Back to News

Microsoft SharePoint CVE-2026-45659 — CVSS 8.8 RCE Actively Exploited, CISA KEV 1 July 2026: The 10-Step IT Support Patch Plan Every UK SME Must Run This Week

Microsoft SharePoint CVE-2026-45659 — CVSS 8.8 RCE Actively Exploited, CISA KEV 1 July 2026: The 10-Step IT Support Patch Plan Every UK SME Must Run This Week

On 1 July 2026 the US Cybersecurity and Infrastructure Security Agency added CVE-2026-45659 — a CVSS 8.8 remote code execution flaw in Microsoft SharePoint Server — to its Known Exploited Vulnerabilities (KEV) catalogue. That single administrative act carries a heavy meaning: CISA only adds a vulnerability to the KEV list once it has evidence of active exploitation against real targets. This is no longer a theoretical risk buried in a patch note. Attackers are using CVE-2026-45659 right now, against internet-reachable on-premises SharePoint servers, and a large number of those servers belong to UK small and medium-sized enterprises that never applied the fix.

The uncomfortable detail is the timeline. Microsoft actually patched this vulnerability on 21 May 2026 — but the fix was accidentally omitted from the published May 2026 Security Updates and was quietly added to the release notes weeks later. Many organisations running SharePoint Server 2016, 2019 or Subscription Edition on their own hardware never saw the update land in their normal patch cycle. Six weeks later, the flaw is being exploited in the wild and the Cyber Essentials v3.3 14-day patching window has already been breached by any business that has not remediated. This article breaks down exactly what CVE-2026-45659 is, how the exploitation wave built up, who is exposed, and the 10-step IT support patch plan every UK SME must run this week.

8.8
CVSS score — high-severity RCE for CVE-2026-45659 (CWE-502 deserialization)
1 Jul
Date CISA added the flaw to its KEV catalogue, confirming active exploitation
21 May
Actual patch date — omitted from the published May 2026 Security Updates
14 days
Cyber Essentials v3.3 patching window for critical fixes — already expired

What CVE-2026-45659 actually is — and why on-premises SharePoint is the exposure

SharePoint Server is Microsoft’s on-premises collaboration and document-management platform. It underpins intranets, document libraries, team sites, records management and workflow automation for a very large number of UK organisations that either cannot or have chosen not to move fully to the cloud — professional services firms, manufacturers, legal practices, healthcare providers and public-sector bodies with data-residency, compliance or legacy-integration reasons for keeping SharePoint on their own servers. CVE-2026-45659 affects three of those on-premises editions specifically: SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition.

The flaw itself is a deserialization of untrusted data weakness — CWE-502, one of the most reliably exploitable vulnerability classes in enterprise software. In plain terms, SharePoint accepts a serialised object from a user, and under the affected code path it reconstructs (deserialises) that object without properly validating it. A crafted payload can force the server to instantiate objects and execute code the attacker chooses. The result is remote code execution: the attacker runs their own code on the SharePoint server, in the security context of the SharePoint process. From there they can read every document in the library, harvest credentials cached on the server, move laterally into the wider network, and establish persistence.

Critically, the barrier to entry is low. The attack vector is Network, user interaction is None, and although authentication is required, the privilege needed is minimal — a standard Site Member account is sufficient. In most SharePoint deployments, Site Member is the baseline permission handed to ordinary staff so they can contribute to team sites. Any leaked, phished or reused credential at that level becomes a direct path to full server compromise. Microsoft has characterised the flaw as easy to exploit, with repeatable success against the vulnerable component — meaning an attacker who succeeds once can rely on the technique working again and again. The fixed build for Subscription Edition is 16.0.19725.20280 or later.

The patch existed for six weeks — but many teams never saw it land

What makes CVE-2026-45659 unusually dangerous is not the vulnerability itself but the way the fix was communicated. Microsoft shipped the patch on 21 May 2026, yet it was accidentally omitted from the published May 2026 Security Updates release notes and only added quietly some time afterwards. IT teams that patch by reading Microsoft’s monthly bulletin — which is most SMEs without dedicated security tooling — had no line item telling them this update mattered. The dangerous gap in security is rarely “we knew and ignored it.” It is “we never knew there was anything to apply.” A quietly-released, high-severity SharePoint patch that slips past the monthly bulletin is exactly the kind of update that a proactive, monitored patch-management process catches and an ad-hoc one misses entirely.

