Cybersecurity

CISA adds microsoft sharepoint server vulnerability to exploited list as parallel ransomware attacks emerge

CISA flags CVE-2026-45659 under active exploitation, urging federal agencies to patch by July 4, 2026. Microsoft details parallel Storm-2603 and unknown actor activity using sharepoint vulnerabilities and tunneling tools.

Emmanuel Fabrice Omgbwa Yasse

2026-07-02 · 3 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw in Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that it's being actively exploited in the wild.

The vulnerability, tracked as CVE-2026-45659 and carrying a CVSS score of 8.8, is a remote code execution bug rooted in the deserialization of untrusted data. Microsoft patched the issue in May 2026 across SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

The company noted that any authenticated attacker, not just those with admin or elevated privileges, could pull the trigger. In a network-based attack, an authenticated user with at least Site Member permissions (PR:L) could exploit it to run code remotely on the SharePoint Server.

"Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network," CISA said.

According to Microsoft's advisory, the flaw carries an "Exploitation Less Likely" assessment. It's still unclear how attackers are exploiting it, who's behind the activity, or what their ultimate aim is.

Given the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until July 4, 2026, to apply the fixes.

Microsoft uncovers parallel threat activity from two clusters

Late last month, Microsoft revealed that a routine ransomware investigation had turned up something unusual: two unrelated attackers operating simultaneously within the same network, each using deliberate techniques to secure persistent access and complicate incident response.

One set of attacks has been pinned on Storm-2603, a threat actor known for deploying Warlock ransomware, often by exploiting known vulnerabilities in on-premises SharePoint servers, a tactic in use since mid-2025.

"In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion," Microsoft said. Evidence points to CVE-2025-11371 (CVSS score: 9.1), a critical flaw in Gladinet Triofox.

Once inside, the threat actor deployed tools like Velociraptor to blend malicious activity with trusted administrative behavior, and set up multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured via Visual Studio Code.

The attack also escalated privileges by creating new local and domain administrator accounts, while a vulnerable driver ("NSecKrnl.sys") served as a conduit to tamper with endpoint security protections and reduce visibility.

At the same time, Microsoft said it found signs of a second, unrelated threat actor co-existing in the same environment, using DLL side-loading and custom backdoors, making attribution far more difficult.

Further digging revealed that the attackers had moved laterally from the first network into a second organization, confirming that the second victim had also been hit by the same ransomware activity attributed to Storm-2603.

"Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion," the Microsoft Incident Response team said. "The blend of known ransomware tactics and hidden techniques allowed the threat actors to establish deep and lasting access."

"What may appear to be a single ransomware incident can quickly expand into something more complex-spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel. For security teams, the implication is clear: isolated signals rarely tell the full story."