For federal agencies running on-premises Microsoft SharePoint, a single security decision made this week supersedes the one Microsoft made in May. The Cybersecurity and Infrastructure Security Agency added CVE-2026-45659, an insecure-deserialization flaw in on-premises SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 2, after confirming attackers are using it in the wild. The same bug had shipped with a Microsoft Exploitability Index rating of "Less Likely", a label meaning the vendor's analysts did not expect reliable exploit code to appear in the first 30 days after the advisory, not that the bug was harmless.
The gap between those two signals is now driving enterprise patching pressure. CISA's Known Exploited Vulnerabilities catalog tracks vulnerabilities the agency has confirmed are being weaponized against real targets. When a CVE lands there, Binding Operational Directive 26-04 gives federal civilian agencies a fixed window to patch, remove, or otherwise mitigate the affected product, with a stated deadline of no later than July 4 for CVE-2026-45659.
The technical mechanism is not exotic. CVE-2026-45659 is an insecure-deserialization vulnerability in the on-premises SharePoint Server line, which includes SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Deserialization flaws arise when a server rebuilds objects from serialized data an attacker controls: if the attacker can choose which types get instantiated, the constructors and reconstruction hooks of classes already present on the server can be chained into remote code execution. Microsoft's advisory notes that any authenticated attacker with only Site Member permissions can trigger the vulnerability; it is not a pre-authentication bug, but it does not require site collection administrator, farm administrator, or other elevated rights either. The CVSS base score is 8.8, the value that network-reachable, low-privilege, no-user-interaction code execution with full confidentiality, integrity and availability impact scores under CVSS 3.1.
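The mechanism in miniature, as an added illustration that is not code from the page, from Microsoft, or from any exploit: CVE-2026-45659 itself lives in .NET and nothing below reproduces it. Python's pickle is used because it shows the same pattern in a few runnable lines: the deserializer resolves a type name the attacker chose and runs that type's reconstruction hook before the application ever sees the object. The Gadget and SiteSetting classes, the EXECUTED marker list and the allow-list in RestrictedUnpickler are all assumptions made for the example.

```python
"""Generic illustration of the insecure-deserialization class, added here.
This is not SharePoint code and not CVE-2026-45659 (that bug lives in .NET);
Python's pickle shows the same pattern in miniature. Every name below is an
assumption made for the example."""
import io
import pickle

# Constructed observable side effect, so a test can see whether the gadget ran.
EXECUTED = []


def gadget_side_effect(marker):
    """Stand-in for an attacker-chosen callable (think Process.Start in .NET)."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Attacker-controlled type. pickle calls the callable named by __reduce__
    at load time, before the application ever sees the 'object'."""

    def __reduce__(self):
        return (gadget_side_effect, ("gadget ran during deserialization",))


class SiteSetting:
    """The benign type the server actually expects to receive."""

    def __init__(self, name, value):
        self.name = name
        self.value = value


def build_malicious_payload():
    """Constructed payload a low-privilege user could submit where a serialized
    SiteSetting is expected. Nothing runs at dumps() time; __reduce__ only
    records *what* to call."""
    return pickle.dumps(Gadget())


def build_benign_payload():
    return pickle.dumps(SiteSetting("theme", "dark"))


def vulnerable_load(blob):
    """Before: trusts whatever type name the blob encodes. Loading the malicious
    payload executes gadget_side_effect and returns its result."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """After: resolve only an explicit allow-list of (module, class) pairs.
    The gadget's callable is never resolved, so it never runs."""

    ALLOWED = {(SiteSetting.__module__, "SiteSetting")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def hardened_load(blob):
    """Return the deserialized object, or None when the blob names a type outside
    the allow-list (a real server should log and reject the request there)."""
    try:
        return RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(build_malicious_payload()))
    print("hardened (malicious):", hardened_load(build_malicious_payload()))
    print("hardened (benign):", vars(hardened_load(build_benign_payload())))
    print("side effects observed:", EXECUTED)
```

The design point carries over to any serializer: the fix is not to sanitize the bytes but to refuse to resolve type names the application did not expect, which is why .NET guidance for BinaryFormatter-style APIs likewise centres on type binders and allow-lists rather than input filtering.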
The contradiction between Microsoft's "Less Likely" assessment and CISA's KEV listing is not, on its face, evidence that Microsoft misjudged the bug. Microsoft's Exploitability Index reflects a model of how a flaw is likely to be used based on disclosed technical details. CISA's KEV catalog reflects observed exploitation telemetry the agency has collected or verified. The two can diverge legitimately when attackers find ways to weaponize a flaw that the vendor's initial analysis did not anticipate.
What the divergence does mean is operational. For federal civilian agencies, a KEV addition is a binding patching signal with a short window and real consequences for non-compliance. For private-sector defenders, KEV listings function as one of the most widely watched patch-now queues in the industry. Security operations teams use them to triage patch cycles, vendor communications, and vulnerability management service-level agreements. A bug can sit on a vendor advisory with a moderate exploitation-likelihood rating for months without triggering mass remediation; the same bug, once it lands on KEV, often jumps the queue.
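The patch-now queue in practice, as an added example that is not CISA tooling or anything from the page: the code parses a catalog in the KEV feed's JSON shape, keeps only entries matching an inventory of products the defender actually runs, and computes days left against each entry's dueDate, which is the BOD clock the paragraph describes. The feed URL in the docstring is CISA's real one and the field names match the real feed; the three records, the inventory and the status labels are constructed for the example (the two CVE-0000-* identifiers are placeholders, not real CVEs, and the text for CVE-2026-45659 is paraphrased from this page rather than copied from the catalog).

```python
"""Added example of KEV-driven triage. Not CISA code. The feed's real URL is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and its field names are used as-is; the three records, the inventory and the
status labels below are constructed for the example."""
import json
from datetime import date

# Constructed catalog in the feed's JSON shape. The CVE-2026-45659 text is
# paraphrased from the article; the CVE-0000-* entries are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.07.02",
    "dateReleased": "2026-07-02T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-45659",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2026-07-02",
            "shortDescription": "On-premises SharePoint Server deserialization flaw reachable by an authenticated user with Site Member permissions (paraphrased).",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-07-04",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-0001",  # placeholder identifier
            "vendorProject": "ExampleVendor",
            "product": "ExampleGateway",
            "vulnerabilityName": "ExampleGateway Command Injection Vulnerability",
            "dateAdded": "2026-06-10",
            "shortDescription": "Placeholder record.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-07-01",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-0002",  # placeholder; product not in inventory
            "vendorProject": "ExampleVendor",
            "product": "ExampleRouter",
            "vulnerabilityName": "ExampleRouter Authentication Bypass Vulnerability",
            "dateAdded": "2026-06-29",
            "shortDescription": "Placeholder record.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-07-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Assumed asset inventory: (vendorProject, substring of product) pairs we run.
INVENTORY = [("Microsoft", "SharePoint"), ("ExampleVendor", "ExampleGateway")]


def parse_kev(text):
    """Records sit under the top-level 'vulnerabilities' key in the real feed too."""
    return json.loads(text)["vulnerabilities"]


def in_inventory(entry, inventory):
    return any(
        entry["vendorProject"].lower() == vendor.lower()
        and product.lower() in entry["product"].lower()
        for vendor, product in inventory
    )


def triage(entries, inventory, today_iso):
    """Return inventory-matching KEV entries with days left to the BOD dueDate,
    earliest deadline first. The clock is CISA's dueDate, not a vendor
    exploitability rating: a KEV row is due whatever label the advisory carries."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in entries:
        if not in_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left == 0:
            status = "DUE_TODAY"
        else:
            status = "OPEN"
        rows.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "status": status,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return sorted(rows, key=lambda r: r["dueDate"])


if __name__ == "__main__":
    for row in triage(parse_kev(SAMPLE_KEV_JSON), INVENTORY, "2026-07-03"):
        print(f'{row["status"]:<9} {row["cveID"]:<15} due {row["dueDate"]} '
              f'({row["daysLeft"]:+d} d) {row["product"]}')
```

Against the real feed, fetch the URL and hand its body to parse_kev; the rows that survive the inventory filter are the queue the paragraph describes, and sorting on dueDate rather than dateAdded is what makes a two-day deadline like this one surface ahead of older entries with longer windows.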
CISA's published framing for CVE-2026-45659 reads as a generic KEV justification: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." The agency has not, as of the KEV addition, disclosed attribution, victim count, or the exploitation campaign's scale. The most defensible read for enterprise defenders is that CISA's evidence threshold has been met, not that a named actor or known-size campaign is underway.
Two things to watch. First, whether Microsoft revises its exploitability assessment in light of CISA's KEV evidence; the company's index is not static, and once exploitation is public it tends to move toward observed reality, typically to "Exploitation Detected". Second, whether the BOD 26-04 deadline holds or is extended; BOD deadlines are firm by design, but federal agencies operating complex on-prem SharePoint estates sometimes seek extensions through CISA's standard process. The first would signal how the vendor now rates the bug; the second, how firmly the regulator expects it handled.
The broader pattern is what enterprise defenders should take away. A vendor's "Less Likely" rating is a snapshot of one organization's modeling judgment at one moment. A KEV listing is a regulatory confirmation grounded in observed exploitation. When the two diverge, the patching clock runs on the government's evidence, not the vendor's.