CISA Flags SharePoint Flaw as Exploitable

Microsoft rated exploitation of the flaw as "less likely." That phrase now sits uneasily beside a federal agency's escalation of the same flaw to its Known Exploited Vulnerabilities (KEV) list.

Microsoft's 'less likely' assessment

Microsoft publicly characterized exploitation of the SharePoint vulnerability as "less likely," a rating that appeared intended to calm immediate operational concern. The wording matches the "Exploitation Less Likely" tier of Microsoft's Exploitability Index, the per-advisory rating the vendor publishes to forecast whether working exploit code is probable within roughly 30 days of release. It is a forecast, not a statement that the flaw cannot be exploited, and it reflected the vendor's confidence at the time that its fixes were effective for affected deployments. The phrase is quoted verbatim from reporting on the company's assessment.

CISA adds SharePoint RCE to the KEV list

Shortly after Microsoft offered that assessment, the Cybersecurity and Infrastructure Security Agency (CISA) added a SharePoint remote code execution (RCE) issue to its Known Exploited Vulnerabilities list. The KEV catalog is a public federal signal that a vulnerability is being actively exploited and is of immediate concern to network defenders and asset owners. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate each KEV entry by the due date CISA sets, and many private-sector vulnerability management programs use the catalog as a prioritization input for the same reason.

On‑prem SharePoint: patches failed and zero‑day attacks

Reporting accompanying the KEV action states that Microsoft patches "failed to fix on-prem SharePoint," and that on-prem SharePoint is "now under zero-day attack." Those phrases together convey two linked facts: the vendor-released fixes did not remediate the vulnerability in on-premises SharePoint deployments, and exploitation activity targeting those deployments has been observed. Because exploitation preceded an effective fix, an on-premises server that was reachable during that window should be treated as possibly compromised rather than merely unpatched, and applying a later update does not by itself settle that question.

How technologists, enterprises, and adversaries are positioned

  • Technologists and security teams: The KEV listing and the note that Microsoft patches did not fix on‑prem SharePoint create a narrow, actionable signal: remediation status for on‑prem SharePoint must be verified beyond simply applying the vendor update. In practice that means confirming the installed build against the vendor's current guidance rather than the original advisory, applying any additional mitigations Microsoft publishes, and reviewing web server and application logs on exposed instances for signs of exploitation. CISA's public addition elevates the urgency of those checks and of compensating controls such as limiting internet exposure.
  • Affected enterprises and procurement leaders: Organizations running on‑premises SharePoint face a specific, documented problem: patches in the field did not resolve the issue and active zero‑day exploitation has been reported. That combination demands an immediate inventory of affected instances, including the installed build of each, and prioritized mitigation, per the federal advisory posture.
  • Adversaries and threat actors: The reporting explicitly states a zero‑day attack is underway against on‑prem SharePoint, indicating that exploitation is not merely theoretical but active in the wild. The KEV listing formalizes the vulnerability as a known target of exploitation.
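The operational check described above, turning a KEV addition into a per-host remediation status, is shown below as an added example; it is not code from the page, from CISA or from Microsoft. It parses a KEV catalog snapshot in the schema of CISA's public JSON feed, matches entries against an asset inventory, and reports each exposed host with its KEV due date and whether its installed build meets the operator-supplied fixed build. The KEV entries, CVE IDs, hostnames, builds and the required-build table are all constructed placeholders and assumptions, not the SharePoint flaw's real identifier or fix level.

```python
"""Cross-reference a CISA KEV catalog snapshot against an asset inventory.

Added example for this article; it is not code from CISA, Microsoft or the
reporting cited above. The KEV JSON is a constructed sample in the schema of
CISA's public feed; its CVE IDs are placeholders, not the SharePoint flaw's
real identifier. Hostnames, builds and the required-build table are also
constructed assumptions an operator would replace with their own data.
"""
import json
from datetime import date

# Constructed sample shaped like the real feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "Microsoft",
      "product": "SharePoint",
      "vulnerabilityName": "Microsoft SharePoint Remote Code Execution Vulnerability",
      "dateAdded": "2000-01-01",
      "shortDescription": "Placeholder entry for an RCE flaw in on-prem SharePoint.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
      "dueDate": "2000-01-22",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleGateway",
      "vulnerabilityName": "ExampleVendor ExampleGateway Authentication Bypass Vulnerability",
      "dateAdded": "2000-01-05",
      "shortDescription": "Placeholder entry for an unrelated edge device.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
      "dueDate": "2000-02-15",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory: vendor/product as the KEV feed names them, plus the
# installed build reported by the host (for SharePoint, (Get-SPFarm).BuildVersion).
SAMPLE_INVENTORY = [
    {"host": "sp-app-01.corp.example", "vendor": "Microsoft",
     "product": "SharePoint Server", "build": "16.0.10417.20027"},
    {"host": "sp-app-02.corp.example", "vendor": "Microsoft",
     "product": "SharePoint Server", "build": "16.0.10396.20000"},
    {"host": "fw-edge-01.corp.example", "vendor": "ExampleVendor",
     "product": "ExampleGateway", "build": "7.2.1"},
]

# Operator-supplied: lowest build that actually closes each KEV entry, taken
# from the vendor's *current* guidance. Placeholder values; when a vendor's
# first patch turns out not to fix the flaw, this is the row that gets revised.
REQUIRED_BUILDS = {"CVE-0000-00001": "16.0.10417.20027"}


def parse_build(build):
    """Turn a dotted build string into a tuple so it compares numerically."""
    return tuple(int(part) for part in build.split("."))


def build_at_least(installed, required):
    """True when the installed build is at or above the required fixed build."""
    return parse_build(installed) >= parse_build(required)


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def kev_entries_for(kev, vendor, product):
    """KEV entries whose vendor matches and whose product name overlaps ours."""
    v, p = vendor.lower(), product.lower()
    return [e for e in kev
            if e["vendorProject"].lower() == v
            and (e["product"].lower() in p or p in e["product"].lower())]


def assess(inventory, kev, required_builds, today_iso):
    """One finding per (host, KEV entry); unverified and soonest-due first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev_entries_for(kev, asset["vendor"], asset["product"]):
            required = required_builds.get(entry["cveID"])
            # "Patched" is not the same as "remediated": without a known-good
            # build to compare against, the host stays unverified.
            verified = required is not None and build_at_least(asset["build"], required)
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": (date.fromisoformat(entry["dueDate"]) - today).days,
                "remediation_verified": verified,
            })
    return sorted(findings, key=lambda f: (f["remediation_verified"], f["days_left"]))


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), REQUIRED_BUILDS, "2000-01-10"):
        status = "verified" if f["remediation_verified"] else "UNVERIFIED"
        print(f"{f['host']:<26} {f['cveID']}  due {f['dueDate']} ({f['days_left']:+d}d)  {status}")
```

The point of the `REQUIRED_BUILDS` table is the one this article turns on: a host that has had the vendor's update applied is still reported as unverified until the operator has recorded a build that the vendor's current guidance says actually closes the flaw. When a first patch is later found not to fix the on-prem case, only that table changes and the report re-flags every host that had been marked done.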

Patch status and public signaling

The sequence of events recorded in the public reporting — Microsoft saying exploitation was "less likely," followed by a CISA KEV addition and reporting that patches failed for on‑prem systems while zero‑day attacks continued — creates a divergence between vendor messaging and federal mitigation posture. CISA's decision to list the SharePoint RCE on the KEV list functions as a clear, actionable signal to organizations that the problem requires attention irrespective of the vendor's initial likelihood assessment.

The practical upshot is straightforward and immediate: where on‑prem SharePoint is in use, the public record shows a vulnerability that Microsoft acknowledged in some form, mitigations that did not fully resolve the on‑prem vector, and active exploitation. That combination explains why CISA elevated the issue onto the KEV list even as Microsoft described exploitation as "less likely."

The central unresolved issue of this episode is the tension between a vendor's risk assessment and a federal agency's operational directive. When patches do not eliminate exposure and attacks are occurring, the KEV listing is the blunt instrument that forces enterprises to act. How quickly organizations move from awareness to verification and mitigation will determine whether the technical gap noted in reporting becomes a broader operational failure.