How the SharePoint exploitation wave built up in 2026

CVE-2026-45659 did not appear in isolation. On-premises SharePoint has been under sustained attacker attention throughout 2026, and the chronology below shows how a quietly-patched flaw became a confirmed, actively-exploited threat inside six weeks — while a companion vulnerability widened the attack surface further.

April 2026 — SharePoint on-premises zero-day exploited
A separate SharePoint Server zero-day (a different CVE) is exploited in the wild against on-premises deployments, prompting emergency advisories and confirming that threat actors had made on-premises SharePoint a priority target. This established the pattern: the on-premises product line, not the Microsoft-managed cloud, is where the exposure lives, and attackers are actively hunting for internet-reachable SharePoint front ends.
21 May 2026 — Microsoft patches CVE-2026-45659
Microsoft ships the fix for CVE-2026-45659, raising the Subscription Edition build to 16.0.19725.20280. However, the vulnerability is accidentally omitted from the published May 2026 Security Updates and is only added to the documentation later. Organisations that rely on the monthly bulletin to prioritise their patching have no clear signal that a high-severity SharePoint RCE has just been fixed. The 14-day Cyber Essentials v3.3 window for critical patches begins ticking from this date — and expires in early June 2026.
26 May 2026 — Security researchers flag the flaw publicly
Independent security coverage (including Help Net Security) draws attention to CVE-2026-45659 as a deserialization RCE affecting SharePoint 2016, 2019 and Subscription Edition, exploitable by a low-privileged authenticated user with no interaction required. The write-ups note the belated addition to Microsoft’s release notes and warn that the low privilege requirement makes the flaw highly attractive to attackers who already hold, or can phish, ordinary user credentials.
June 2026 — Companion flaw CVE-2026-47294 surfaces
A companion vulnerability, CVE-2026-47294 (CVSS 8.0), is documented in the same deserialization/injection class affecting the same on-premises SharePoint versions. Threat-modelling analysis groups the two together: an unpatched SharePoint server now presents two overlapping high-severity attack surfaces, and the remediation for both is the same — apply the current cumulative update and verify the build number. Organisations still on an unpatched build are exposed on both fronts simultaneously.
Early June 2026 — CE v3.3 14-day window closes for compliant patchers
Any organisation operating under Cyber Essentials v3.3 (the Danzell question set, effective April 2026) is required to apply critical and high-severity patches within 14 days of release. For a 21 May patch, that deadline falls in early June. Businesses that patched on schedule are protected; the far larger group that never registered the update in their cycle are now both exposed and, technically, out of compliance with the scheme they may have certified against.
1 July 2026 — CISA adds CVE-2026-45659 to the KEV catalogue
CISA confirms active exploitation and adds CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue. This is the decisive moment: KEV inclusion is evidence-based, meaning CISA has confirmed the flaw is being used against real targets. US federal agencies are given a remediation deadline; every other organisation is strongly advised to treat KEV entries as top-priority. The same day, Google ships Chrome 150 fixing 382 vulnerabilities including 15 critical — a reminder that the patch-management burden on UK IT teams is relentless and unforgiving of gaps.
3 July 2026 — Today
Two days after KEV inclusion, the exploitation window is fully open and automated scanning for vulnerable SharePoint front ends is under way. Any UK organisation still running SharePoint 2016, 2019 or Subscription Edition below the fixed build is operating a known-exploited system. The instruction “apply the update” is obvious; the hard part is that most UK SMEs do not have a live inventory of their SharePoint build numbers, cannot quickly confirm whether the 21 May patch was applied, and have no compensating controls if it was not.

The SharePoint attack surface — why a collaboration server is such a valuable target

A SharePoint server is not just a file share. It sits at the intersection of an organisation’s documents, identities and internal network, which is precisely what makes remote code execution on it so damaging. The bars below rank the categories of value an attacker unlocks once they achieve code execution on an unpatched SharePoint host — useful for explaining the urgency to non-technical decision-makers.

