Skip to content
MarketScale
‹ Back to IndustriesSoftware & Technology

CISA flags active SharePoint RCE exploit as Cisco UCM attacks continue

CISA added a critical Microsoft SharePoint remote code execution vulnerability to its Known Exploited Vulnerabilities catalog on July 2, 2026, the same day Cisco confirmed active exploitation of a flaw in its Unified Communications Manager platform. Both vulnerabilities allow unauthenticated remote attackers to execute code or create unauthorized files on enterprise servers. IT and security operations teams running either platform need to act now: delays directly translate into exposure at scale.

This story was produced through MarketScale. See how Software & Technology teams put it to work with Executive Thought Leadership.

By MarketScale NewsroomCisaMicrosoft SharepointCiscoUnified Communications Manager
Share
Learn this in 60 seconds

Key facts, context, and what it means, in one minute.

:60
0:001:00
CISA flags active SharePoint RCE exploit as Cisco UCM attacks continue

Key takeaways

01

CISA added SharePoint CVE-2026-45659 to its KEV catalog on July 2, 2026, requiring federal agencies to patch immediately and signaling urgency for all enterprise operators.

02

Cisco confirmed the same day that CVE-2026-20230, a server-side request forgery flaw in Unified Communications Manager, is being actively exploited by unauthenticated remote attackers.

03

Both flaws require low attacker complexity, meaning exploitation is accessible to a broad range of threat actors using automated scanning tools.

Two critical vulnerabilities affecting core enterprise infrastructure landed on security teams' radar on July 2, 2026, and both are already being exploited. The U.S. Cybersecurity and Infrastructure Security Agency added a Microsoft SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog, while Cisco separately updated its advisory to confirm active attacks against its Unified Communications Manager platform.

SharePoint deserialization flaw draws federal mandate

The SharePoint vulnerability, tracked as CVE-2026-45659, stems from unsafe deserialization of untrusted data. Attackers with low privilege levels can exploit it remotely over the internet to execute arbitrary code on affected servers, with no need for physical access or elevated credentials.

CISA's KEV catalog listing carries real operational weight. Federal civilian agencies face binding patch deadlines once a CVE appears there, and the catalog has historically served as a reliable signal that threat actors are actively scanning for and compromising unpatched instances across both public and private sector networks. Security teams running SharePoint as a document management or intranet backbone should treat this as an active incident until patching is confirmed.

The deserialization attack class is particularly difficult to block with perimeter controls alone. Network scanning engines can identify exposed SharePoint endpoints at scale, meaning the window between a public proof-of-concept and widespread exploitation is now measured in hours, not days.

Cisco UCM: voice infrastructure under active attack

Cisco's updated advisory for CVE-2026-20230 confirms what security researchers had warned about for weeks: the server-side request forgery vulnerability in Unified Communications Manager is no longer just a theoretical risk. Unauthenticated, remote attackers are executing low-complexity requests that create unauthorized files on exposed UCM servers.

Voice infrastructure has historically been treated as lower-risk than data systems, but UCM environments often sit at the intersection of telephony, directory services, and internal application routing. Unauthorized file creation on a UCM server can serve as a foothold for lateral movement or persistent access, making this more than a telephony availability issue.

Financial services organizations are among those aggressively pushing patches this week, according to B2B Tech News, reflecting the sector's sensitivity to communications infrastructure compromise. Organizations in any regulated vertical should assess their UCM exposure and check whether internet-facing or DMZ-adjacent deployments are running affected firmware versions.

A third threat vector: macOS credential harvesting

Separate reporting from July 2 identified a new macOS infostealer that adds a validation step before exfiltrating credentials. Rather than immediately sending stolen data to a command-and-control server, the malware uses AppleScript prompts to locally verify that captured passwords actually work before transmitting them. The approach reduces the malware's network footprint and increases the quality of harvested credentials.

Distributed through malicious ads and deceptive software installers, the threat targets macOS Keychain data. For enterprises that have expanded Mac deployments across developer, finance, or executive teams, this is a concrete reminder that endpoint detection and identity monitoring on macOS requires the same rigor applied to Windows environments.

