step IT support patch plan every UK SME must run this week.
What CVE-2026-45659 actually is — and why on-premises SharePoint is the exposure
SharePoint Server is Microsoft’s on-premises collaboration and document-management platform. It underpins intranets, document libraries, team sites, records management and workflow automation for a very large number of UK organisations that either cannot or have chosen not to move fully to the cloud — professional services firms, manufacturers, legal practices, healthcare providers and public-sector bodies with data-residency, compliance or legacy-integration reasons for keeping SharePoint on their own servers. CVE-2026-45659 affects three of those on-premises editions specifically: SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition.
The flaw itself is a deserialization of untrusted data weakness — CWE-502, one of the most reliably exploitable vulnerability classes in enterprise software. In plain terms, SharePoint accepts a serialised object from a user, and under the affected code path it reconstructs (deserialises) that object without properly validating it. A crafted payload can force the server to instantiate objects and execute code the attacker chooses. The result is remote code execution: the attacker runs their own code on the SharePoint server, in the security context of the SharePoint process. From there they can read every document in the library, harvest credentials cached on the server, move laterally into the wider network, and establish persistence.
Critically, the barrier to entry is low. The attack vector is Network, user interaction is None, and although authentication is required, the privilege needed is minimal — a standard Site Member account is sufficient. In most SharePoint deployments, Site Member is the baseline permission handed to ordinary staff so they can contribute to team sites. Any leaked, phished or reused credential at that level becomes a direct path to full server compromise. Microsoft has characterised the flaw as easy to exploit, with repeatable success against the vulnerable component — meaning an attacker who succeeds once can rely on the technique working again and again. The fixed build for Subscription Edition is 16.0.19725.20280 or later.
What makes CVE-2026-45659 unusually dangerous is not the vulnerability itself but the way the fix was communicated. Microsoft shipped the patch on 21 May 2026, yet it was accidentally omitted from the published May 2026 Security Updates release notes and only added quietly some time afterwards. IT teams that patch by reading Microsoft’s monthly bulletin — which is most SMEs without dedicated security tooling — had no line item telling them this update mattered. The dangerous gap in security is rarely “we knew and ignored it.” It is “we never knew there was anything to apply.” A quietly-released, high-severity SharePoint patch that slips past the monthly bulletin is exactly the kind of update that a proactive, monitored patch-management process catches and an ad-hoc one misses entirely.
How the SharePoint exploitation wave built up in 2026
CVE-2026-45659 did not appear in isolation. On-premises SharePoint has been under sustained attacker attention throughout 2026, and the chronology below shows how a quietly-patched flaw became a confirmed, actively-exploited threat inside six weeks — while a companion vulnerability widened the attack surface further.
The SharePoint attack surface — why a collaboration server is such a valuable target
A SharePoint server is not just a file share. It sits at the intersection of an organisation’s documents, identities and internal network, which is precisely what makes remote code execution on it so damaging. The bars below rank the categories of value an attacker unlocks once they achieve code execution on an unpatched SharePoint host — useful for explaining the urgency to non-technical decision-makers.
The single most under-appreciated risk is the third bar: lateral movement. SharePoint servers typically run with privileged service accounts and are joined to the domain, so code execution on the SharePoint host is frequently a stepping stone to broader Active Directory compromise rather than an endpoint in itself. For organisations running a hybrid deployment — on-premises SharePoint connected to Microsoft 365 — the fourth bar matters too: a compromised on-premises server can become the bridge that carries an attacker into the cloud tenant, undermining the assumption that “we are mostly in the cloud, so we are mostly safe.”
How many UK organisations are exposed right now?
Microsoft does not publish on-premises SharePoint deployment numbers by country, and estimating the unpatched share precisely is not possible from public data. The donut below reflects a best-estimate of the proportion of on-premises SharePoint installations still unpatched roughly six weeks after the 21 May fix — informed by industry patch-adoption benchmarks for on-premises Microsoft server products and, crucially, inflated by the fact that this specific patch was omitted from the published bulletin and therefore missed by more teams than a normally-announced update would be.
For a normally-announced high-severity Microsoft server patch, industry benchmarks put the unpatched share at roughly 25–35% six weeks after release — on-premises server patching requires change windows, application-compatibility testing and, for SharePoint farms specifically, careful sequencing across web front ends and application servers. Because CVE-2026-45659 was absent from the published May bulletin, we assess the real unpatched figure to be higher still, in the region of 40%. That represents a large population of UK organisations currently running an internet-adjacent, known-exploited collaboration server with a low-privilege path to full compromise.
The SharePoint exposure grid — where UK SMEs score themselves
Not every SharePoint installation carries the same risk. The score card below covers the eight factors that determine whether an organisation is at immediate risk from CVE-2026-45659, at risk of a secondary wave, or effectively protected despite the noise. Score yourself honestly against each row.