Full document library & records access (contracts, HR, finance)
Highest value
Cached service-account & farm credentials
Very high value
Lateral movement into Active Directory & internal network
Very high value
Hybrid bridge into Microsoft 365 / Entra ID
High value
Persistence via web shells & scheduled tasks
High value
Ransomware staging across mapped document stores
High value
Personal data exfiltration triggering ICO obligations
Significant value

The single most under-appreciated risk is the third bar: lateral movement. SharePoint servers typically run with privileged service accounts and are joined to the domain, so code execution on the SharePoint host is frequently a stepping stone to broader Active Directory compromise rather than an endpoint in itself. For organisations running a hybrid deployment — on-premises SharePoint connected to Microsoft 365 — the fourth bar matters too: a compromised on-premises server can become the bridge that carries an attacker into the cloud tenant, undermining the assumption that “we are mostly in the cloud, so we are mostly safe.”

How many UK organisations are exposed right now?

Microsoft does not publish on-premises SharePoint deployment numbers by country, and estimating the unpatched share precisely is not possible from public data. The donut below reflects a best-estimate of the proportion of on-premises SharePoint installations still unpatched roughly six weeks after the 21 May fix — informed by industry patch-adoption benchmarks for on-premises Microsoft server products and, crucially, inflated by the fact that this specific patch was omitted from the published bulletin and therefore missed by more teams than a normally-announced update would be.

40%
Estimated share of on-premises SharePoint installations still unpatched six weeks after the 21 May 2026 fix — elevated because the patch was omitted from the published bulletin (industry benchmark; Microsoft does not publish adoption rates)

For a normally-announced high-severity Microsoft server patch, industry benchmarks put the unpatched share at roughly 25–35% six weeks after release — on-premises server patching requires change windows, application-compatibility testing and, for SharePoint farms specifically, careful sequencing across web front ends and application servers. Because CVE-2026-45659 was absent from the published May bulletin, we assess the real unpatched figure to be higher still, in the region of 40%. That represents a large population of UK organisations currently running an internet-adjacent, known-exploited collaboration server with a low-privilege path to full compromise.

The SharePoint exposure grid — where UK SMEs score themselves

Not every SharePoint installation carries the same risk. The score card below covers the eight factors that determine whether an organisation is at immediate risk from CVE-2026-45659, at risk of a secondary wave, or effectively protected despite the noise. Score yourself honestly against each row.

CVE-2026-45659 exposure assessment — on-premises SharePoint UK installations
SharePoint 2016 / 2019 / Subscription Edition below the fixed build (16.0.19725.20280+) High
SharePoint web front end reachable from the internet or extranet High
Large number of Site Member accounts with weak or reused passwords High
No multi-factor authentication enforced on SharePoint sign-in High
Hybrid deployment bridging on-premises SharePoint to Microsoft 365 Mid
No anomalous request monitoring on the SharePoint application tier Mid
SharePoint server not network-segmented from general business systems Mid
Cyber Essentials v3.3 14-day patching SLA not documented for on-premises servers Low

Any organisation scoring High on the first two rows is at immediate risk right now. An unpatched build combined with an internet-reachable front end is a direct exploitation path; the remaining rows determine how far an attacker can travel once inside and how quickly you would notice. The fourth row — no MFA on SharePoint sign-in — deserves special attention, because the flaw’s low-privilege requirement means a single phished Site Member credential is enough to begin the attack, and MFA is the most effective control against credential-based entry.

The cost of an unpatched SharePoint compromise — by business size

The financial impact of a successful SharePoint RCE compromise varies widely with organisation size and the sensitivity of the documents held, but it anchors to measurable categories: incident response, business interruption, regulatory exposure and, in ransomware cases, recovery or ransom costs. The table below shows indicative direct-cost bands for UK organisations of different sizes, based on the typical scenario of an attacker achieving code execution, exfiltrating documents, and either deploying ransomware or selling access.

