CISA, the US federal cyber-defence agency, added CVE-2026-45659, a remote-code-execution (RCE) flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalogue on Wednesday 1 July, with a Federal Civilian Executive Branch (FCEB) remediation deadline of today, Saturday 4 July. That is a three-day window on the most widely deployed on-premises collaboration platform across government and enterprise estates. The catalogue lists ransomware use as "Unknown". 1
The flaw falls under BOD 26-04, the risk-tiered Binding Operational Directive that replaced patch-by-deadline enforcement on 10 June . A deserialisation-of-untrusted-data vulnerability lets an attacker feed crafted input that the server rebuilds into running code, and SharePoint's ubiquity across on-premises estates is what makes a three-day clock uncomfortable. Nothing else on the catalogue this fortnight runs tighter.
