CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.
The US Department of Homeland Security has confirmed a breach of the Homeland Security Information Network, an unclassified but sensitive platform that federal, state, local, and private-sector partners use to share threat information and coordinate operations. The intrusion is believed to have happened between late May and early June, and according to reporting, the attackers targeted HSIN servers and an associated SharePoint collaboration system. DHS says it isolated the affected systems, that classified networks were not touched, and that the platform remains operational, but it has not attributed the attack or confirmed whether documents were stolen. Even without confirmed theft, compromising this coordination hub is operationally significant.
Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation but rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as priority despite the lower-likelihood rating.
The Pwn2Own Berlin 2026 contest wrapped up Saturday at OffensiveCon, paying out $1,298,250 for 47 unique zero-days across three days. Taiwan's DEVCORE took the Master of Pwn title with 50.5 points and $505,000 in winnings. The headline Day 3 result came from DEVCORE researcher splitline, who chained two bugs into a successful exploit of Microsoft SharePoint, earning $100,000 and 10 points. SharePoint had survived a failed Rapid7 attempt on Day 2, making this a notable late-contest catch. Day 3 also saw attempts against VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. All disclosed bugs now enter ZDI's 90-day disclosure window.
Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.
Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.