Cyber One Solutions logo.
Get Support

HIPAA Security Rule

A CISA-Confirmed SharePoint Exploit Is a Preview of Your Next HIPAA Risk Analysis Finding

July 6, 2026 · Cyber One Solutions

CISA added an actively exploited SharePoint Server flaw to its Known Exploited Vulnerabilities catalog on July 1, 2026. For HIPAA-covered and FTC Safeguards-covered businesses, the real story is what unpatched, internet-facing software says about your documented vulnerability management program.

On July 1, 2026, CISA added CVE-2026-45659, a remote code execution flaw in on-premises Microsoft SharePoint Server, to its Known Exploited Vulnerabilities (KEV) catalog. According to reporting from The Hacker News and BleepingComputer, the vulnerability carries a CVSS score of 8.8, requires only authenticated site-member access rather than administrative rights, and is confirmed under active exploitation in the wild. Microsoft shipped a fix in May 2026, and CISA's Binding Operational Directive 26-04 gave federal civilian agencies a three-day window, until July 4, to apply it.

Why This Matters for HIPAA and FTC Safeguards Businesses

On-premises SharePoint Server, not the cloud-hosted SharePoint Online, is still common in regional healthcare practices, insurance agencies, law firms, and financial-services back offices across our service area. If your business runs SharePoint Server for internal document sharing, client portals, or referral workflows, this vulnerability was sitting in your environment for weeks before CISA confirmed exploitation.

That gap between "patch available" and "patch applied" is precisely what regulators penalize. The HHS Office for Civil Rights has repeatedly cited the same root cause in HIPAA Security Rule enforcement actions: a failure to conduct an accurate and thorough risk analysis that identifies known vulnerabilities in systems handling protected health information, followed by a failure to remediate them on a documented timeline. The FTC Safeguards Rule imposes a parallel obligation on nonbanking financial institutions, mortgage brokers, auto dealers, and other covered entities: a written information security program that includes vulnerability management and timely patching of internet-facing systems.

An actively exploited, CISA-cataloged vulnerability is not a theoretical risk an auditor might ask about someday. It is the exact kind of documented, dated event that a HIPAA risk analysis or an FTC Safeguards annual report is supposed to capture, evaluate, and close out.

What This Means for Your Obligations

Start with an honest inventory. Confirm whether any server in your environment runs SharePoint Server (Subscription Edition, 2019, or Enterprise Server 2016) rather than SharePoint Online, and confirm which of those instances are internet-facing or reachable from a VPN. Most SMB environments have never fully documented this, and the CISA KEV catalog is a moving list that only matters if you know what is actually running.

Patch by exploitation status, not by a quarterly calendar. A general patch-management cadence that treats every update as equally urgent will always fall behind an actively exploited, internet-facing flaw. The CISA KEV catalog exists specifically to separate "important eventually" from "exploited now," and your patch process should treat it as a priority list, not background reading.

Document the finding and the remediation. HIPAA's risk analysis requirement and the FTC Safeguards Rule's written information security program both expect evidence, not memory. When a KEV entry applies to your environment, record when you identified it, when you applied the fix, and who verified it. That record is what turns a routine patch into demonstrated compliance.

Extend the same question to your vendors. If a third party hosts or manages your SharePoint environment, your risk analysis and your Safeguards program still need an answer for how that vendor handles known vulnerabilities in the systems touching your data, not just your own servers. HIPAA's business associate agreements and the FTC Safeguards Rule's oversight of service providers both assume you are asking, so confirm the answer rather than assuming it.

Loop in your managed IT or compliance partner immediately if you are unsure whether this affects you. Confirming exposure across every server, every internet-facing service, and every vendor-managed system takes real inventory work, and it is far better to confirm this in a controlled review than to discover it during a breach investigation or a cyber-insurance claim.

The Bottom Line

A single actively exploited vulnerability will not make or break your compliance posture on its own. What matters is whether your organization has a documented, working process for finding vulnerabilities like this one and closing them before an attacker does. If your last formal risk analysis or Safeguards review cannot answer that question with evidence, that is the gap worth fixing now, not after an incident. Cyber One Solutions helps HIPAA-covered and FTC Safeguards-covered businesses build and document that process through our HIPAA Security Rule compliance and compliance management services, backed by managed vulnerability and patch management that keeps internet-facing systems current before they land in a KEV catalog notice.

Sources