Organisation size Typical SharePoint footprint Likely detection lag Indicative direct cost of a confirmed compromise
Micro (1–9 staff) Single small farm or legacy 2016 server 2–6 weeks (little or no monitoring) £10,000–£35,000
SME (10–50 staff) SharePoint 2019 intranet + document libraries 1–4 weeks until anomaly noticed £35,000–£150,000
Mid-market (50–250 staff) Multi-server farm, hybrid to Microsoft 365 1–3 weeks (some logging in place) £150,000–£750,000
Large (250–1,000 staff) Subscription Edition farm, records management Days to 2 weeks (SOC or MDR present) £500,000–£2.5m

These figures cover direct costs only. They do not include the ICO 72-hour breach-notification clock that starts the moment personal data is confirmed accessed, the reputational damage of notifying clients whose contracts or case files were held in SharePoint, the potential invalidation of a cyber-insurance claim under a “known vulnerability” exclusion, or the forensic audit needed to establish the full scope of access. For a UK SME without a monitored patch process, a single exploitation of CVE-2026-45659 can escalate from a missed update into an existential event.

Reactive versus proactive SharePoint and patch management

Reactive posture

What most UK SMEs running on-premises SharePoint do today

  • Patch only what appears in the monthly bulletin — and miss anything omitted from it
  • No live inventory of SharePoint build numbers across the farm
  • SharePoint front end exposed to the internet for remote staff convenience
  • No MFA on SharePoint sign-in; many low-privilege Site Member accounts
  • Application-tier logs never reviewed between incidents
  • Discover a compromise only when files are encrypted or a client reports a leak
  • Cyber Essentials v3.3 14-day patching window not tracked for on-premises servers
  • No single accountable owner for verifying that critical patches actually landed

Proactive posture

Where Cloudswitched Managed IT Support takes you

  • Patch status driven by CISA KEV and vendor advisories, not just the monthly bulletin
  • Live inventory of every server build number, verified after each patch cycle
  • SharePoint front end placed behind VPN, reverse proxy or WAF, not open to the internet
  • MFA enforced on all SharePoint and Microsoft 365 sign-in
  • Application-tier and access-log monitoring integrated into 24/7 oversight
  • Proactive alerting on anomalous requests before encryption or exfiltration
  • Cyber Essentials v3.3 14-day patching SLA documented and evidenced
  • A named account manager accountable for confirming every critical patch is applied

The 10-step IT support patch plan every UK SME must run this week

This plan applies whether or not you run SharePoint. Steps 1–5 are SharePoint-specific and close the immediate CVE-2026-45659 and CVE-2026-47294 exposure; steps 6–10 are universal patch-management and IT-support controls that apply to any UK SME running business-critical on-premises or hybrid systems. CVE-2026-45659 is the catalyst, but these steps address the structural gap — the absence of a monitored, accountable patch process — that makes each new quietly-released CVE a crisis rather than a managed event.

Step 1 — Inventory every on-premises SharePoint server and record its exact build number
Day 0 — Immediate
Step 2 — Compare each build against the fixed build (16.0.19725.20280+) to confirm patch status
Day 0
Step 3 — Audit SharePoint internet exposure (which front ends are reachable, and from where?)
Day 0–1
Step 4 — Apply the current cumulative update to all unpatched farms as an emergency change
Day 1–3
Step 5 — Review application-tier logs since 21 May for anomalous requests and web shells
Day 1–3
Step 6 — Enforce MFA on SharePoint and Microsoft 365 sign-in; audit Site Member accounts
Day 3–7
Step 7 — Segment SharePoint from general business systems and place it behind VPN or WAF
Day 5–10
Step 8 — Extend patch verification to all servers, endpoints and browsers (incl. Chrome 150)
Day 7–14
Step 9 — Test backup restoration for SharePoint content and confirm recovery times
Day 10–21
Step 10 — Establish a monitored patch process tracking KEV and vendor advisories to the CE v3.3 14-day SLA
Ongoing

Steps 1–5 remove the immediate exposure. Steps 6–10 fix the structural problem that let a quietly-released patch slip through in the first place. Step 10 is the decisive one: a documented patch process that watches the CISA KEV catalogue and vendor advisories — not just Microsoft’s monthly bulletin — and applies critical fixes within the Cyber Essentials v3.3 14-day window, with a named person accountable for confirming each patch actually landed. That single control would have caught CVE-2026-45659 the moment it appeared in the release notes, regardless of the bulletin omission.