Any organisation scoring High on the first two rows is at immediate risk right now. An unpatched build combined with an internet-reachable front end is a direct exploitation path; the remaining rows determine how far an attacker can travel once inside and how quickly you would notice. The fourth row — no MFA on SharePoint sign-in — deserves special attention, because the flaw’s low-privilege requirement means a single phished Site Member credential is enough to begin the attack, and MFA is the most effective control against credential-based entry.
The cost of an unpatched SharePoint compromise — by business size
The financial impact of a successful SharePoint RCE compromise varies widely with organisation size and the sensitivity of the documents held, but it anchors to measurable categories: incident response, business interruption, regulatory exposure and, in ransomware cases, recovery or ransom costs. The table below shows indicative direct-cost bands for UK organisations of different sizes, based on the typical scenario of an attacker achieving code execution, exfiltrating documents, and either deploying ransomware or selling access.
| Organisation size | Typical SharePoint footprint | Likely detection lag | Indicative direct cost of a confirmed compromise |
|---|---|---|---|
| Micro (1–9 staff) | Single small farm or legacy 2016 server | 2–6 weeks (little or no monitoring) | £10,000–£35,000 |
| SME (10–50 staff) | SharePoint 2019 intranet + document libraries | 1–4 weeks until anomaly noticed | £35,000–£150,000 |
| Mid-market (50–250 staff) | Multi-server farm, hybrid to Microsoft 365 | 1–3 weeks (some logging in place) | £150,000–£750,000 |
| Large (250–1,000 staff) | Subscription Edition farm, records management | Days to 2 weeks (SOC or MDR present) | £500,000–£2.5m |
These figures cover direct costs only. They do not include the ICO 72-hour breach-notification clock that starts the moment personal data is confirmed accessed, the reputational damage of notifying clients whose contracts or case files were held in SharePoint, the potential invalidation of a cyber-insurance claim under a “known vulnerability” exclusion, or the forensic audit needed to establish the full scope of access. For a UK SME without a monitored patch process, a single exploitation of CVE-2026-45659 can escalate from a missed update into an existential event.
Reactive versus proactive SharePoint and patch management
Reactive posture
What most UK SMEs running on-premises SharePoint do today
- Patch only what appears in the monthly bulletin — and miss anything omitted from it
- No live inventory of SharePoint build numbers across the farm
- SharePoint front end exposed to the internet for remote staff convenience
- No MFA on SharePoint sign-in; many low-privilege Site Member accounts
- Application-tier logs never reviewed between incidents
- Discover a compromise only when files are encrypted or a client reports a leak
- Cyber Essentials v3.3 14-day patching window not tracked for on-premises servers
- No single accountable owner for verifying that critical patches actually landed
Proactive posture
Where Cloudswitched Managed IT Support takes you
- Patch status driven by CISA KEV and vendor advisories, not just the monthly bulletin
- Live inventory of every server build number, verified after each patch cycle
- SharePoint front end placed behind VPN, reverse proxy or WAF, not open to the internet
- MFA enforced on all SharePoint and Microsoft 365 sign-in
- Application-tier and access-log monitoring integrated into 24/7 oversight
- Proactive alerting on anomalous requests before encryption or exfiltration
- Cyber Essentials v3.3 14-day patching SLA documented and evidenced
- A named account manager accountable for confirming every critical patch is applied
The 10-step IT support patch plan every UK SME must run this week
This plan applies whether or not you run SharePoint. Steps 1–5 are SharePoint-specific and close the immediate CVE-2026-45659 and CVE-2026-47294 exposure; steps 6–10 are universal patch-management and IT-support controls that apply to any UK SME running business-critical on-premises or hybrid systems. CVE-2026-45659 is the catalyst, but these steps address the structural gap — the absence of a monitored, accountable patch process — that makes each new quietly-released CVE a crisis rather than a managed event.
Steps 1–5 remove the immediate exposure. Steps 6–10 fix the structural problem that let a quietly-released patch slip through in the first place. Step 10 is the decisive one: a documented patch process that watches the CISA KEV catalogue and vendor advisories — not just Microsoft’s monthly bulletin — and applies critical fixes within the Cyber Essentials v3.3 14-day window, with a named person accountable for confirming each patch actually landed. That single control would have caught CVE-2026-45659 the moment it appeared in the release notes, regardless of the bulletin omission.
If you cannot apply the SharePoint cumulative update immediately because it requires a farm-wide change window and compatibility testing, the fastest compensating control is to remove the SharePoint front end from direct internet exposure. Place it behind a VPN or a reverse proxy with a web application firewall, so that only authenticated, trusted traffic can reach the affected code path. Because CVE-2026-45659 still requires a Site Member credential, enforcing multi-factor authentication on SharePoint sign-in at the same time sharply reduces the chance an attacker can obtain the low-privilege account the exploit needs. These are temporary measures, not a fix — apply the update as soon as your testing window allows, then verify the build number to confirm it landed.
