The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity remote code execution vulnerability, CVE-2026-45659 (CVSS 8.8), affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, a deserialization of untrusted data issue, was patched by Microsoft in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. An authenticated attacker with Site Member permissions can exploit it remotely without admin privileges. CISA mandates Federal Civilian Executive Branch agencies to apply fixes by July 4, 2026.
Additionally, Microsoft uncovered parallel threat activity from two clusters during a ransomware investigation. One cluster, Storm-2603, deploys Warlock ransomware by exploiting vulnerabilities in on-premises SharePoint servers since mid-2025. Initial access was likely via CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox. The attacker used tools like Velociraptor, Cloudflare tunneling, Zoho Assist, SSH via Visual Studio Code, and the vulnerable driver NSecKrnl.sys to tamper with endpoint security. A second, unrelated threat actor co-existed in the same environment using DLL side-loading and custom backdoors, complicating attribution. The attackers moved laterally to a second organization, confirming compromise by Storm-2603. Microsoft emphasizes that isolated signals rarely tell the full story in complex intrusions.
CVEs: CVE-2026-45659, CVE-2025-11371, CVE-2026-20245
Attack groups: Storm-2603
Malware: Warlock ransomware
Companies: Microsoft, Cloudflare, Zoho, Gladinet
Products: SharePoint Server, Velociraptor, Visual Studio Code, NSecKrnl.sys, Gladinet Triofox
Original source: thehackernews.com