Breaking: SharePoint Zero-Day Confirmed, FortiSandbox Under Sustained Attack — 17 Jul 2026
SharePoint Zero-Day Confirmed — Four CVEs Under Active Attack as CISA Issues Hardening Alert
Microsoft has confirmed that CVE-2026-58644, a CVSS 9.8 deserialization-of-untrusted-data vulnerability in SharePoint Server, was exploited in the wild before patches were available — making it a true zero-day. The flaw allows unauthenticated remote code execution without user interaction across all supported on-premises SharePoint versions (Subscription Edition, 2019, and 2016). Microsoft initially listed it as "exploitation more likely" in its July 14 Patch Tuesday release, then revised the advisory within 24 hours to confirm active exploitation.
This is not an isolated incident. CISA's July 14 alert (updated July 16) identifies four separate SharePoint CVEs under active exploitation: CVE-2026-32201 (KEV-listed since April), CVE-2026-45659 (added July 1), CVE-2026-56164 (added July 14), and CVE-2026-58644 (added July 16). Together they form a complete attack chain: initial access via deserialization flaws, followed by privilege escalation, IIS machine key theft, and persistent malware deployment. The BOD 26-04 remediation deadline for the latest additions is July 19.
CISA's alert goes beyond patching guidance. It specifies concrete detection and hardening measures: enable AMSI integration with "Full Mode" request body scanning, watch for three specific AMSI detections (Exploit:Script/SuspSignoutReqBody.A, Exploit:Script/ToolPaneAuthBypass.A, Exploit:Script/ToolPaneAuthBypass.C) and the MDAV detection Backdoor:MSIL/LeakFang.A!dha for post-exploitation activity involving IIS-protected secrets. The agency warns that organisations must hunt for and remove intrusion artifacts, including machine-key harvesters, before rotating IIS machine keys — otherwise rotated keys will simply be stolen again.
A fifth SharePoint CVE, CVE-2026-50522, also scores CVSS 9.8 as an unauthenticated deserialization RCE. It was demonstrated at Pwn2Own Berlin with a working exploit handed to Microsoft, yet Microsoft still lists its exploit maturity as "unknown." Treat it as weaponised.
FortiSandbox Exploitation Escalates — Third CVE in Six Months
CISA added two Fortinet FortiSandbox OS command injection vulnerabilities to the KEV catalog on July 16, both with confirmed active exploitation. CVE-2026-25089 (CVSS 9.8) and CVE-2026-39808 (CVSS 9.1) allow unauthenticated remote code execution via crafted HTTP requests. Threat intelligence firm Defused Cyber reports observing exploitation of both CVEs within the past 24 hours, with a third related flaw (CVE-2026-39813) also showing exploitation activity. This makes three FortiSandbox CVEs exploited in 2026 alone. The BOD 26-04 remediation deadline is July 19.
So What / Action
- SharePoint: This is a full attack chain, not a single patch-and-move-on situation. Apply July 2026 Patch Tuesday immediately. Enable AMSI with Full Mode request body scanning. Before rotating IIS machine keys, hunt for and remove intrusion artifacts — specifically machine-key harvesting tools. Check for the AMSI and MDAV detection signatures CISA listed. Restrict SharePoint from direct internet exposure. Block external access to Central Administration. Assume that any internet-facing SharePoint server patched after this week may already be compromised. - FortiSandbox: Upgrade to patched versions before July 19. Inventory all FortiSandbox instances including Cloud and PaaS. Check web server logs for unusual HTTP requests to management interfaces. If running FortiSandbox 4.4.0–4.4.8, this is a direct, unauthenticated RCE — treat it as an active incident, not a routine patch. - Both of these are perimeter and collaboration technologies sitting at trust boundaries. The 3-day CISA remediation deadlines are a signal: these are being exploited now, not theoretically. Prioritise accordingly.