What the SharePoint pattern tells UK businesses about patch discipline in 2026
The most important lesson of CVE-2026-45659 is not about SharePoint specifically — it is about the fragility of a patch process that depends on a vendor’s monthly summary being complete and correct. Microsoft omitted a high-severity RCE from its published May bulletin. That was an administrative error, but it exposed a structural weakness in how most SMEs patch: they react to the bulletin rather than tracking the underlying advisory and CVE data directly. When the bulletin is wrong, the whole downstream process is wrong, and nobody notices until CISA confirms exploitation six weeks later.
This sits against a sobering national backdrop. The UK Government’s Cyber Security Breaches Survey 2025/2026 (DSIT, published 30 April 2026) found that 43% of UK businesses experienced a breach in the previous 12 months — roughly 612,000 businesses. Only 5% hold Cyber Essentials (up from 3%), only 25% have a formal incident response plan, and only 15% formally review the cyber risk of their immediate suppliers. In that environment, a quietly-patched, actively-exploited SharePoint RCE is not an edge case; it is exactly the kind of event that turns a business into part of that 43% statistic. The organisations that will not be caught are the ones treating patch management as a monitored, accountable, evidence-backed process — which is precisely the difference between reactive break-fix support and proactive managed IT support.
At-a-glance reference: CVE-2026-45659 and related facts
| Fact | Detail |
|---|---|
| CVE identifier | CVE-2026-45659 |
| Vulnerability class | CWE-502 — Deserialization of Untrusted Data |
| CVSS score | 8.8 (High) |
| Impact | Remote code execution on the SharePoint server |
| Affected products | SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
| Fixed build (Subscription Edition) | 16.0.19725.20280 or later |
| Attack vector | Network |
| Privileges required | Low — Site Member permissions minimum |
| User interaction | None |
| Patch date | 21 May 2026 (omitted from published May 2026 Security Updates, added later) |
| CISA KEV addition | 1 July 2026 — active exploitation confirmed |
| Companion CVE | CVE-2026-47294 (CVSS 8.0, same affected versions) |
| Cloud exposure | None for SharePoint Online (Microsoft 365) — patched at infrastructure level; on-premises is the exposure |
| UK compliance anchor | Cyber Essentials v3.3 — 14-day critical patch window (breached for a 21 May patch) |
SharePoint Online — the Microsoft 365 cloud version — is patched by Microsoft at the infrastructure level and is not exposed by this CVE. The exposure is entirely in on-premises deployments. Hybrid deployments, where an on-premises SharePoint farm connects to a Microsoft 365 tenant, deserve particular care: the on-premises server remains vulnerable and can act as a bridge into the cloud environment if compromised.
Related articles from the Cloudswitched news series
CVE-2026-45659 fits a wider 2026 pattern of critical enterprise-software flaws being exploited within weeks of patching. Our recent briefings connect directly: the June 2026 Patch Tuesday (206 CVEs) shows exactly how the sheer volume of monthly patching creates the conditions in which a single omitted update slips through unnoticed; the Oracle E-Business Suite CVE-2026-46817 exploit is the same story in a different product — a patch available for weeks, exploited once attackers reverse-engineered it; the Cisco Unified CM VoIP exploit (CVE-2026-20230) reinforces how quickly a critical flaw moves from advisory to active exploitation. On the governance side, the Cyber Security and Resilience Bill explains why documented patch discipline is becoming a legal expectation, not just good practice; the £2.5bn JLR cyberattack shows the board-level cost when an enterprise system is compromised; and the Scattered Spider TfL conviction is directly relevant here, because the phished, low-privilege credentials that group specialised in are exactly what an attacker needs to meet CVE-2026-45659’s Site Member requirement.
Do you know your SharePoint build number? Are you certain the 21 May patch landed?
CVE-2026-45659 is being exploited via automated scanning — and it was omitted from the very bulletin most teams patch by. Cloudswitched Managed IT Support gives you a live inventory of every server build, patch management driven by CISA KEV and vendor advisories rather than the monthly summary alone, and a dedicated account manager accountable for confirming each critical fix is applied within the Cyber Essentials v3.3 14-day window. If you are not certain your SharePoint estate is patched, we can confirm it for you today.
Talk to us about Managed IT SupportFrequently asked questions
Patch management that catches the update nobody announced
CVE-2026-45659 slipped past the monthly bulletin, sat unpatched for six weeks, and is now on the CISA KEV list. The businesses caught out are the ones with no monitored process to catch a quietly-released critical fix. Cloudswitched Managed IT Support gives your organisation proactive monitoring, structured patch management tracked to the Cyber Essentials v3.3 14-day window, and a dedicated account manager who confirms each update actually landed — so the next omitted patch is caught as routine, not discovered as an incident.
Talk to us about Managed IT Support


