Critical Vulnerability in SharePoint Leads to CISA Alert Following Active Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has identified a critical vulnerability in Microsoft SharePoint Server that is currently being actively exploited. This flaw, known as CVE-2026-45659 with a CVSS score of 8.8, allows for remote code execution due to the deserialization of untrusted data. Microsoft addressed this issue in May 2026 for various versions of SharePoint Server.

According to Microsoft, the vulnerability can be exploited by any authenticated attacker without elevated privileges: an account with only minimal permissions on the SharePoint Server is enough to execute code remotely on it.

CISA has warned that this vulnerability poses a risk of unauthorized code execution over a network. Microsoft had rated the flaw “Exploitation Less Likely”, yet it is now being exploited in the wild; the exact nature and purpose of that exploitation remain unknown.

In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are urged to apply the necessary patches by July 4, 2026.

Discovery of Multiple Threat Actors by Microsoft

Recent investigations by Microsoft have uncovered two distinct threat actors operating simultaneously within the same network, employing sophisticated techniques to maintain access and hinder incident response efforts.

One of the attacker clusters, known as Storm-2603, is responsible for deploying the Warlock ransomware through vulnerabilities in on-premises SharePoint servers since mid-2025. The initial access in this case is believed to have been attempted through the exploitation of CVE-2025-11371, a critical flaw affecting Gladinet Triofox.

After gaining initial access, the threat actor deployed tools like Velociraptor and established multiple remote access channels to maintain persistence in the compromised network. The attacker also escalated privileges and utilized a vulnerable driver to evade endpoint security measures.


In a separate discovery, Microsoft found evidence of a second threat actor using DLL side-loading and custom backdoors within the same environment. This overlapping activity complicated attribution and allowed the attackers to move laterally into a second organization.

The incident underscores the complexity of modern ransomware attacks, where multiple threat actors may operate in parallel within the same network. Security teams are advised to consider the interconnected nature of such attacks and look beyond isolated signals to understand the full scope of the intrusion.