What this means for your team

  • Audit all SharePoint Server deployments for CVE-2026-45659 patch status immediately; if patches cannot be applied within your change window, consider taking internet-exposed instances offline until they are applied.
  • Inventory Cisco UCM firmware versions across all sites and prioritize patching for any UCM nodes reachable from low-trust or internet-adjacent network segments; review server file system logs for signs of unauthorized file creation.
  • Extend macOS endpoint monitoring to include behavioral detection for unusual AppleScript execution and Keychain access patterns, particularly on devices used by privileged users or those with access to financial or identity systems.
  • Cross-check your patch cadence against CISA's KEV catalog as a standing practice: KEV additions indicate confirmed in-the-wild exploitation and should trigger an immediate response, not a scheduled maintenance window.

Featured companies

About the author

MarketScale Newsroom
MarketScale NewsroomEditorial Team, MarketScale

The MarketScale Newsroom reports on the companies, technologies, and trends shaping 16 B2B industries. It turns primary sources and expert commentary into clear, useful coverage for the people doing the work.

Software & Technology: are you visible to AI?

Before they reach out, Software & Technology buyers ask AI engines which vendors to trust. See how AI describes your company today, and where competitors show up instead.

Free workspace

You just read one expert. Imagine publishing your whole team.

This article was produced through MarketScale. Create a free workspace and turn your own team's expertise into articles, video, and social posts. No credit card, no demo required.

NPS +73 · 1,000+ creators · 38+ countries

What you get, free

Your own MarketScale Studio workspace
One video edit a month, on us
AI writing, editing, and publishing tools
In-platform coaching to learn the system

More Software & Technology Insights

Enterprise AI's adoption gap: investment is up, but security, data, and accountability are lagging

Enterprise AI's adoption gap: investment is up, but security, data, and accountability are lagging

Enterprise investments in AI are rising, with 86% of C-suite executives increasing their budgets. Despite this, only 32% report a sustained impact from these investments. New threats like prompt injection and shadow AI are contributing to the challenges.

  • 0186% of C-suites are increasing AI investment.
  • 02Only 32% report sustained impact from AI investments.
  • 03Prompt injection and shadow AI are emerging as new threats.

Jul 7, 2026

Apple Spent Years Insourcing Chips. It Just Locked Broadcom In Through 2031.

Apple Spent Years Insourcing Chips. It Just Locked Broadcom In Through 2031.

Apple extended its supplier agreement with Broadcom through 2031 for custom wireless and networking chips, choosing to lock in a critical supplier rather than insource these components despite years of vertical integration efforts. The deal reflects a broader supply-chain lesson: securing long-term contracts with specialized suppliers reduces volatility and risk more effectively than pursuing complete vertical integration.

  • 01Vertical integration has limits; even well-resourced companies benefit from locking in specialized suppliers over attempting to build everything in-house
  • 02Long-term supplier contracts reduce planning uncertainty for both parties, particularly when one customer represents 20 percent of supplier revenue
  • 03Demand for bespoke silicon designed for specific buyers is becoming central to semiconductor business, making strategic supplier relationships more valuable than transactional ones

Jul 7, 2026

Y Combinator's B2B roster hits 2,623 startups as demand for specialized services accelerates

Y Combinator's B2B roster hits 2,623 startups as demand for specialized services accelerates

Y Combinator's B2B portfolio has reached 2,623 startups as demand for specialized services continues to grow. The consulting market is projected to reach $260.5 billion according to Forbes. This indicates a thriving environment for B2B services driven by innovation and specialization.

  • 01Y Combinator has funded 2,623 B2B startups.
  • 02The consulting market is projected to reach $260.5 billion.
  • 03There is increasing demand for specialized B2B services.

Jul 7, 2026

Explore More Software & Technology Insights

Read more expert perspectives from across Software & Technology.

Browse Software & Technology Hub

About the Expert

MarketScale Newsroom
MarketScale Newsroom

Editorial Team

MarketScale

The MarketScale Newsroom reports on the companies, technologies, and trends shaping 16 B2B industries. It turns primary sources and expert commentary into clear, useful coverage for the people doing the work.