18%
Estimated share of UK SMEs with a documented patch process that tracks KEV and vendor advisories to the CE v3.3 14-day SLA — leaving the great majority reliant on the monthly bulletin alone
Practical tip: reduce the attack surface at the network layer before you patch

If you cannot apply the SharePoint cumulative update immediately because it requires a farm-wide change window and compatibility testing, the fastest compensating control is to remove the SharePoint front end from direct internet exposure. Place it behind a VPN or a reverse proxy with a web application firewall, so that only authenticated, trusted traffic can reach the affected code path. Because CVE-2026-45659 still requires a Site Member credential, enforcing multi-factor authentication on SharePoint sign-in at the same time sharply reduces the chance an attacker can obtain the low-privilege account the exploit needs. These are temporary measures, not a fix — apply the update as soon as your testing window allows, then verify the build number to confirm it landed.

What the SharePoint pattern tells UK businesses about patch discipline in 2026

The most important lesson of CVE-2026-45659 is not about SharePoint specifically — it is about the fragility of a patch process that depends on a vendor’s monthly summary being complete and correct. Microsoft omitted a high-severity RCE from its published May bulletin. That was an administrative error, but it exposed a structural weakness in how most SMEs patch: they react to the bulletin rather than tracking the underlying advisory and CVE data directly. When the bulletin is wrong, the whole downstream process is wrong, and nobody notices until CISA confirms exploitation six weeks later.

This sits against a sobering national backdrop. The UK Government’s Cyber Security Breaches Survey 2025/2026 (DSIT, published 30 April 2026) found that 43% of UK businesses experienced a breach in the previous 12 months — roughly 612,000 businesses. Only 5% hold Cyber Essentials (up from 3%), only 25% have a formal incident response plan, and only 15% formally review the cyber risk of their immediate suppliers. In that environment, a quietly-patched, actively-exploited SharePoint RCE is not an edge case; it is exactly the kind of event that turns a business into part of that 43% statistic. The organisations that will not be caught are the ones treating patch management as a monitored, accountable, evidence-backed process — which is precisely the difference between reactive break-fix support and proactive managed IT support.

At-a-glance reference: CVE-2026-45659 and related facts

Fact Detail
CVE identifier CVE-2026-45659
Vulnerability class CWE-502 — Deserialization of Untrusted Data
CVSS score 8.8 (High)
Impact Remote code execution on the SharePoint server
Affected products SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition
Fixed build (Subscription Edition) 16.0.19725.20280 or later
Attack vector Network
Privileges required Low — Site Member permissions minimum
User interaction None
Patch date 21 May 2026 (omitted from published May 2026 Security Updates, added later)
CISA KEV addition 1 July 2026 — active exploitation confirmed
Companion CVE CVE-2026-47294 (CVSS 8.0, same affected versions)
Cloud exposure None for SharePoint Online (Microsoft 365) — patched at infrastructure level; on-premises is the exposure
UK compliance anchor Cyber Essentials v3.3 — 14-day critical patch window (breached for a 21 May patch)

SharePoint Online — the Microsoft 365 cloud version — is patched by Microsoft at the infrastructure level and is not exposed by this CVE. The exposure is entirely in on-premises deployments. Hybrid deployments, where an on-premises SharePoint farm connects to a Microsoft 365 tenant, deserve particular care: the on-premises server remains vulnerable and can act as a bridge into the cloud environment if compromised.

