SharePoint Is Being Actively Exploited Right Now. Is Your Business Exposed?
Three vulnerabilities landed in the past 24 hours that cut directly to how UK small businesses operate. One is already being actively exploited. Two score 9.8 on the CVSS severity scale. All three are network-accessible and require no authentication from the attacker.
This is not a theoretical brief. Let the data make the case.
The Headline: Microsoft SharePoint Is Being Actively Exploited
On 16 July 2026, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities catalogue. That means confirmed, real-world exploitation. Not a proof of concept. Not a researcher demonstration. Attackers are using this right now.
The vulnerability is a deserialization flaw in Microsoft SharePoint. An unauthorised attacker can send a crafted request over a network and execute arbitrary code on the target system. No authentication required. No user interaction required.
SharePoint sits at the heart of how a significant number of UK small businesses handle documents, internal communications, and collaboration. If your SharePoint instance is internet-facing, or accessible to any part of your network that an attacker could reach, this matters to you today.
CISA’s required action is unambiguous: apply vendor mitigations immediately, following BOD 26-04 patching guidelines. If mitigations are unavailable, discontinue use. Microsoft has published guidance. The gap between knowing about this and applying the fix is where breaches happen.
What this means in plain terms: If you have not patched SharePoint since 16 July, assume the risk is live. Not elevated. Live.
Zoom for Windows: CVSS 9.8, Account Takeover, No Authentication Required
CVE-2026-53412. CVSS score: 9.8. Zoom Workplace for Windows and the Zoom Workplace VDI Client for Windows.
Zoom failed to properly validate input, allowing an unauthenticated attacker with network access to take over user accounts. Zoom has released a patch.
The practical exposure here is significant. Zoom is a standard tool across UK SMBs, used for client calls, team meetings, and supplier conversations. The VDI client variant extends this risk into virtual desktop environments, which a growing number of businesses use for remote working.
Zoom has not published technical details of the specific exploitation mechanism beyond the input validation failure. That is a reasonable responsible disclosure position. It does not change the remediation requirement.
What this means in plain terms: Every Windows machine in your business running Zoom needs to be updated. Open Zoom on each device and let it update, or push the update through your endpoint management tooling if you have it. This is a Friday afternoon job, not a next-sprint item.
WireGuard Easy: Remote Access Credentials Brute-Forceable in 1,000 Attempts
CVE-2026-63089. CVSS score: 9.3. WireGuard Easy through version 15.3.0.
This one requires a moment of explanation, because it illustrates a specific and infuriating category of security failure.
WireGuard Easy generates one-time link tokens for peer credentials using CRC32 over a random value constrained to between 0 and 999. That is a keyspace of 1,000 possible values. An unauthenticated attacker can enumerate all 1,000 candidates against the /cnf/:oneTimeLink endpoint. The endpoint has no rate limiting. It does not validate token expiry. Once the attacker finds the correct token, they retrieve the peer’s private key and preshared key, and can impersonate that peer on your VPN.
WireGuard itself is a well-regarded VPN protocol. WireGuard Easy is a self-hosted web interface that makes it more accessible to non-technical administrators. That accessibility has introduced a cryptographically indefensible token generation mechanism.
The fix is in commit 66b292b. If you self-host WireGuard Easy and are running version 15.3.0 or earlier, two things are true: first, you need to update immediately; second, you should treat any credentials distributed via the one-time link mechanism as potentially compromised and revoke and reissue them.
What this means in plain terms: If WireGuard Easy is how your team accesses the office network remotely, your VPN credentials may already be in someone else’s hands. Update, revoke existing peer credentials, and reissue.
The Pattern Worth Noting
Look at what these three vulnerabilities have in common.
All three allow unauthenticated access. An attacker does not need credentials to start the attack. All three are accessible over a network, not requiring physical presence or prior foothold. All three affect software that UK small businesses use routinely: SharePoint for document collaboration, Zoom for communications, WireGuard Easy for remote access.
That is not coincidence. It is a consistent targeting profile. Attackers go for the tools that everyone uses, that are accessible from the internet or from within a compromised network, and that businesses have not yet patched because the patch dropped yesterday.
The CISA KEV confirmation on SharePoint tells you that at least one of these has already crossed from vulnerability to active weapon. The 9.8 scores on SharePoint and Zoom reflect severity independent of exploitation status. The WireGuard Easy flaw is technically trivial to exploit: 1,000 guesses is not a sophisticated attack, it is a script that runs in minutes.
Why This Gives Your Business a Measurable Edge
The businesses that apply these patches today are in a materially different risk position from the businesses that wait until next week, next month, or the next time someone raises it in a board meeting.
That gap is documentable. If you operate in a sector where clients or partners ask about your security posture, being able to demonstrate that your patch management process responds to active exploitation within 24 to 48 hours is a concrete, verifiable differentiator. It is not a marketing claim. It is a process.
If you hold Cyber Essentials certification or are working towards it, prompt patch application against actively exploited vulnerabilities is directly aligned with the certification’s requirements. It also reduces your exposure in the event of a regulatory investigation following an incident. The ICO looks poorly on organisations that were aware of a critical patch and failed to apply it.
Making the Business Case
Three arguments for anyone who needs to justify the time this week:
CISA confirmed active exploitation. This is not a vendor warning or a researcher prediction. The US government’s cyber security agency has confirmed that SharePoint CVE-2026-58644 is being used in attacks right now. The UK’s NCSC aligns closely with CISA’s KEV assessments. This is the closest thing to a mandatory patch signal that exists outside of a direct government directive.
The attack requires nothing from the attacker. No credentials. No prior access. No user action. An attacker who can reach your SharePoint, Zoom, or WireGuard Easy instance can begin the attack immediately. The cost of exploitation is low. The cost of a successful breach is not.
Patches are available for all three. This is not a situation requiring architectural change, vendor negotiation, or budget approval. The fixes exist. The decision is whether to apply them.
What to Do Before the End of Today
-
Patch SharePoint immediately. Log into Microsoft Update or your patch management tooling and apply the available update for CVE-2026-58644. If you use SharePoint Online (Microsoft 365), Microsoft manages patching on your behalf, but verify your tenant is current. If you run SharePoint on-premises, this requires action from you or your IT provider today.
-
Update Zoom on every Windows device. Open Zoom and allow it to update, or push the update centrally. CVE-2026-53412 affects Zoom Workplace for Windows and the VDI client. Both need updating. Check with any remote workers or home-office staff that their Zoom has updated.
-
If you self-host WireGuard Easy, update and revoke credentials. Pull the latest version from the WireGuard Easy repository (fixed in commit 66b292b). After updating, revoke all existing peer credentials that were distributed via one-time links and reissue them. If you are unsure whether you use WireGuard Easy, ask your IT provider or MSP. If they do not know, that is a separate conversation worth having.
-
Confirm with your MSP or IT provider that these patches have been applied. If you outsource IT management, send a direct message today asking for written confirmation that CVE-2026-58644, CVE-2026-53412, and CVE-2026-63089 have been addressed on your estate. If they cannot confirm by end of day, ask why not.
-
Log this action. Note the date you confirmed patching was completed. If you ever face an ICO inquiry or a client security questionnaire, documented evidence that you responded to active exploitation within 24 to 48 hours is significantly more defensible than silence.
Finally: if this brief was useful, follow the show wherever you listen, leave a rating or review, and drop a comment with your thoughts. If you know a business owner or IT manager who should be across this today, send it to them now. That is how this information gets to the people who need it.