Hackers Are Actively Exploiting Microsoft SharePoint Vulnerability

Cybersecurity officials are sounding the alarm over a dangerous security flaw hidden inside Microsoft SharePoint. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently rushed to add this vulnerability to its official list of known exploited threats. This move confirms that malicious hackers are already actively using the loophole to break into corporate and government networks.

The security hole is officially tracked as CVE-2026-45659, and it has been given a high-severity rating due to how easily it can be abused. Essentially, the bug allows attackers to trick the server into running malicious code by sending it corrupted data. Microsoft did roll out software patches to fix this issue a couple of months ago, covering several versions including the SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. However, any organization that has failed to install those updates remains wide open to an attack.

Low Privileges, High Risk

What makes this specific vulnerability so deeply concerning to security experts is how little effort it takes for a hacker to abuse it. An attacker does not need to possess administrator rights or any kind of elevated access to pull off the heist. Instead, anyone who has managed to steal or buy basic login credentials—even standard “Site Member” permissions—can trigger the flaw across a standard network connection. Once inside, they can execute commands remotely and effectively take control of the server.

Interestingly, when Microsoft first discovered the flaw, the company predicted that hackers would be unlikely to abuse it. That prediction has now been proven wrong. Government agencies have been given a strict and immediate deadline to patch their systems, illustrating just how serious the real-world threat has quickly become. Security firms still do not know exactly how the hackers are pulling off these attacks, who is leading the digital assault, or what their ultimate goals are once they break into a network.

A Chaotic Digital Invasion

While tracking down these types of network intrusions, cybersecurity researchers recently stumbled upon a bizarre and highly complex scenario. During a routine investigation into a ransomware attack, security teams discovered that two completely separate hacker groups were secretly living inside the exact same corporate network at the same time. This double infection made it incredibly difficult for responders to figure out what was happening.

One of these groups has been identified by researchers as Storm-2603. This specific gang has a history of launching ransomware attacks by targeting older, unpatched SharePoint servers. In this recent event, the hackers did not even use the new SharePoint flaw to get their foot in the door. Instead, they found their way inside by exploiting a separate vulnerability in a different software program called Gladinet Triofox. Once they gained that initial foothold, they began searching for sensitive system configuration files to plan their next move.

Hiding in Plain Sight

After sneaking into the network, the Storm-2603 hackers went to great lengths to ensure they would not be kicked out. They deployed legitimate software tools that network administrators normally use, allowing their malicious actions to blend in perfectly with everyday corporate computer traffic. They also opened up several secret backdoors into the network using cloud tunneling tools, remote assistance applications, and coding software.

To make matters worse, the hackers managed to elevate their own permissions, creating fake administrator accounts that gave them total control over the environment. They even utilized a corrupted software driver to quietly disable the company’s antivirus and endpoint security tools, essentially blinding the defenders.

At the exact same time, a second group of entirely unrelated hackers was caught sneaking around the very same network. This second group used advanced techniques to disguise their malware as legitimate system files. The investigation eventually revealed that these hackers did not stop at just one company; they managed to jump from the first victim’s network straight into a second organization’s systems. This chaotic overlap of two different hacking groups allowed the attackers to maintain deep, long-term access while totally confusing the corporate security teams trying to stop them. Experts warn that a single ransomware alert is often just the tip of a much larger, more dangerous iceberg.