The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently emphasized a significant security flaw affecting Microsoft SharePoint Server by adding it to its Known Exploited Vulnerabilities (KEV) catalog. This comes after evidence surfaced pointing to its active exploitation.
Details of the SharePoint Vulnerability
Identified as CVE-2026-45659, this vulnerability scores an 8.8 on the CVSS scale, highlighting its severity. The flaw is a remote code execution issue caused by the deserialization of untrusted data. Microsoft patched it in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
According to Microsoft’s advisories, the vulnerability can be triggered by any authenticated attacker without needing elevated privileges. A network-based attack can be initiated by an attacker with basic Site Member permissions to execute code remotely on the server.
Current Exploitation and Recommendations
CISA has noted Microsoft’s assessment that the likelihood of exploitation is low. Details on the exploitation methods, the responsible parties, and the objectives behind the activity remain undisclosed. Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the necessary fixes by July 4, 2026, to mitigate this risk.
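Teams that track KEV deadlines usually automate the check rather than reading the catalog by hand. The script below is an added example (not code from the article or from CISA): it reads records in the layout of CISA's known_exploited_vulnerabilities.json feed (keys cveID, vendorProject, product, dueDate, requiredAction) and reports how many days remain before each matching entry's remediation due date. The records are constructed for illustration; the CVE ID and the July 4, 2026 due date for the SharePoint entry come from the article, while the vulnerability name, the second record and the other field values are placeholders.

```python
"""Triage KEV-format records for a product against their remediation due dates.

Added example, not from the article or from CISA. The feed layout follows
CISA's known_exploited_vulnerabilities.json; the records are constructed.
"""
import json
from datetime import date

# Constructed sample in the KEV feed layout. The SharePoint CVE ID and due
# date come from the article; every other value is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed sample in KEV feed layout",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-45659",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "SharePoint Server deserialization of untrusted data (placeholder name)",
            "requiredAction": "Apply mitigations per vendor instructions",
            "dueDate": "2026-07-04",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder entry for an unrelated product
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "requiredAction": "Apply mitigations per vendor instructions",
            "dueDate": "2026-05-01",
        },
    ],
})


def load_kev(text):
    """Parse the feed text and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def matches_product(entry, needle):
    """Case-insensitive substring match over the vendor and product fields."""
    haystack = f"{entry.get('vendorProject', '')} {entry.get('product', '')}".lower()
    return needle.lower() in haystack


def days_until_due(entry, today_iso):
    """Days from today_iso (YYYY-MM-DD) to dueDate; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def triage(text, product, today_iso):
    """Return matching entries as {cveID, dueDate, days_remaining, overdue}, most urgent first."""
    report = []
    for entry in load_kev(text):
        if not matches_product(entry, product):
            continue
        remaining = days_until_due(entry, today_iso)
        report.append({
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "days_remaining": remaining,
            "overdue": remaining < 0,
        })
    return sorted(report, key=lambda r: r["days_remaining"])


if __name__ == "__main__":
    # Run against the constructed sample as of an arbitrary date.
    for row in triage(SAMPLE_KEV_JSON, "SharePoint", "2026-06-20"):
        state = "OVERDUE" if row["overdue"] else f"{row['days_remaining']} day(s) left"
        print(f"{row['cveID']} due {row['dueDate']}: {state}")
```

Swapping SAMPLE_KEV_JSON for the text of the live feed and passing the current date gives a per-product deadline list; an empty product string matches every record, which is useful for a whole-catalog overdue report.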
Parallel Threat Activities Detected by Microsoft
In a related investigation, Microsoft discovered two separate threat actors operating within the same network. The finding arose during a routine ransomware investigation, which revealed that these actors used sophisticated methods to maintain access and complicate response efforts.
One group, identified as Storm-2603, is known for using the Warlock ransomware. They have been exploiting known vulnerabilities in on-premises SharePoint servers since mid-2025. Their initial access attempts involved probing for local file inclusion vulnerabilities, potentially through CVE-2025-11371. Post-access, the attackers deployed tools to blend malicious activities with legitimate ones and created multiple remote access channels.
Simultaneously, another unrelated actor was detected using different techniques such as DLL side-loading. This overlap made attribution challenging and highlighted the complexity of cyber threats.
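The probing for local file inclusion described above leaves a recognisable trace in web server logs: request paths or query strings carrying a traversal sequence, often URL-encoded once or twice. The script below is an added example (not code from the article or from Microsoft) that parses an IIS W3C log by its "#Fields:" header, decodes each URI stem and query a bounded number of times, and reports per-client counts of traversal requests, separating out those the server answered with a 2xx status. The log lines, paths and client addresses are constructed for illustration.

```python
"""Flag directory-traversal / local-file-inclusion probes in IIS W3C logs.

Added example, not from the article or from Microsoft. The log excerpt is
constructed; the endpoint names and client addresses are illustrative.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (field list trimmed for readability).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-06-01 10:00:01 GET /_layouts/15/start.aspx - 10.0.0.5 200
2026-06-01 10:00:07 GET /files/download.ashx path=..%2f..%2fwindows%2fwin.ini 203.0.113.9 404
2026-06-01 10:00:08 GET /files/download.ashx path=%252e%252e%252f%252e%252e%252fweb.config 203.0.113.9 200
2026-06-01 10:00:12 GET /sites/team/default.aspx - 10.0.0.6 200
2026-06-01 10:00:15 GET /sites/team/Shared%20Documents/report..docx - 10.0.0.6 200
"""

# A ".." path segment: two dots followed by a separator or the end of the value.
TRAVERSAL = re.compile(r"\.\.(?:/|$)")


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment (slash or backslash separated)."""
    normalized = decode_fully(value).replace("\\", "/")
    return TRAVERSAL.search(normalized) is not None


def detect_lfi_probes(text):
    """Return {client_ip: {"attempts": n, "succeeded": n}} for traversal requests.

    "succeeded" counts traversal requests answered with a 2xx status; those
    deserve the first look because the server returned content rather than 404.
    """
    findings = defaultdict(lambda: {"attempts": 0, "succeeded": 0})
    for row in parse_iis_log(text):
        if is_traversal(row["cs-uri-stem"]) or is_traversal(row["cs-uri-query"]):
            entry = findings[row["c-ip"]]
            entry["attempts"] += 1
            if row["sc-status"].startswith("2"):
                entry["succeeded"] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, counts in detect_lfi_probes(SAMPLE_LOG).items():
        print(f"{ip}: {counts['attempts']} traversal request(s), {counts['succeeded']} answered 2xx")
```

The bounded re-decoding matters: the second constructed request hides its traversal behind double encoding (%252e is %2e, which is a dot), and a single decode pass would miss it. The file name report..docx in the last line shows why the pattern requires a separator after the two dots; without it, ordinary names produce false positives.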
Conclusion and Future Outlook
The overlapping threat activities have shown how a single incident can evolve into a multi-faceted threat involving various actors and tactics. This underscores the importance for cybersecurity teams to look beyond isolated signals and consider the broader context of security incidents.
