CISA Sounds the Alarm: Actively Exploited Microsoft SharePoint and Fortinet Flaws Demand Immediate Action + Video

Listen to this Post

Featured ImageIntroduction: A New Wave of Critical Cyber Threats

Cybersecurity teams across the world are once again facing an urgent challenge. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding several high-risk vulnerabilities affecting Microsoft SharePoint and Fortinet FortiSandbox. The decision was not made lightly. These flaws are already being exploited in real-world attacks, making them immediate priorities for government agencies, enterprises, and private organizations alike.

The latest update follows

For security professionals, this is another reminder that patch management is no longer a routine maintenance task. It has become a race against cybercriminals who rapidly weaponize newly disclosed vulnerabilities.

CISA Expands the Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency officially added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation.

The KEV catalog serves as one of the most trusted warning systems in the cybersecurity industry. Once a vulnerability appears in this list, organizations should assume attackers are actively searching for vulnerable systems.

This

Microsoft SharePoint Server

Fortinet FortiSandbox

The inclusion means these vulnerabilities have moved beyond theoretical risks. They are now active attack vectors being used against organizations.

Microsoft SharePoint Remote Code Execution Becomes an Immediate Threat

One of the most serious vulnerabilities added to the catalog is CVE-2026-58644, a remote code execution (RCE) flaw affecting Microsoft SharePoint Server.

Microsoft fixed the issue during its July 2026 Patch Tuesday release, but the company also confirmed that attackers are already exploiting the vulnerability in the wild.

The flaw originates from insecure deserialization of untrusted data.

Improper handling of serialized objects allows attackers to manipulate application behavior and potentially execute malicious code on vulnerable servers.

Although exploitation requires Site Owner privileges inside SharePoint, obtaining those privileges through phishing, stolen credentials, or insider compromise is not uncommon for sophisticated attackers.

Once attackers gain sufficient permissions, they can remotely execute arbitrary code on SharePoint servers, potentially leading to complete server compromise.

Why Deserialization Vulnerabilities Are So Dangerous

Deserialization vulnerabilities have remained one of the most dangerous classes of software weaknesses for years.

Applications frequently serialize data for storage or communication between systems. If applications blindly trust incoming serialized objects, attackers can craft malicious payloads that force the application to execute unintended commands.

Unlike simple input validation flaws, deserialization attacks often bypass traditional security controls because they abuse trusted application logic.

For enterprise collaboration platforms such as SharePoint, this creates an especially dangerous situation since these servers often contain sensitive corporate documents, internal communications, authentication systems, and business workflows.

Fortinet FortiSandbox Faces Two Critical Command Injection Vulnerabilities

CISA also added two severe Fortinet vulnerabilities to the KEV Catalog.

The first vulnerability, CVE-2026-25089, allows remote attackers to execute arbitrary operating system commands through specially crafted HTTP requests.

Even more concerning, exploitation does not require authentication.

The vulnerability was discovered by Adham El Karn from Fortinet’s Product Security Team.

Because no valid login credentials are needed, internet-facing FortiSandbox appliances become attractive targets for automated scanning and mass exploitation.

Second FortiSandbox Flaw Also Under Active Exploitation

Another vulnerability, CVE-2026-39808, affects Fortinet FortiSandbox through improper neutralization of operating system command elements.

This classic OS command injection vulnerability enables attackers to execute unauthorized commands by sending carefully crafted HTTP requests.

Security researchers at Defused Cyber reported observing active exploitation within only 24 hours of public disclosure.

That rapid timeline demonstrates how quickly attackers integrate newly disclosed vulnerabilities into automated attack frameworks.

Organizations delaying updates even by a single day may expose themselves to serious compromise.

How OS Command Injection Works

Operating system command injection remains one of the oldest yet most dangerous software vulnerabilities.

Applications sometimes pass user-controlled input directly into operating system commands without sufficient validation.

If attackers successfully inject additional commands, they effectively gain the application’s operating system privileges.

This may allow attackers to:

Install malware

Create administrator accounts

Download ransomware

Disable security software

Steal confidential information

Establish long-term persistence

Because FortiSandbox often analyzes suspicious files and malware samples, compromising these systems could provide attackers with valuable intelligence regarding an organization’s security operations.

Microsoft’s July 2026 Patch Tuesday Continues to Reveal Major Security Challenges

The SharePoint vulnerability arrives during one of

The July 2026 security updates addressed hundreds of vulnerabilities across Windows, Microsoft Office, SharePoint, Azure components, and numerous enterprise services.

Security professionals have repeatedly emphasized that attackers closely monitor Patch Tuesday releases.

Once patches become public, reverse engineering frequently reveals exactly what vulnerability was fixed, allowing criminals to create exploits targeting organizations that delay updates.

This shortens the window between disclosure and active attacks dramatically.

Federal Agencies Ordered to Patch Immediately

Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies must remediate every vulnerability listed in the KEV Catalog before the required deadline.

For these newly added vulnerabilities, CISA established July 19, 2026 as the mandatory remediation deadline.

Failure to comply places federal systems at increased risk of compromise and could expose critical government infrastructure to attackers.

Although the directive directly applies only to federal agencies, cybersecurity experts strongly encourage private organizations to follow the same timeline whenever feasible.

