Last updated: July 5, 2026 at 9:01 AM UTC
Tag: sharepoint (6 articles)

SharePoint remote code execution flaw added to CISA KEV after active exploitation

CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.

Check
Confirm the May 2026 SharePoint updates are applied to all on-premises servers, restrict internet exposure, and hunt for web shells, unexpected scheduled tasks, and unauthorized file changes on internet-facing SharePoint.
Affected
On-premises SharePoint Server Subscription Edition, 2019, and Enterprise 2016 missing the May 2026 patch (CVE-2026-45659); any authenticated user with Site Member permissions can run code remotely on the server.
Fix
Apply Microsoft's May 2026 SharePoint updates now, limit SharePoint to trusted networks or a VPN, tighten privileged access, and run a compromise assessment on internet-facing servers given confirmed exploitation.

DHS confirms breach of unclassified Homeland Security information-sharing network

The US Department of Homeland Security has confirmed a breach of the Homeland Security Information Network, an unclassified but sensitive platform that federal, state, local, and private-sector partners use to share threat information and coordinate operations. The intrusion is believed to have happened between late May and early June, and according to reporting, the attackers targeted HSIN servers and an associated SharePoint collaboration system. DHS says it isolated the affected systems, that classified networks were not touched, and that the platform remains operational, but it has not attributed the attack or confirmed whether documents were stolen. Even without confirmed theft, compromising this coordination hub is operationally significant.

Check
Organizations that connect to or share data through HSIN should watch for follow-on phishing or misuse of any exposed coordination data, and confirm the security of their own SharePoint collaboration systems.
Affected
Federal, state, local, and private-sector partners who use HSIN to share sensitive information; the breach hit HSIN servers and a linked SharePoint system, though data theft is not confirmed.
Fix
Patch and harden SharePoint and other collaboration platforms, segment sensitive information-sharing systems, enforce phishing-resistant MFA, and monitor for unusual access, given attackers are actively targeting SharePoint and coordination hubs.

Microsoft issues out-of-band SharePoint RCE patch CVE-2026-45659 for Subscription Edition, 2019, and 2016 servers

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation and rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as a priority despite the lower-likelihood rating.

Check
Inventory SharePoint deployments by edition (Subscription, 2019, 2016) and confirm patch level. Check IIS logs for unusual deserialization activity since the patch shipped.
Affected
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 prior to the May 26 out-of-band updates.
Fix
Apply Microsoft's out-of-band CVE-2026-45659 patches across all SharePoint versions. Rotate machine keys after patching - prior SharePoint key-theft incidents enabled persistent post-patch access.

Pwn2Own Berlin Day 3: DEVCORE wins Master of Pwn ($505K), SharePoint falls in 2-bug chain, $1.298M total

The Pwn2Own Berlin 2026 contest wrapped up Saturday at OffensiveCon, paying out $1,298,250 for 47 unique zero-days across three days. Taiwan's DEVCORE took the Master of Pwn title with 50.5 points and $505,000 in winnings. The headline Day 3 result came from DEVCORE researcher splitline, who chained two bugs into a successful exploit of Microsoft SharePoint, earning $100,000 and 10 points. SharePoint had survived a failed Rapid7 attempt on Day 2, making this a notable late-contest catch. Day 3 also saw attempts against VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. All disclosed bugs now enter ZDI's 90-day disclosure window.

Check
Subscribe to the ZDI advisory feed at zerodayinitiative.com/advisories. Identify SharePoint, VMware ESXi, Windows 11, RHEL, and Codex deployments that may need urgent patches over the next 90 days.
Affected
Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex - all targeted at Pwn2Own Berlin 2026 (47 unique zero-days disclosed May 14-16).
Fix
Apply vendor patches the moment ZDI advisories ship and fixes land. Prioritize internet-facing SharePoint and ESXi instances. Until then, restrict access to management interfaces.

New extortion group 'BlackFile' running seven-figure ransom campaigns against retail and hospitality via vishing-driven SSO compromise and Salesforce/SharePoint scraping

Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.

Check
Brief IT helpdesk staff this week on the BlackFile vishing pattern and run a tabletop on a help-desk-driven SSO compromise of one named individual.
Affected
Retail and hospitality are named target sectors but the playbook is industry-agnostic. Acute risk: any organization where helpdesk staff can re-enroll MFA devices over the phone without out-of-band caller verification, and SaaS environments where users can perform bulk Salesforce report exports, SharePoint downloads, or Microsoft Graph queries without secondary controls.
Fix
Require manager confirmation on a separate channel for any MFA or password reset on high-privilege accounts. Disable phone-based helpdesk MFA reset for accounts with bulk-data access. In Okta and Entra, alert on new device registrations from unseen locations. In Salesforce, scope bulk export rights via Permission Set Groups and alert on Bulk API usage outside business hours.

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix shipped in April's Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. Because SharePoint tends to hold cached Office 365 tokens, SharePoint-signed refresh tokens, and intellectual property on sensitive business processes, any compromise is a serious lateral-movement foothold, not a minor information disclosure.

Check
Inventory every on-premises SharePoint instance in your environment (including dev and staging that may be exposed to the internet) and verify that the April 2026 Patch Tuesday update for CVE-2026-32201 is installed.
Affected
SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.
Fix
Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.