Related articles from the Cloudswitched news series

CVE-2026-45659 fits a wider 2026 pattern of critical enterprise-software flaws being exploited within weeks of patching. Our recent briefings connect directly: the June 2026 Patch Tuesday (206 CVEs) shows exactly how the sheer volume of monthly patching creates the conditions in which a single omitted update slips through unnoticed; the Oracle E-Business Suite CVE-2026-46817 exploit is the same story in a different product — a patch available for weeks, exploited once attackers reverse-engineered it; the Cisco Unified CM VoIP exploit (CVE-2026-20230) reinforces how quickly a critical flaw moves from advisory to active exploitation. On the governance side, the Cyber Security and Resilience Bill explains why documented patch discipline is becoming a legal expectation, not just good practice; the £2.5bn JLR cyberattack shows the board-level cost when an enterprise system is compromised; and the Scattered Spider TfL conviction is directly relevant here, because the phished, low-privilege credentials that group specialised in are exactly what an attacker needs to meet CVE-2026-45659’s Site Member requirement.

Do you know your SharePoint build number? Are you certain the 21 May patch landed?

CVE-2026-45659 is being exploited via automated scanning — and it was omitted from the very bulletin most teams patch by. Cloudswitched Managed IT Support gives you a live inventory of every server build, patch management driven by CISA KEV and vendor advisories rather than the monthly summary alone, and a dedicated account manager accountable for confirming each critical fix is applied within the Cyber Essentials v3.3 14-day window. If you are not certain your SharePoint estate is patched, we can confirm it for you today.

Talk to us about Managed IT Support

Frequently asked questions

What exactly is CVE-2026-45659 and which SharePoint versions are affected?
CVE-2026-45659 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint Server that allows remote code execution. It carries a CVSS score of 8.8 (High). It affects the on-premises editions: SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. The attack is delivered over the network with no user interaction, and requires only a low-privilege authenticated account — Site Member permissions are sufficient. The fixed build for Subscription Edition is 16.0.19725.20280 or later. SharePoint Online, the Microsoft 365 cloud version, is patched by Microsoft at the infrastructure level and is not affected.
Why did so many organisations miss the patch if it was released in May?
Because the fix was accidentally omitted from Microsoft’s published May 2026 Security Updates and only added to the release notes quietly some time later. Most SMEs prioritise their patching by reading Microsoft’s monthly bulletin, so if a high-severity fix is missing from that summary, it simply does not appear on their to-do list. The patch was genuinely available from 21 May 2026, but the communication gap meant many teams had no signal that it mattered. This is precisely why a robust patch process should track the underlying CVE and advisory data — and the CISA KEV catalogue — rather than relying solely on a vendor’s monthly summary being complete.
We use SharePoint Online in Microsoft 365. Are we affected?
No — not directly. SharePoint Online is the cloud version hosted and maintained by Microsoft, and it is patched at the infrastructure level, so this CVE does not create an action for pure cloud customers. The exposure is entirely in on-premises SharePoint Server deployments. However, two caveats apply. First, if you run a hybrid deployment — an on-premises SharePoint farm connected to your Microsoft 365 tenant — the on-premises server is vulnerable and could act as a bridge into your cloud environment if compromised. Second, even fully cloud-based organisations should confirm they have no forgotten legacy on-premises SharePoint server still running, as these are exactly the systems that get missed.
How urgent is this, really? It only scores 8.8, not 9.8.
The CVSS score is only part of the picture. What matters far more is that CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalogue on 1 July 2026, which means active exploitation against real targets has been confirmed. A vulnerability being exploited in the wild is more urgent than a higher-scored flaw that is not. On top of that, the low privilege requirement (a standard Site Member account), the lack of any user interaction, and Microsoft’s own characterisation of the flaw as easy to exploit repeatedly all make it highly attractive to attackers. Treat any KEV-listed vulnerability affecting your systems as top priority regardless of its exact CVSS number.
What is CVE-2026-47294 and do we need to worry about it too?
CVE-2026-47294 is a companion vulnerability (CVSS 8.0) in the same deserialization/injection class, affecting the same on-premises SharePoint versions. Security analysts have grouped the two together because they present overlapping high-severity attack surfaces on the same product. The good news is that the remediation is the same: applying the current cumulative update and verifying the build number addresses both. Practically, you should not think of them as two separate projects — treat “bring the SharePoint farm to the current patched build and verify it” as one action that closes both CVE-2026-45659 and CVE-2026-47294 at once.
Our SharePoint server is on-premises but behind our firewall. Are we safe?
Safer, but not necessarily safe. The critical question is whether the SharePoint front end is reachable via the network from anywhere an attacker could get to — which includes your corporate VPN if a VPN device is compromised, any extranet or partner-access configuration, and lateral movement from any other compromised internal system such as a staff laptop hit by phishing. Because the exploit only needs a low-privilege Site Member credential, an attacker who has already phished one ordinary user account and can reach the server internally is in a position to exploit it. A truly isolated SharePoint server with no external reachability and no path from compromised endpoints is far lower risk, but almost no production SharePoint deployment is fully isolated. Confirm the patch is applied regardless.
How do we check whether our SharePoint server is already patched?
Check the exact build number of each SharePoint server in your farm and compare it against the fixed build. For Subscription Edition, you need 16.0.19725.20280 or later; for 2016 and 2019, confirm the current cumulative update that includes the CVE-2026-45659 fix has been installed. The build number can be verified in Central Administration under the servers-in-farm view, or via PowerShell. The important discipline is not just to apply an update but to verify afterwards that the build number actually incremented to the fixed level on every server in the farm — front ends and application servers alike. A patch that was started but did not complete cleanly across all nodes leaves you exposed while appearing done.
Does this affect our Cyber Essentials certification?
Potentially, yes. Cyber Essentials v3.3 (the Danzell question set, effective April 2026) requires critical and high-severity patches to be applied within 14 days of release. For a patch dated 21 May 2026, that deadline fell in early June. Any organisation that has certified under v3.3 and has not applied this update is technically out of compliance with the patching requirement, and would need to remediate before its next assessment. More importantly, if a breach occurred via an unpatched flaw that a certified scheme required you to fix within 14 days, both your certification status and any cyber-insurance claim could be affected. The remedy is the same either way: patch now, verify the build, and document the date of application as evidence.
We do not have in-house IT. How do we handle something like this?
This is exactly the scenario managed IT support exists to prevent. An organisation without dedicated IT has no one whose job it is to read advisories, maintain a build inventory, notice that a patch was omitted from the bulletin, and confirm updates actually landed — which is why quietly-released flaws like CVE-2026-45659 are most dangerous for smaller businesses. A managed IT support arrangement provides proactive monitoring, structured patch management driven by CISA KEV and vendor advisories rather than the monthly summary alone, and a dedicated account manager accountable for verifying every critical fix. It converts patching from an ad-hoc task nobody owns into a documented, evidenced process aligned to the Cyber Essentials v3.3 14-day SLA.
What should we do if we think we may already have been compromised?
If you suspect exploitation has occurred, your priorities are: contain (restrict network access to the SharePoint server or take it offline); preserve (take a forensic snapshot of the server before applying any changes, as this is needed for incident response and insurance); review (examine the SharePoint application-tier and IIS logs from 21 May 2026 onwards for anomalous requests, unexpected process execution, new files in web directories or signs of a web shell); and notify (your cyber insurer’s incident hotline, your IT support or incident-response partner, and — if personal data was accessed — begin the ICO 72-hour clock). Do not simply patch and move on if you suspect compromise, because patching may overwrite forensic evidence and will not remove any persistence an attacker has already established. Preserve first, investigate, then remediate.

Patch management that catches the update nobody announced

CVE-2026-45659 slipped past the monthly bulletin, sat unpatched for six weeks, and is now on the CISA KEV list. The businesses caught out are the ones with no monitored process to catch a quietly-released critical fix. Cloudswitched Managed IT Support gives your organisation proactive monitoring, structured patch management tracked to the Cyber Essentials v3.3 14-day window, and a dedicated account manager who confirms each update actually landed — so the next omitted patch is caught as routine, not discovered as an incident.

Talk to us about Managed IT Support
Tags:IT SupportCyber SecurityNetwork AdminMicrosoft 365
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Managed IT Support

Proactive monitoring, helpdesk and on-site support for London businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

14
  • Network Admin

Wireless Site Surveys: Why They Matter for Wi-Fi Performance

14 Nov, 2025

Read more
19
  • IT Support

Proactive vs Reactive IT Support

19 Jun, 2025

Read more
20
  • Web Development

How to Plan a Website Migration Without Breaking Links

20 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.