Private Organizations Should Not Ignore the KEV Catalog

Many businesses mistakenly believe CISA guidance only applies to government organizations.

In reality, the KEV Catalog has become one of the industry’s most valuable resources for vulnerability prioritization.

Organizations often struggle with thousands of outstanding security patches.

The KEV list helps security teams focus on vulnerabilities already confirmed to be exploited by real attackers.

Instead of attempting to patch everything simultaneously, defenders can prioritize vulnerabilities presenting the highest immediate risk.

This significantly improves vulnerability management efficiency while reducing overall exposure.

Deep Analysis

Technical Breakdown of the SharePoint Exploit

The SharePoint vulnerability centers around insecure object deserialization. Attackers who obtain sufficient SharePoint permissions can abuse serialized objects to trigger remote code execution on the underlying Windows server.

Security teams should inspect SharePoint logs for unusual object processing events, suspicious administrative activities, unexpected PowerShell execution, and abnormal IIS requests.

Useful investigation commands include:

Get-HotFix

Get-WinEvent -LogName Security -MaxEvents 100

Get-Process
Get-Service
Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse

net user

whoami /all

Investigating FortiSandbox Appliances

Administrators should immediately determine whether FortiSandbox appliances are internet-facing and verify firmware versions.

Useful commands include:

show system status

diagnose hardware sysinfo

execute backup config

get system performance status

Review appliance logs for:

Unexpected HTTP POST requests

Unknown administrator sessions

New scheduled tasks

Suspicious shell execution

Configuration modifications

Organizations should also isolate compromised appliances before performing forensic analysis.

General Incident Response Recommendations

Security teams should immediately perform several defensive actions:

Patch affected systems

Review administrator accounts

Reset privileged credentials

Enable multi-factor authentication

Audit SharePoint permissions

Review firewall exposure

Monitor outbound traffic

Deploy Endpoint Detection and Response (EDR)

These proactive measures significantly reduce the chances of successful follow-up attacks after initial exploitation attempts.

What Undercode Say

The newest KEV additions illustrate a pattern that has become increasingly common over the last several years. Enterprise collaboration platforms and security appliances have become primary targets because compromising them provides attackers with immediate access to valuable infrastructure. SharePoint hosts sensitive corporate information, while FortiSandbox often sits in privileged security environments analyzing malware and network threats. Successfully compromising either platform can provide an attacker with an advantageous position inside an organization’s network.

Another important observation is the shrinking time between vulnerability disclosure and exploitation. Defused Cyber reported active exploitation of one Fortinet vulnerability within just 24 hours. This demonstrates that cybercriminal groups now maintain highly automated exploitation pipelines capable of integrating newly disclosed vulnerabilities almost immediately. Organizations that rely on monthly maintenance cycles are increasingly falling behind this accelerated threat landscape.

The SharePoint vulnerability also reinforces the persistent dangers of insecure deserialization. Despite years of security awareness, this weakness continues to appear in enterprise software because serialization mechanisms remain deeply embedded within application architectures. Fixing these issues often requires substantial code redesign rather than simple input validation.

Fortinet’s command injection flaws highlight another recurring trend: network security appliances themselves have become high-value attack targets. Firewalls, sandboxes, VPN gateways, and remote management platforms frequently operate with elevated privileges, making them attractive objectives for both ransomware operators and state-sponsored groups.

The KEV Catalog should no longer be viewed merely as a compliance checklist. Instead, it functions as an intelligence-driven priority list reflecting real attacker behavior. Organizations that continuously monitor KEV updates gain a significant defensive advantage by patching vulnerabilities that are actively being exploited instead of relying solely on severity scores.

Security leaders should also recognize that vulnerability management extends beyond patch deployment. Effective defense requires continuous asset discovery, exposure management, privileged access control, endpoint monitoring, and rapid incident response. Many successful breaches occur not because a patch was unavailable, but because organizations lacked visibility into affected systems or delayed deployment due to operational concerns.

Finally, these incidents emphasize the importance of layered security. Even if attackers exploit an application vulnerability, strong segmentation, least-privilege access, multifactor authentication, behavioral monitoring, and endpoint detection can significantly limit the damage. Cybersecurity is increasingly about reducing the attacker’s ability to move laterally after initial compromise, rather than relying on a single protective measure.

Prediction

(+1) Cybersecurity maturity is expected to improve as organizations increasingly automate vulnerability management, adopt continuous exposure monitoring, and integrate threat intelligence such as the KEV Catalog into daily operations. While attackers will continue exploiting newly disclosed flaws, enterprises that prioritize rapid patching, zero-trust architectures, and AI-assisted threat detection will significantly reduce successful compromises over the coming years.

✅ Fact: CISA added Microsoft SharePoint and Fortinet FortiSandbox vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog because they are being actively exploited.

✅ Fact: Microsoft confirmed active exploitation of CVE-2026-58644, while security researchers observed exploitation of the Fortinet vulnerabilities shortly after disclosure, reinforcing the urgency of immediate patching.

✅ Fact: CISA directed U.S. federal agencies to remediate these vulnerabilities by July 19, 2026, and cybersecurity experts broadly recommend that private organizations apply the same urgency to protect their infrastructure.

▶️ Related Video (80% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube