CISA flags active SharePoint RCE exploit as Cisco UCM attacks continue
CISA added a critical Microsoft SharePoint remote code execution vulnerability to its Known Exploited Vulnerabilities catalog on July 2, 2026, the same day Cisco confirmed active exploitation of a flaw in its Unified Communications Manager platform. Both vulnerabilities allow unauthenticated remote attackers to execute code or create unauthorized files on enterprise servers. IT and security operations teams running either platform need to act now: delays directly translate into exposure at scale.
This story was produced through MarketScale. See how Software & Technology teams put it to work with Executive Thought Leadership.
Key facts, context, and what it means, in one minute.
Key takeaways
CISA added SharePoint CVE-2026-45659 to its KEV catalog on July 2, 2026, requiring federal agencies to patch immediately and signaling urgency for all enterprise operators.
Cisco confirmed the same day that CVE-2026-20230, a server-side request forgery flaw in Unified Communications Manager, is being actively exploited by unauthenticated remote attackers.
Both flaws require low attacker complexity, meaning exploitation is accessible to a broad range of threat actors using automated scanning tools.
Two critical vulnerabilities affecting core enterprise infrastructure landed on security teams' radar on July 2, 2026, and both are already being exploited. The U.S. Cybersecurity and Infrastructure Security Agency added a Microsoft SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog, while Cisco separately updated its advisory to confirm active attacks against its Unified Communications Manager platform.
SharePoint deserialization flaw draws federal mandate
The SharePoint vulnerability, tracked as CVE-2026-45659, stems from unsafe deserialization of untrusted data. Attackers with low privilege levels can exploit it remotely over the internet to execute arbitrary code on affected servers, with no need for physical access or elevated credentials.
CISA's KEV catalog listing carries real operational weight. Federal civilian agencies face binding patch deadlines once a CVE appears there, and the catalog has historically served as a reliable signal that threat actors are actively scanning for and compromising unpatched instances across both public and private sector networks. Security teams running SharePoint as a document management or intranet backbone should treat this as an active incident until patching is confirmed.
The deserialization attack class is particularly difficult to block with perimeter controls alone. Network scanning engines can identify exposed SharePoint endpoints at scale, meaning the window between a public proof-of-concept and widespread exploitation is now measured in hours, not days.
Cisco UCM: voice infrastructure under active attack
Cisco's updated advisory for CVE-2026-20230 confirms what security researchers had warned about for weeks: the server-side request forgery vulnerability in Unified Communications Manager is no longer just a theoretical risk. Unauthenticated, remote attackers are executing low-complexity requests that create unauthorized files on exposed UCM servers.
Voice infrastructure has historically been treated as lower-risk than data systems, but UCM environments often sit at the intersection of telephony, directory services, and internal application routing. Unauthorized file creation on a UCM server can serve as a foothold for lateral movement or persistent access, making this more than a telephony availability issue.
Financial services organizations are among those aggressively pushing patches this week, according to B2B Tech News, reflecting the sector's sensitivity to communications infrastructure compromise. Organizations in any regulated vertical should assess their UCM exposure and check whether internet-facing or DMZ-adjacent deployments are running affected firmware versions.
A third threat vector: macOS credential harvesting
Separate reporting from July 2 identified a new macOS infostealer that adds a validation step before exfiltrating credentials. Rather than immediately sending stolen data to a command-and-control server, the malware uses AppleScript prompts to locally verify that captured passwords actually work before transmitting them. The approach reduces the malware's network footprint and increases the quality of harvested credentials.
Distributed through malicious ads and deceptive software installers, the threat targets macOS Keychain data. For enterprises that have expanded Mac deployments across developer, finance, or executive teams, this is a concrete reminder that endpoint detection and identity monitoring on macOS requires the same rigor applied to Windows environments.
What this means for your team
- Audit all SharePoint Server deployments for CVE-2026-45659 patch status immediately; if patches cannot be applied within your change window, consider taking internet-exposed instances offline until they are applied.
- Inventory Cisco UCM firmware versions across all sites and prioritize patching for any UCM nodes reachable from low-trust or internet-adjacent network segments; review server file system logs for signs of unauthorized file creation.
- Extend macOS endpoint monitoring to include behavioral detection for unusual AppleScript execution and Keychain access patterns, particularly on devices used by privileged users or those with access to financial or identity systems.
- Cross-check your patch cadence against CISA's KEV catalog as a standing practice: KEV additions indicate confirmed in-the-wild exploitation and should trigger an immediate response, not a scheduled maintenance window.
Sources
- CISA SharePoint KEV entry and Cisco UCM advisory coverage ↗ · B2B Tech News
About the author
The MarketScale Newsroom reports on the companies, technologies, and trends shaping 16 B2B industries. It turns primary sources and expert commentary into clear, useful coverage for the people doing the work.