July 6, 2026

SharePoint Exploit Is Active. Patch It Now.

SharePoint Exploit Is Active. Patch It Now.

This One Is Being Actively Exploited Right Now

CISA just added a new Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities catalog. That catalog isn't a theoretical watch list. It means someone, somewhere, is actively using this flaw to break into systems. The CVE in question involves deserialization of untrusted data, which is a category of vulnerability that can give an attacker full control of the affected server.

Full control. Not read access, not a data peek. The whole machine.

If you're running SharePoint Server on-premises, this needs your attention today, not at the next scheduled maintenance window.

Who Actually Needs to Worry

There's an important split here. If your business uses SharePoint through Microsoft 365, meaning the cloud version, Microsoft patches that on their end. You don't manage the underlying server. You're not exposed in the same way.

The risk is with on-premises SharePoint Server installations. These are common in mid-size companies that built out their own file sharing or intranet years ago and never migrated to the cloud. I see this a lot with NJ manufacturers, law firms, and financial services offices that stood up SharePoint 2016 or 2019 and just left it running.

If you're not sure which one you have, that's worth finding out before you do anything else.

What the Deserialization Attack Actually Does

Without getting too deep into it, deserialization vulnerabilities happen when an application processes data it receives from outside without properly verifying it first. An attacker can craft a malicious payload, send it to the server, and the server executes it thinking it's legitimate. On SharePoint, that means code execution on the server itself.

These aren't phishing attacks that need a user to click something. An attacker who can reach your SharePoint server over the network can potentially exploit this without any employee involvement at all. That's what makes it serious.

The Patch Exists. Apply It.

Microsoft has released a security update for this. The fix is available. This isn't a situation where you're waiting on a vendor. You just need to get it deployed.

For on-premises SharePoint, that means logging into your server, checking Windows Update or the Microsoft Update Catalog, and applying the relevant cumulative update for your SharePoint version. SharePoint updates can be a little more involved than a standard Windows patch because they often require running the SharePoint Products Configuration Wizard after installation. Skipping that step is a common mistake that leaves the patch incomplete.

Give yourself an hour, maybe two, and plan for a brief service interruption while the update runs.

Check Whether You Were Already Hit

CISA's guidance on vulnerabilities like this specifically calls out the need to check for compromise before assuming a patch is enough. If the flaw was exploited before you patched it, cleaning up the server without investigating means the attacker may still have a foothold.

Look at your SharePoint server's event logs and IIS logs from the past few weeks. Unusual POST requests to the SharePoint web services endpoints, new accounts created with admin rights, or unexpected scheduled tasks are all things worth checking. If you don't have a SIEM or centralized logging in place, this kind of review is harder, but it's still worth doing manually.

When in doubt, treat it as a potential incident and investigate before moving on.

The Bigger Picture for Small Business IT

Most small businesses don't have someone monitoring CISA's KEV catalog. That's fine, that's not realistic for a 40-person company. But it does mean you need a process that catches these things quickly, whether that's a managed patching service, a weekly check-in with your IT person, or alerts from your RMM tool if you're using one.

Vulnerabilities with active exploitation don't wait. The window between public disclosure and widespread attack attempts is measured in days now, sometimes hours.

If you're running SharePoint Server on-premises and you're not sure when it was last patched, that's the thing to fix this week. If you want help figuring out your exposure or getting the update deployed cleanly, Exine works with NJ businesses on exactly this kind of thing.

Tomasz Sobolewski, founder of Exine LLC
About the author
Tomasz Sobolewski
Founder of Exine LLC. Hands-on IT, cybersecurity and backup for growing New Jersey businesses, with 15+ years in the field. The kind of support that knows your systems and picks up the phone.