Active Exploitation of Microsoft SharePoint RCE (CVE‑2026‑45659) Triggers Urgent Patch Mandate
What Happened — CISA has added CVE‑2026‑45659, a high‑severity remote code execution flaw in Microsoft SharePoint, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows any authenticated user with low‑privilege “Site Member” rights to execute arbitrary code on unpatched SharePoint servers without user interaction. Microsoft issued patches for SharePoint 2016, 2019, and Subscription Edition on May 21, 2026, but thousands of servers remain exposed.
Why It Matters for Compliance & Audit Readiness
- The flaw directly violates SOC 2 CC6.1 (System Operations) and CC6.2 (Change Management) requirements that mandate timely patching of known vulnerabilities.
- Continuous evidence of patch status is essential to demonstrate due diligence during a SOC 2 audit, especially for organizations that host or consume SharePoint services.
- Mapping this vulnerability to your control framework provides a defensible audit trail and helps satisfy CISA’s BOD 26‑04 directive for federal agencies and any downstream contractors.
Who Is Affected – Enterprises across all verticals that run on‑premises or hosted Microsoft SharePoint (e.g., technology SaaS providers, professional services firms, government agencies).
Recommended Actions
- Inventory all SharePoint instances and verify patch level against Microsoft KB 2026‑45659.
- Apply the May 2026 security updates immediately; prioritize any publicly‑exposed servers.
- Record patch‑deployment evidence in a centralized control‑mapping repository to satisfy SOC 2 audit requirements.
- Enable continuous vulnerability scanning and integrate findings with your compliance dashboard.
Source: BleepingComputer
Technical Notes – The vulnerability stems from deserialization of untrusted data; it is exploitable over the network (AV:N) with low attack complexity (AC:L). No admin privileges are required; a user with Site Member rights can trigger code execution. Over 10 000 SharePoint servers are known to be exposed online.