SharePoint Is Being Actively Exploited Right Now: What UK Small Businesses Need to Know

CISA added Microsoft SharePoint to its Known Exploited Vulnerabilities catalogue on 1 July 2026. That is not a prediction. That is a confirmation: someone is exploiting this right now, against real targets, and the US government’s cyber security authority considers it serious enough to mandate remediation.

If you use SharePoint on-premises, this is your first priority today.

Story One: SharePoint Is Being Actively Exploited (CVE-2026-45659)

The vulnerability is a deserialization flaw. In plain English: SharePoint processes certain data in a way that allows an authorised user on the network to run arbitrary code on the server. The attacker needs to be authenticated, which means they need valid credentials. That is a lower bar than it sounds, given how frequently credentials are stolen, shared, or reused.

The CISA KEV entry was added 1 July 2026. CISA’s BOD 26-04 requires federal agencies to patch or discontinue use within defined timescales. UK small businesses are not bound by that directive, but the signal is unambiguous: this is being exploited in the wild, now.

What does this mean practically? If you run SharePoint Server on your own infrastructure, or if your IT provider manages it for you, check patch status today. The question to ask your MSP or IT support is specific: has CVE-2026-45659 been remediated? If they cannot answer that question immediately, that tells you something important about your patching posture.

If you use SharePoint Online through Microsoft 365, Microsoft manages patching at the infrastructure level. Your exposure is lower, but verify that no on-premises hybrid SharePoint components are connected to your Microsoft 365 tenant, because they could serve as a bridge.

Story Two: Your Office Camera May Have No Password (CVE-2026-58453)

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain hardcoded credentials. The default admin username is accepted with an empty password via the HTTP service on port 80. No authentication required beyond that.

An attacker on the same network can access live video feeds, camera snapshots, network configuration data, and factory-level API endpoints including a command injection surface via the SetMAC function.

This matters to UK small businesses for a specific reason: cheap IP cameras are everywhere. Reception desks, car parks, storage rooms, server rooms. They get installed, they get forgotten, and they sit on the same network as your accounting software, your customer database, and your email.

The broader NVD dataset from 1 July also includes similar flaws in Shenzhen Aitemi M300 Wi-Fi Repeaters (CVE-2026-58457): unauthenticated OS command injection through the device’s web backend. Anyone adjacent to the network can run arbitrary shell commands with root-level access.

These are not exotic enterprise systems. These are the kind of devices you find in any small office, any retail unit, any professional practice. They are cheap because the security engineering is cheap.

Check what is on your network. If you do not have an inventory of connected devices, you do not know your attack surface. That is the starting point.

Story Three: AI-Generated Ransomware Is Using Your Browser Against You

Researchers have identified a malware artefact generated using DeepSeek that exploits the Chromium File System Access API to encrypt files on Windows and Android devices. The mechanism does not require a traditional malware payload: it abuses a legitimate browser permission that most users have already granted to various web applications.

This has not been observed in active exploitation yet. Note that qualifier carefully. The proof of concept exists. The technique is documented. The barrier to weaponisation is lower than it was twelve months ago, because AI is reducing the expertise required to build functional malware.

For UK small businesses, the practical implication is not “stop using Chrome.” It is: be precise about what browser permissions you grant. When a website asks to access your file system, that is not a routine click-through. It is a permission with real consequences if the site is malicious or becomes compromised.

The Chrome 150 update released 1 July 2026 addressed 382 vulnerabilities including 15 classified as critical. That update should be applied to every device in your business. Browser patching is frequently neglected because it feels less consequential than server patching. The AI ransomware research is a direct counter-argument to that assumption.

Why This Matters for Your Business’s Competitive Position

The pattern across all three stories is the same: the attack surface is wider than most small businesses assume, and the time between vulnerability disclosure and active exploitation is compressing.

SharePoint went from disclosed to actively exploited fast enough to land in the KEV catalogue. The IP camera flaws affect commodity hardware that was never designed with security as a priority. The AI ransomware proof-of-concept demonstrates that the technical barrier to novel attack development is falling.

Businesses that can demonstrate a structured, evidence-based response to these conditions are increasingly differentiated in procurement, in supplier assessments, and in conversations with insurers. Cyber insurance underwriters are asking more specific questions. “We have a firewall” is not an answer. “We patch within 72 hours of KEV additions and we maintain a device inventory” is.

This is not abstract positioning. It is the difference between passing and failing a client security questionnaire that your larger customers are now routinely issuing.

How to Make the Case to Your Board or Leadership Team

The SharePoint flaw is under confirmed active exploitation; it is not a theoretical risk. CISA’s KEV catalogue documents flaws that are being used against real targets. This is not a vendor warning. It is an intelligence assessment.

The camera and repeater vulnerabilities illustrate a systemic problem with unmanaged devices. Every device on your network that you cannot account for is a potential pivot point. The cost of a device inventory is a spreadsheet and an afternoon. The cost of discovering this during an incident is considerably higher.

The AI ransomware development compresses your response timelines. When novel attack techniques can be generated in minutes rather than months, the window between a proof-of-concept becoming public and it being weaponised shrinks. Patching cadence and permission hygiene are not optional security theatre: they are operational risk controls.

What to Do Before the End of This Week

  1. Ask your IT support or MSP specifically about CVE-2026-45659. Not “are we patched generally.” That specific CVE, that specific answer. If they need to check, ask for confirmation within 24 hours.

  2. Audit the cameras and network-attached devices in your office. Write down every device connected to your business network. Cross-reference against the manufacturer’s current firmware. JAIOTlink and Aitemi devices should be checked immediately. Devices without a current firmware version or without a patch available should be isolated from the primary network or replaced.

  3. Apply Chrome 150 to every device. Check your browser version at chrome://settings/help. If you manage devices centrally, push the update now. If staff manage their own devices, send the instruction today.

  4. Review browser permissions on business devices. In Chrome, go to Settings, Privacy and Security, Site Settings, and review which sites have been granted file system access. Revoke anything that cannot be justified.

  5. Check your cyber insurance policy covers ransomware delivered via browser-based mechanisms. Some policies have exclusions that were written before this attack vector existed. Now is the time to read the small print, not during an incident.
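
As an added example (not from the original article), steps 1 and 2 can be backed by a small script that cross-references a device inventory against the advisories above and applies the 72-hour KEV patch window mentioned earlier. The inventory columns, the "isolated" segment name and the sample rows are constructed assumptions; the KEV excerpt uses the field names of CISA's JSON feed with values taken from this article.

```python
import csv, io, json
from datetime import datetime, timedelta, timezone

# Constructed excerpt shaped like CISA's KEV JSON feed; values are the article's.
KEV_JSON = """{"vulnerabilities": [{"cveID": "CVE-2026-45659",
  "vendorProject": "Microsoft", "product": "SharePoint Server",
  "dateAdded": "2026-07-01"}]}"""

# Device advisories named in the article: (CVE, vendor, model, affected firmware).
# None means the article gives no firmware version, so any version is flagged.
ADVISORIES = [
    ("CVE-2026-58453", "jaiotlink", "c492a-w6", "4.8.30.57701411"),
    ("CVE-2026-58457", "aitemi", "m300", None),
]

# Constructed inventory. Column names and the "isolated" segment are assumptions.
INVENTORY_CSV = """name,vendor,model,firmware,segment,patched_cves
reception-cam,JAIOTlink,C492A-W6,4.8.30.57701411,office,
stockroom-repeater,Aitemi,M300,,office,
intranet,Microsoft,SharePoint Server,,servers,
finance-portal,Microsoft,SharePoint Server,,servers,CVE-2026-45659
laser-printer,ExampleCo,P100,1.2.0,office,
"""

def audit(inventory_csv, kev_json, now, sla_hours=72):
    """Return (device, CVE, action) findings for the inventory."""
    kev = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for dev in csv.DictReader(io.StringIO(inventory_csv)):
        vendor, model = dev["vendor"].lower(), dev["model"].lower()
        patched = set(filter(None, dev["patched_cves"].split(";")))
        # Unmanaged devices: an unknown (blank) firmware is treated as affected.
        for cve, adv_vendor, adv_model, adv_fw in ADVISORIES:
            fw_hit = adv_fw is None or dev["firmware"] in ("", adv_fw)
            if adv_vendor in vendor and adv_model == model and fw_hit and dev["segment"] != "isolated":
                findings.append((dev["name"], cve, "isolate or replace"))
        # KEV entries: unpatched products get a deadline of dateAdded + SLA.
        for e in kev:
            product = (e["vendorProject"].lower(), e["product"].lower())
            if product != (vendor, model) or e["cveID"] in patched:
                continue
            added = datetime.strptime(e["dateAdded"], "%Y-%m-%d")
            deadline = added.replace(tzinfo=timezone.utc) + timedelta(hours=sla_hours)
            status = "OVERDUE" if now > deadline else "due"
            findings.append((dev["name"], e["cveID"], f"{status} {deadline:%Y-%m-%d}"))
    return findings

if __name__ == "__main__":
    for row in audit(INVENTORY_CSV, KEV_JSON, datetime(2026, 7, 6, tzinfo=timezone.utc)):
        print(*row, sep="\t")
```

Swapping the embedded strings for a real inventory export and the downloaded KEV feed gives a dated list that answers the "that specific CVE, that specific answer" question in writing.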

Source | Article
CISA KEV | Known Exploited Vulnerabilities Catalog: CVE-2026-45659 Microsoft SharePoint Server
NIST NVD | CVE-2026-58453: JAIOTlink C492A-W6 Hardcoded Credentials
NIST NVD | CVE-2026-58457: Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection
The Hacker News | AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android
TheCyberThrone | Google Chrome 150 Security Update: 382 Vulnerabilities Fixed
CERT-EU | Cyber Brief 26-07: June 2026
NCSC | Patch Management Guidance