Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

SharePoint patch clock runs out today

2 min read
08:46UTC

CISA gave federal agencies three days to remediate an actively exploited SharePoint code-execution flaw, with today's deadline the tightest on the catalogue.

TechnologyDeveloping
Key takeaway

SharePoint's three-day KEV deadline lands today, the tightest federal patch clock of the fortnight.

CISA, the US federal cyber-defence agency, added CVE-2026-45659, a remote-code-execution (RCE) flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalogue on Wednesday 1 July, with a Federal Civilian Executive Branch (FCEB) remediation deadline of today, Saturday 4 July. That is a three-day window on the most widely deployed on-premises collaboration platform across government and enterprise estates. The catalogue lists ransomware use as "Unknown". 1

The flaw falls under BOD 26-04, the risk-tiered Binding Operational Directive that replaced patch-by-deadline enforcement on 10 June . A deserialisation-of-untrusted-data vulnerability lets an attacker feed crafted input that the server rebuilds into running code, and SharePoint's ubiquity across on-premises estates is what makes a three-day clock uncomfortable. Nothing else on the catalogue this fortnight runs tighter.

Deep Analysis

In plain English

SharePoint is a Microsoft tool that companies and governments use to share documents and manage internal websites. A flaw was found in the version installed on an organisation's own servers, rather than Microsoft's version, that lets an attacker send it corrupted data and gain control of the machine. The US government's cyber-defence agency ordered its own agencies to fix the flaw within three days of listing it, an unusually tight deadline, even though nobody has yet confirmed a ransomware gang is actively using it. The urgency comes from experience: a similar SharePoint flaw last year was used to break into government and manufacturing networks worldwide within about two weeks of becoming public.

Deep Analysis
Root Causes

CISA's BOD 26-04, which replaced the flat two-week patching mandate of BOD 22-01 on 10 June, sorts vulnerabilities into risk tiers with compressed deadlines for internet-facing remote-code flaws; a three-day window here is the tiering working as designed, not an emergency exception.

Many federal agencies still run SharePoint Server on-premises rather than the cloud version, often because of data-residency rules or a decade of custom workflow additions, which keeps a legacy deserialisation attack surface alive long after Microsoft's own roadmap pushed customers toward the hosted product.

What could happen next?
  • Risk

    Agencies still running on-premises SharePoint Server face the same three-day clock regardless of patch-testing capacity, raising the odds some will remediate late, as happened with the Splunk and Ubiquiti deadlines this same fortnight (ID:4471, ID:4473).

  • Precedent

    If exploitation follows the ToolShell timeline, ransomware use could move from Unknown to confirmed within two to three weeks of the 1 July listing.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

CISA· 4 Jul 2026
Read original
Causes and effects
This Event
SharePoint patch clock runs out today
A three-day deadline on the most widely deployed on-premises collaboration server is the first hard test of how fast agencies can move under the new triage regime.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.