FINANCE & RISK DESK · HONG KONG · WEEKLY

SharePoint 2016/2019 Lose Patches July 14

CISA's three-day patch order on a new SharePoint flaw looks routine, but the vendor's support cliff nine days later turns it into a capex decision that CFOs are not budgeting for.
MH

The clock nobody set

Here's the timeline. CISA, the US Cybersecurity and Infrastructure Security Agency, added a new SharePoint flaw, CVE-2026-45659, to its list of bugs known to be exploited in the wild on July 1. That listing automatically triggers a rule called Binding Operational Directive 26-04, which forces US federal agencies to fix listed bugs by a deadline. Here, the deadline is July 4. Three days. Why the rush? Because of who can use this bug. An attacker needs only the lowest level of file access, no admin rights at all, to run their own code on the server. That earns it a severity score of 8 out of 10: easy to reach, and once you're in, you have a lot of control. Microsoft actually patched this back in May, outside its normal monthly update cycle, because it judged the flaw too urgent to wait for. And yet Microsoft's own advisory rates it 'Exploitation Less Likely.' So why is CISA fast-tracking a bug the vendor itself says probably won't be exploited? There are only two explanations. Either CISA knows about active attacks it hasn't said out loud, or the agency is still flinching from last July, when a hacking chain called 'ToolShell' tore through on-premises SharePoint servers worldwide. Microsoft named the attackers then: Chinese state-linked crews Linen Typhoon and Violet Typhoon, plus a ransomware outfit called Storm-2603. Now it's the second July running with a SharePoint bug on the same watchlist. Linen Typhoon and Violet Typhoon don't need a new plan to try SharePoint again. They just need CISA's three-day clock to slip past July 4.

The bill comes due

Here's the part that turns this from an IT ticket into a finance problem. SharePoint Server 2016 and 2019, the versions companies run on their own servers rather than in Microsoft's cloud, lose all support on July 14. That's just thirteen days after the bug landed on the watchlist. After July 14, Microsoft ships no more patches for those versions. Ever. No matter what security hole turns up in the code next. So any company still running that setup has two choices this quarter: migrate to SharePoint Online, the cloud version Microsoft actually keeps maintaining, or keep running servers that will fail cyber-insurance underwriting and compliance audits (SOC2, HIPAA) the moment an auditor asks how current the patches are. An unpatchable server can't answer that question. That makes this a capital spending decision, not a maintenance chore, and it's due before most finance teams have even opened the file. The timing is almost comic. Deloitte's Q1 2026 CFO Signals survey, its quarterly poll of finance chiefs on what keeps them up at night, found cyber concern has dropped to 37%, down from a top-tier worry all through 2025, while supply-chain disruption climbed to the top external concern at 52%. Worth remembering: Deloitte runs this survey partly to sell CFOs on hiring Deloitte to worry about cyber for them, so a falling cyber number is also a shrinking pitch for its own services. Read plainly, the number means the CFOs least likely to have budgeted for this SharePoint migration are exactly the ones who just told Deloitte they'd stopped worrying about cyber. And in case anyone needed a reminder that the exposure isn't only about which software a company picked: Medtronic disclosed a breach affecting 3.8 million people the same quarter.

Nine days separate the two deadlines: July 4 for the patch, July 14 for the phone going dead on SharePoint 2016 and 2019 support. Whoever signs off on the migration budget has to do it inside that window, not after. Everyone patched ToolShell last year and called it handled. Nobody budgeted for the sequel.

PREVIOUS COLUMNS, FINANCE & RISK DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.