CISA Warns of Actively Exploited SharePoint RCE, Microsoft Uncovers Co-existing Threat Actors
The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has added a high-severity remote code execution (RCE) vulnerability in **Microsoft SharePoint Server** to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The alert lands as **Microsoft** details an unusual incident in which two unrelated threat actors operated simultaneously inside the same network, each with its own persistence and evasion tooling, which complicated both attribution and incident response.

**CISA** recently issued an alert regarding **CVE-2026-45659**, a high-severity flaw (CVSS score: 8.8) affecting **Microsoft SharePoint Server**. This vulnerability, which allows for remote code execution through the deserialization of untrusted data, was patched by **Microsoft** in May 2026 across **SharePoint Server Subscription Edition**, **SharePoint Server 2019**, and **SharePoint Enterprise Server 2016**.
According to **Microsoft**, an authenticated attacker holding no more than Site Member permissions can exploit the flaw over the network; no administrative or otherwise elevated privileges are required. Site Member is the default collaborator role on a SharePoint site, so any compromised account that can contribute to a site clears that bar.
**Microsoft** initially rated the flaw "Exploitation Less Likely," but **CISA**'s addition of it to the KEV catalog confirms that it is now being exploited in the wild. How it is being exploited, by whom, and to what end remain unclear. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the fixes by July 4, 2026; organizations outside that mandate that run on-premises SharePoint should patch on the same or a shorter timeline.
### Microsoft Uncovers Parallel Threat Activity from Two Clusters
Adding another layer of complexity, **Microsoft** recently disclosed an unusual incident in which a routine ransomware investigation uncovered two distinct, unrelated threat actors operating concurrently within the same compromised network.

One of the attack clusters has been attributed to **Storm-2603**, a known threat actor notorious for deploying **Warlock ransomware**. **Storm-2603** has a history of exploiting vulnerabilities in on-premises **SharePoint** servers since mid-2025.
Initial access in this incident was likely gained through a different vulnerability, **CVE-2025-11371** (CVSS score: 9.1), a critical flaw in **Gladinet Triofox**. **Microsoft** observed probing for local file inclusion through requests for files such as `win.ini` and `web.config`: these are the standard canary files an attacker requests to confirm that a file-read primitive works, since `win.ini` exists on every Windows host and `web.config` holds the application's configuration, often including connection strings and other secrets.
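The probing Microsoft describes is the classic LFI canary check, and it is easy to hunt for in web server logs. The Python below is an added example (not code from the article, Microsoft, or Gladinet) that scans IIS W3C log lines: it percent-decodes each request until stable so double-encoded traversal is caught, flags `../` sequences after normalising backslashes, and matches canary files on the final path component so that a legitimate document such as `web.config.html` is not a hit. The log lines and the `/portal/ViewFile.aspx` endpoint are constructed for the example; the real Triofox request path is not given on the page.

```python
"""Hunt IIS W3C logs for local-file-inclusion probing.

Added example; not code from the article, Microsoft or Gladinet. Flags
requests that carry directory-traversal sequences or reach for canary
files such as win.ini and web.config. Sample lines and the
/portal/ViewFile.aspx endpoint are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Files an attacker requests to confirm an LFI primitive works: win.ini
# exists on every Windows host, web.config holds application secrets.
CANARY_FILES = {"win.ini", "web.config", "boot.ini", "machine.config"}
TRAVERSAL = re.compile(r"\.\./")  # checked after backslash normalisation

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-12 09:14:02 10.0.0.5 GET /portal/ - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-12 09:14:05 10.0.0.5 GET /portal/ViewFile.aspx path=..%2F..%2F..%2Fwindows%2Fwin.ini 443 - 203.0.113.7 python-requests/2.31 200
2026-05-12 09:14:06 10.0.0.5 GET /portal/ViewFile.aspx path=..%2F..%2Fweb.config 443 - 203.0.113.7 python-requests/2.31 200
2026-05-12 09:14:09 10.0.0.5 GET /portal/ViewFile.aspx path=%2e%2e%5c%2e%2e%5cboot.ini 443 - 203.0.113.7 python-requests/2.31 404
2026-05-12 09:15:30 10.0.0.5 GET /portal/docs/web.config.html - 443 jsmith 198.51.100.20 Mozilla/5.0 200
2026-05-12 09:16:01 10.0.0.5 POST /portal/login - 443 - 198.51.100.20 Mozilla/5.0 302
"""


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def decode_fully(value, rounds=3):
    """Percent-decode until stable so %252e%252e%252f also collapses to ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_lfi_probe(record):
    """Return the reasons a request looks like LFI probing (empty if clean)."""
    query = record.get("cs-uri-query", "-")
    target = record.get("cs-uri-stem", "")
    if query != "-":
        target += "?" + query
    normalized = decode_fully(target).replace("\\", "/")
    reasons = []
    if TRAVERSAL.search(normalized):
        reasons.append("traversal")
    # Match canaries on the final path component of the stem and of every
    # query value, so /docs/web.config.html is not a hit but ../web.config is.
    for token in re.split(r"[?&=]", normalized):
        name = token.rsplit("/", 1)[-1].lower()
        if name in CANARY_FILES:
            reasons.append("canary:" + name)
    return reasons


def hunt(text):
    """Group suspicious requests by client IP. A canary hit with status 200
    means the file was actually served and deserves immediate attention."""
    hits = defaultdict(list)
    for rec in parse_iis(text):
        reasons = is_lfi_probe(rec)
        if reasons:
            hits[rec["c-ip"]].append(
                (rec["cs-uri-stem"], rec["cs-uri-query"], reasons, rec["sc-status"]))
    return dict(hits)


if __name__ == "__main__":
    for client, requests in hunt(SAMPLE_LOG).items():
        print(client)
        for stem, query, reasons, status in requests:
            print(f"  {status} {stem}?{query}  {', '.join(reasons)}")
```

On the constructed log, only `203.0.113.7` is reported, with three probes; the two that returned 200 for `win.ini` and `web.config` are the ones that indicate a working read primitive rather than a failed attempt.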
Once inside, **Storm-2603** abused **Velociraptor**, a legitimate digital forensics and incident response tool, so that its activity blended in with ordinary administration. It also set up several redundant remote access channels: **Cloudflare tunneling**, **Zoho Assist**, and **Secure Shell (SSH)** connections configured through **Visual Studio Code**.
Privilege escalation was achieved by creating new local and domain administrator accounts. The actor then loaded a vulnerable driver (**NSecKrnl.sys**), a bring-your-own-vulnerable-driver (BYOVD) technique, to tamper with endpoint security protections and reduce defenders' visibility into what followed.
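Each of the post-access steps above (new admin accounts, tunnelling and remote-access tooling, a vulnerable driver) leaves a Windows event trail. The Python below is an added example, not Microsoft's detection logic, that correlates normalised Security and System log records: a 4720 account creation followed within an hour by a 4728/4732/4756 add of that account to a privileged group, 4688 process creations for `cloudflared.exe`, Visual Studio Code started with its `tunnel` subcommand, Velociraptor or Zoho Assist, and a 7045 service install whose image is `NSecKrnl.sys`. The events are constructed; the snake_case field names (already flattened from EventData) and the Zoho Assist binary name `za_connect.exe` are assumptions to tune to your environment.

```python
"""Correlate Windows event records for the post-access behaviours
described above. Added example, not Microsoft's detection logic. Records
are constructed and already normalised from EventData; the field names
and the Zoho Assist binary name (za_connect.exe) are assumptions.
"""
from datetime import datetime, timedelta
from ntpath import basename  # splits Windows paths correctly on any OS

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global / local / universal group
PROCESS_CREATED = 4688
SERVICE_INSTALLED = 7045                 # System log: new service, incl. drivers
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
VULNERABLE_DRIVERS = {"nseckrnl.sys"}    # extend from a maintained block list

# (image name, required command-line substring). VS Code is only a remote
# access channel when started with the tunnel subcommand.
REMOTE_ACCESS_TOOLS = (
    ("cloudflared.exe", None),
    ("code.exe", "tunnel"),
    ("velociraptor.exe", None),  # legitimate DFIR tool; a hit matters only
                                 # when your own IR team did not deploy it
    ("za_connect.exe", None),    # Zoho Assist agent name: assumption
)

EVENTS = [  # constructed for the example
    {"time": "2026-05-12T09:40:00", "id": PROCESS_CREATED, "host": "FS01",
     "data": {"image": r"C:\Users\svc\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              "command_line": r"Code.exe C:\notes\readme.md"}},  # benign: editing a file
    {"time": "2026-05-12T09:58:00", "id": PROCESS_CREATED, "host": "FS01",
     "data": {"image": r"C:\ProgramData\cf\cloudflared.exe",
              "command_line": "cloudflared.exe tunnel run svc-tunnel"}},
    {"time": "2026-05-12T10:02:00", "id": ACCOUNT_CREATED, "host": "DC01",
     "data": {"account": "sqlsvc2"}},
    {"time": "2026-05-12T10:04:00", "id": 4728, "host": "DC01",
     "data": {"member": "sqlsvc2", "group": "Domain Admins"}},
    {"time": "2026-05-12T10:10:00", "id": ACCOUNT_CREATED, "host": "FS01",
     "data": {"account": "localsvc"}},
    {"time": "2026-05-12T10:12:00", "id": 4732, "host": "FS01",
     "data": {"member": "localsvc", "group": "Administrators"}},
    {"time": "2026-05-12T10:20:00", "id": PROCESS_CREATED, "host": "FS01",
     "data": {"image": r"C:\Users\svc\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              "command_line": "Code.exe tunnel --accept-server-license-terms"}},
    {"time": "2026-05-12T10:41:00", "id": PROCESS_CREATED, "host": "FS01",
     "data": {"image": r"C:\ProgramData\vr\velociraptor.exe",
              "command_line": "velociraptor.exe --config client.config.yaml client"}},
    {"time": "2026-05-12T10:55:00", "id": SERVICE_INSTALLED, "host": "FS01",
     "data": {"service_name": "NSecKrnl", "image_path": r"\??\C:\Windows\Temp\NSecKrnl.sys",
              "service_type": "kernel mode driver"}},
    {"time": "2026-05-12T11:00:00", "id": ACCOUNT_CREATED, "host": "FS01",
     "data": {"account": "jdoe"}},
    {"time": "2026-05-12T11:01:00", "id": 4732, "host": "FS01",
     "data": {"member": "jdoe", "group": "Remote Desktop Users"}},  # not privileged
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_admins(events, window_minutes=60):
    """4720 followed within the window by the same account being added to a
    privileged group: the local/domain admin creation seen in the incident."""
    window = timedelta(minutes=window_minutes)
    created, hits = {}, []
    for e in sorted(events, key=_ts):
        d = e["data"]
        if e["id"] == ACCOUNT_CREATED:
            created[d["account"].lower()] = _ts(e)
        elif e["id"] in GROUP_MEMBER_ADDED and d["group"] in PRIVILEGED_GROUPS:
            member = d["member"].lower()
            if member in created and _ts(e) - created[member] <= window:
                hits.append((d["member"], d["group"], e["host"]))
    return hits


def find_remote_access_tools(events):
    """4688 process creations matching known tunnelling / remote-access tools."""
    hits = []
    for e in events:
        if e["id"] != PROCESS_CREATED:
            continue
        image = basename(e["data"]["image"]).lower()
        cmdline = e["data"].get("command_line", "")
        for name, needle in REMOTE_ACCESS_TOOLS:
            if image == name and (needle is None or needle in cmdline.lower()):
                hits.append((e["host"], image, cmdline))
    return hits


def find_vulnerable_driver_installs(events):
    """7045 service installs whose image is a known-vulnerable driver."""
    hits = []
    for e in events:
        if e["id"] == SERVICE_INSTALLED:
            path = e["data"]["image_path"]
            if basename(path).lower() in VULNERABLE_DRIVERS:
                hits.append((e["host"], e["data"]["service_name"], path))
    return hits


def hunt_events(events):
    return {
        "new_admins": find_new_admins(events),
        "remote_access_tools": find_remote_access_tools(events),
        "vulnerable_drivers": find_vulnerable_driver_installs(events),
    }


if __name__ == "__main__":
    for category, hits in hunt_events(EVENTS).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

The three findings are deliberately kept separate rather than scored together: any one of them on its own justifies a look, and a new admin account followed by a kernel driver install from `C:\Windows\Temp` on the same host is exactly the sequence the article attributes to Storm-2603. Match the driver by hash as well as by name in production, since a renamed copy defeats the filename check.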
Simultaneously, **Microsoft**'s investigation revealed a second, unrelated threat actor operating within the same environment. This group employed DLL side-loading and custom backdoors, making attribution more challenging. Further analysis confirmed that these attackers had moved laterally into a second organization, also compromised by the same **Storm-2603** ransomware activity.
**Microsoft**'s Incident Response team highlighted the critical takeaway: "What may appear to be a single ransomware incident can quickly expand into something more complex: spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel. For security teams, the implication is clear: isolated signals rarely tell the full story."