SharePoint Is Being Actively Exploited Right Now. Is Yours Patched?

Podcast

Two confirmed threats landed in the intelligence feed this week that are directly relevant to UK small businesses. One involves software you almost certainly use. The other signals a shift in how ransomware attacks are being conducted. Neither is theoretical.

Let’s go through them cleanly.

SharePoint Is Being Actively Exploited. Right Now.

On 1 July 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalogue. That is the list CISA maintains of vulnerabilities confirmed to be exploited in the wild: not hypothetically dangerous, but actually being used against real targets. Every listing also carries a remediation due date, the deadline CISA imposes on US federal agencies, which is a reasonable yardstick for everyone else.

The vulnerability is in Microsoft SharePoint Server. An attacker who already holds at least basic site member permissions can use it to execute arbitrary code on the SharePoint server. The technical mechanism is deserialisation of untrusted data: the server rebuilds objects from data the attacker supplies, and a crafted payload causes code to run during that rebuild, so the malicious code arrives disguised as ordinary application data. Because only site-member access is needed, a single compromised user account with membership of a site is sufficient footing.

Microsoft shipped the fix in its May update cycle but, by their own admission, did not publish the security bulletin until 21 May, after the update was already out. In that window, organisations running SharePoint had no way of knowing the update addressed a specific, exploitable vulnerability, and so no reason to pull it forward ahead of their normal patch schedule.

Microsoft’s own pre-publication assessment was that exploitation was “less likely.” CISA’s KEV listing confirms that assessment was wrong.

Why this matters to a 20-person UK business.

SharePoint is embedded in Microsoft 365. If your business uses Teams, OneDrive, or SharePoint Online, Microsoft handles patching on the cloud-hosted side. That is not the concern here.

The concern is on-premises SharePoint Server deployments, including any managed for you by an MSP. These require manual patching. A common blind spot is the hybrid estate: a business that has moved to Microsoft 365 but kept a legacy on-premises farm for an old intranet or workflow. If your IT provider has not applied the May patch cycle, that server is vulnerable to a flaw that is confirmed to be under active attack.

The question you need answered before the end of today: has CVE-2026-45659 been patched on every SharePoint server in your environment? If your MSP cannot answer that question with certainty, that is information worth having.
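One way to answer that question from the KEV feed itself rather than from a headline, and to keep answering it for everything else you run (this also serves steps 1 and 5 of the action list further down). This is an added example, not code from the episode or from CISA. The field names are the real schema of CISA's published JSON feed; the two catalogue entries embedded here are constructed so the script runs offline, with only the CVE IDs, vendors, products and the 1 July 2026 listing date taken from the episode.

```python
"""Check CVEs and a product inventory against CISA's Known Exploited Vulnerabilities feed.

Added example, not code from the episode or from CISA. The live feed is the JSON file
known_exploited_vulnerabilities.json on cisa.gov and the field names below are its real
schema. The excerpt embedded here is CONSTRUCTED for an offline run: CVE IDs, vendors,
products and the 2026-07-01 SharePoint listing date come from the episode; every other
date, description and ransomware-use flag is a placeholder, not CISA's data.
"""
import json
from datetime import date
from typing import Optional, Union

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.07.01",
    "dateReleased": "2026-07-01T16:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-45659",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2026-07-01",   # listing date given in the episode
            "shortDescription": "Constructed sample entry.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-07-22",     # constructed; CISA usually sets this about three weeks after dateAdded
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": ["CWE-502"],
        },
        {
            "cveID": "CVE-2025-3248",
            "vendorProject": "Langflow",
            "product": "Langflow",
            "vulnerabilityName": "Langflow Missing Authentication Vulnerability",
            "dateAdded": "2025-05-05",   # constructed
            "shortDescription": "Constructed sample entry.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-05-26",     # constructed
            "knownRansomwareCampaignUse": "Known",   # constructed flag for the demo
            "notes": "",
            "cwes": ["CWE-306"],
        },
    ],
})


def load_catalog(raw: str) -> dict:
    """Parse the KEV JSON document (the live feed has the same shape)."""
    return json.loads(raw)


def kev_entry(catalog: dict, cve_id: str) -> Optional[dict]:
    """Return the catalogue entry for cve_id, or None if CISA has not listed it."""
    wanted = cve_id.strip().upper()
    return next((v for v in catalog["vulnerabilities"] if v["cveID"] == wanted), None)


def days_until_due(entry: dict, today: Union[date, str]) -> int:
    """Days left before CISA's remediation deadline; negative means overdue."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (date.fromisoformat(entry["dueDate"]) - today).days


def kev_for_inventory(catalog: dict, inventory: list) -> list:
    """CVE IDs whose vendor/product/name text contains any inventory keyword (case-insensitive).
    Substring matching is deliberate: KEV spells products inconsistently ("SharePoint",
    "SharePoint Server"), so an exact match would miss entries."""
    keywords = [k.lower() for k in inventory]
    hits = set()
    for v in catalog["vulnerabilities"]:
        haystack = f'{v["vendorProject"]} {v["product"]} {v["vulnerabilityName"]}'.lower()
        if any(k in haystack for k in keywords):
            hits.add(v["cveID"])
    return sorted(hits)


def report_line(entry: dict, today: Union[date, str]) -> str:
    """One line you can hand to an MSP: what is listed, since when, and how long is left."""
    left = days_until_due(entry, today)
    deadline = f"{-left} days OVERDUE" if left < 0 else f"{left} days to CISA deadline"
    ransomware = "ransomware use: " + entry["knownRansomwareCampaignUse"].lower()
    return (f'{entry["cveID"]}  {entry["vendorProject"]} {entry["product"]}: '
            f'listed {entry["dateAdded"]}, {deadline}, {ransomware}')


if __name__ == "__main__":
    catalog = load_catalog(KEV_SAMPLE)
    today = date(2026, 7, 2)   # fixed so the output is reproducible
    # The question the episode poses: is this CVE on the list, and how long do we have?
    print(report_line(kev_entry(catalog, "cve-2026-45659"), today))
    # Screen a (constructed) inventory of what a small business and its MSP actually run.
    for cve in kev_for_inventory(catalog, ["SharePoint", "FortiOS", "Langflow"]):
        print(report_line(kev_entry(catalog, cve), today))
```

Swap `KEV_SAMPLE` for the downloaded feed and the inventory list for what your MSP says you run, and the output is the list of vendor updates you should be asking for in writing, with CISA's own deadline against each.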

AI-Automated Ransomware Is No Longer Theoretical

Sysdig’s Threat Research Team published findings this week on an operator they track as JADEPUFFER. Their assessment is that this represents the first documented ransomware attack run from start to finish by an AI agent, without a human operator directing each stage manually.

The attack exploited CVE-2025-3248, a remote code execution vulnerability in Langflow, an open-source tool for building AI applications. In versions before 1.3.0, Langflow’s /api/v1/validate/code endpoint accepted Python code from unauthenticated callers and executed it, so one crafted HTTP request to an exposed instance is enough. It is the kind of software that might be running in a small business’s development environment, or on a cloud instance stood up by a developer who has since left the company.

From initial access through the Langflow vulnerability, the AI agent conducted credential theft, moved laterally through the compromised environment, encrypted data, and wiped the database. Each stage flowed into the next without manual intervention.
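The first stage of that chain leaves a trace that is easy to look for. The following is an added example, not code from the episode, Sysdig or the Langflow project: detection logic over reverse-proxy access logs that flags hits on the code-validation endpoint behind CVE-2025-3248. It assumes Langflow sits behind nginx or Apache writing combined-format logs; the log lines are constructed, with 203.0.113.0/24 and 198.51.100.0/24 documentation addresses standing in for internet sources.

```python
"""Flag hits on Langflow's unauthenticated code-validation endpoint in web access logs.

Added example, not code from the episode, Sysdig or the Langflow project. Assumptions:
Langflow runs behind a reverse proxy writing combined-format access logs, and
CVE-2025-3248 is the pre-1.3.0 bug in which POST /api/v1/validate/code executes
submitted Python without authentication. SAMPLE_LOG is CONSTRUCTED.
"""
import ipaddress
import re
from typing import Optional

SAMPLE_LOG = """\
10.0.0.23 - - [02/Jul/2026:09:02:11 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 340 "http://langflow.internal:7860/flow/4f1c" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
10.0.0.23 - - [02/Jul/2026:09:02:15 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 9120 "http://langflow.internal:7860/flow/4f1c" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
198.51.100.42 - - [02/Jul/2026:03:13:58 +0000] "GET /api/v1/version HTTP/1.1" 200 61 "-" "python-requests/2.32.3"
203.0.113.7 - - [02/Jul/2026:03:14:07 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
10.0.0.40 - - [02/Jul/2026:11:40:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 498 "-" "curl/8.5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VULN_PATH = "/api/v1/validate/code"

# Explicit internal ranges rather than ipaddress.is_private/is_global: Python classes the
# documentation ranges used in the sample (and 0.0.0.0/8, 240.0.0.0/4 ...) as non-global,
# which would hide exactly the external hits this is meant to surface.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip: str) -> bool:
    """True unless the address is RFC 1918, loopback, link-local or IPv6 ULA."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_access_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason to investigate one request, or None if it looks like normal UI use."""
    external = is_external(rec["ip"])
    path = rec["path"].split("?", 1)[0]
    if rec["method"] == "POST" and path == VULN_PATH:
        if external:
            return "code-validation endpoint (CVE-2025-3248) reached from the internet"
        if rec["referer"] == "-":
            # The browser UI sends a same-origin Referer; a bare API client inside the
            # network may be a developer's script, or the lateral-movement stage.
            return "code-validation endpoint hit from an API client, not the UI"
        return None
    if external and path.startswith("/api/v1/"):
        return "Langflow API enumerated from the internet"
    return None


def find_langflow_hits(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue          # unparseable line: keep going, but a real job should count these
        reason = classify(rec)
        if reason:
            findings.append({"ip": rec["ip"], "external": is_external(rec["ip"]),
                             "path": rec["path"], "ua": rec["ua"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_langflow_hits(SAMPLE_LOG):
        where = "EXTERNAL" if f["external"] else "internal"
        print(f'{where:8} {f["ip"]:15} {f["path"]:26} {f["ua"]:22} {f["reason"]}')
```

Internal hits with a UI referer are what the product does in normal use and are deliberately not flagged; an external POST to the endpoint on a pre-1.3.0 instance should be treated as a probable compromise, not a scan, because the request itself is the exploit.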

The practical implication is a change in the economics of ransomware. Human operators are expensive. AI agents are not. The volume of attacks that can be conducted simultaneously increases when the bottleneck of human time is removed.

For a small business, this means the calculus that previously suggested you were too small to be worth a ransomware operator’s time is becoming less reliable. Automated attacks do not make judgements about target size. They scan, find vulnerabilities, and execute.

The FortiBleed Connection: Credential Theft Feeding Ransomware Pipelines

A third data point from this week’s intelligence is worth noting alongside the above.

SOCRadar published analysis linking the FortiBleed credential theft campaign to INC and Lynx ransomware operations. FortiBleed exploited vulnerabilities in Fortinet FortiGate devices, the network security appliances used by many SMBs and their MSPs. The campaign resulted in 354 confirmed intrusions and at least 12 confirmed ransomware deployments.

FortiGate devices are popular precisely because they are marketed as accessible enterprise-grade security for smaller organisations. That positioning means the attack surface includes businesses that believed they had invested in proper protection.

Credentials stolen from network devices do not sit unused. They are verified, traded, and sold to ransomware affiliates. The FortiBleed timeline illustrates how quickly that pipeline operates.

If your organisation uses Fortinet equipment, and particularly if that equipment is managed by an MSP, the question of whether FortiGate firmware has been kept current is worth raising explicitly.
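Raising it explicitly means checking the version actually running, not the version the MSP remembers installing (step 3 of the action list below). As an added example, not code from the episode, SOCRadar or Fortinet, here is a check that parses the "Version:" line printed by the FortiOS CLI command `get system status` and compares each device with a minimum version for its own release branch. The branch floors and the device outputs are constructed placeholders; the real minimums for your branch come from the Fortinet PSIRT advisory for the CVEs behind FortiBleed, which the episode does not enumerate.

```python
"""Audit FortiGate firmware versions against a per-branch minimum.

Added example, not from the episode, SOCRadar or Fortinet. Parses the line
"Version: <model> v<major.minor.patch>,build<nnnn>,<yymmdd> (GA.M)" printed by
`get system status` on the FortiOS CLI. MIN_VERSION and FLEET are CONSTRUCTED
placeholders; substitute the fixed versions from the relevant Fortinet PSIRT advisory.
"""
import re

VERSION_RE = re.compile(
    r'^Version:\s+(?P<model>\S+)\s+v(?P<version>\d+\.\d+\.\d+),build(?P<build>\d+),(?P<date>\d{6})')

# Constructed floors keyed by release branch ("major.minor"). Fixes are backported per
# branch, so a 7.0.x device is held to the 7.0 fix, not to the newest 7.4 release.
MIN_VERSION = {"7.0": (7, 0, 17), "7.2": (7, 2, 11), "7.4": (7, 4, 8)}

# Constructed `get system status` excerpts from four devices (one unreachable).
FLEET = {
    "edge-fw-london": "Version: FortiGate-60F v7.2.8,build1639,240213 (GA.M)\n"
                      "Serial-Number: FGT60FTKXXXXXXXX\nOperation Mode: NAT\n",
    "edge-fw-leeds": "Version: FortiGate-100F v7.0.17,build0682,241121 (GA.M)\n",
    "branch-fw-manc": "Version: FortiGate-40F v7.4.10,build2571,250826 (GA.M)\n",
    "lab-fw": "Connection closed by remote host\n",
}


def parse_version(status_text: str):
    """Model, version tuple, build number and build date from `get system status` output."""
    for line in status_text.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            return {"model": m["model"],
                    "version": tuple(int(x) for x in m["version"].split(".")),
                    "build": int(m["build"]), "build_date": m["date"]}
    return None


def branch(version: tuple) -> str:
    return f"{version[0]}.{version[1]}"


def meets_floor(version: tuple, floors=MIN_VERSION) -> bool:
    """True if version is at or above the floor for its own branch.
    Tuple comparison is deliberate: as strings, "7.2.8" sorts after "7.2.10", so a
    string compare would report a patched box as older than an unpatched one."""
    floor = floors.get(branch(version))
    if floor is None:
        return False   # unknown or end-of-support branch: fail it and investigate
    return version >= floor


def audit_fleet(fleet: dict, floors=MIN_VERSION) -> dict:
    """Per-host verdict: OK, UPDATE, or UNKNOWN when no Version line could be read."""
    results = {}
    for host, text in fleet.items():
        parsed = parse_version(text)
        if parsed is None:
            results[host] = "UNKNOWN (no Version line: device unreachable or output format changed)"
            continue
        v = ".".join(map(str, parsed["version"]))
        verdict = "OK" if meets_floor(parsed["version"], floors) else "UPDATE"
        results[host] = (f'{verdict} {parsed["model"]} v{v} build{parsed["build"]} '
                         f'(branch {branch(parsed["version"])})')
    return results


if __name__ == "__main__":
    for host, verdict in audit_fleet(FLEET).items():
        print(f"{host:16} {verdict}")
```

An UNKNOWN result is not a pass: a device the check cannot reach is the one most likely to have been forgotten, and forgotten appliances are where stolen-credential campaigns start.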

Why This Gives You an Edge

The businesses that will navigate this threat environment well are not the ones with the largest security budgets. They are the ones asking the right questions of their IT providers and acting on the answers.

Knowing that CVE-2026-45659 is on CISA’s KEV list, and knowing what that means, puts you ahead of the majority of small business owners who will hear about SharePoint exploitation after it has affected someone they know.

The same applies to AI-automated attacks. Understanding that the volume and speed of ransomware attacks is increasing because of automation changes how you think about your backup strategy. An offline backup that cannot be reached by an automated process is not a nice-to-have. It is the difference between a recoverable incident and a catastrophic one.

Clients and procurement teams are increasingly asking suppliers about cyber security posture. Being able to articulate that you monitor threat intelligence, patch on a defined schedule, and maintain tested offline backups is a differentiated position in most SMB markets.

Making the Business Case

Three arguments for getting budget approval on the basics:

The threat is confirmed, not theoretical. CISA’s KEV list exists specifically to communicate active exploitation. When a vulnerability appears there, it means it is being used against real targets right now. That is a different conversation to vendor fear-mongering about hypothetical risks.

The cost of patching is fixed. The cost of a breach is open-ended. A confirmed SharePoint RCE in the hands of a ransomware affiliate can encrypt your file servers, your project data, and your client records. The ICO does not accept “we hadn’t patched yet” as mitigation in a breach notification. The regulatory exposure is real.

AI-automated attacks remove the small-target defence. If your previous position was that you were too small to be worth a sophisticated attacker’s time, that assumption needs revisiting. Automated attack pipelines do not discriminate by company size.

What to Do Before Friday

1. Confirm your SharePoint patch status today. If you use on-premises SharePoint or have an MSP managing SharePoint servers, ask specifically whether the May 2026 patch cycle has been applied and whether CVE-2026-45659 is remediated. Get a written confirmation.

2. Audit internet-facing development tools. If anyone in your organisation uses AI development platforms, including Langflow or similar tools, verify whether those instances are exposed to the internet. If they are, and they do not need to be, restrict access immediately. Upgrade any Langflow instance older than 1.3.0 regardless of exposure, because the vulnerable endpoint needs no credentials and an internal foothold is enough to reach it.

3. Verify your Fortinet firmware version. If you use FortiGate or other Fortinet equipment, ask your IT provider for the current firmware version and confirm it is current. The FortiBleed campaign demonstrates that unpatched network appliances are a direct route to ransomware deployment.

4. Test your backups. Not just that they exist. Test that you can actually restore from them. And confirm that at least one backup copy is offline, meaning it cannot be reached from your network, and therefore cannot be encrypted by ransomware that has gained access to your systems.

5. Ask your MSP for a patch report. A competent MSP should be able to produce a report showing which patches have been applied across your environment and when. If they cannot produce this on request, that is a capability gap worth knowing about.

Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share it with someone who would find it useful. If this episode saved someone a phone call to a breach response firm, that is exactly what it is here for.

Sources

  • CISA: CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2026-45659)
  • Microsoft Security Response Centre: CVE-2026-45659 Microsoft SharePoint Server Remote Code Execution Vulnerability
  • The Hacker News: AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
  • The Hacker News: FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
  • The Hacker News: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
  • NIST NVD: CVE-2026-45659 Detail
  • TheCyberThrone: CISA Adds CVE-2026-45659 SharePoint Vulnerability to KEV

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • incident-response
  • cloud-security
  • vendor-risk
  • business-risk