CISA KEV Alert: Three Actively Exploited Vulnerabilities Demand Immediate Action
Fortinet FortiSandbox and Microsoft SharePoint flaws land on the Known Exploited Vulnerabilities Catalog — here's what your security team must do in the next 30 days.
Published 2026-07-17
# CISA KEV Alert: Three Actively Exploited Vulnerabilities Demand Immediate Action
On July 16, 2026, CISA added three new entries to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation of two Fortinet FortiSandbox OS command injection vulnerabilities and a Microsoft SharePoint deserialization of untrusted data vulnerability. Severity: maximum. Response window: now.
What the Advisory Says
CISA's KEV Catalog is the authoritative list of vulnerabilities confirmed to be under active attack in the wild. This update adds:
- CVE-2026-25089 — Fortinet FortiSandbox OS Command Injection Vulnerability
- CVE-2026-39808 — Fortinet FortiSandbox OS Command Injection Vulnerability
- CVE-2026-58644 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are legally required to remediate KEV entries on a mandated timeline. But the blast radius extends well beyond the federal perimeter.
Why This Matters for Every Organization
OS command injection and deserialization vulnerabilities are not exotic edge cases — they are two of the most reliably weaponized vulnerability classes in the threat actor playbook. FortiSandbox sits at the heart of many enterprise sandboxing and threat-detection architectures, meaning a successful exploit can blind your detection layer at the exact moment you need it most. SharePoint is deeply embedded in collaboration workflows across virtually every regulated industry.
For organizations operating under NIS2, SOC 2, ISO 27001, HIPAA, or PCI DSS, the compliance calculus is straightforward: known-exploited vulnerabilities on internet-facing or internally networked systems represent a material control failure. NIS2 Article 21 explicitly requires proportionate technical measures including vulnerability handling. PCI DSS Requirement 6 mandates timely patching of high-risk vulnerabilities. ISO 27001 Annex A 8.8 covers management of technical vulnerabilities. Failing to act on a CISA KEV entry — one that signals confirmed exploitation — is difficult to defend in any audit or post-breach investigation across all 16 major frameworks.
What You Should Do in the Next 7–30 Days
Days 1–7 — Identify and isolate:
- Inventory all FortiSandbox deployments and Microsoft SharePoint instances across on-premises, hybrid, and cloud environments.
- Confirm version numbers and cross-reference against vendor advisories for affected builds.
- Restrict network access to vulnerable instances until patches are applied or compensating controls are in place.
Days 8–14 — Patch and validate:
- Apply vendor-released patches following your change management process. Treat KEV entries as emergency-priority, not standard patch-cycle items.
- Run authenticated scans post-patching to confirm remediation.
- Review logs on FortiSandbox and SharePoint for indicators of compromise dating back at least 90 days.
Days 15–30 — Document and report:
- Record all remediation steps with timestamps — this evidence is essential for NIS2 incident reporting, SOC 2 evidence requests, and PCI DSS QSA reviews.
- Update your vulnerability management policy to reflect KEV-tier response SLAs.
- Brief your CISO and board if any exploitation indicators are found; NIS2 significant incident thresholds may trigger mandatory notification within 24–72 hours.
Start Your Free Trial — Full Platform, No Credit Card
RDS GoSOC AI maps every KEV alert directly to your active compliance frameworks — NIS2, SOC 2, ISO 27001, HIPAA, PCI DSS, and 12 more — so your team sees affected controls, remediation tasks, and evidence requirements in one place, automatically. Start your 14-day free trial at platform.reremrdsgosoc.com/register: every paid feature is unlocked from day one, no credit card required. Once inside, open the User Guide tab for a guided walkthrough, or ask Sage — the in-app AI assistant — any setup or compliance mapping question in plain language.
---
#MSP #ManagedServices #CMMC #FedRamp #CyberSecurity #SOC #SecurityOperations #MSSP #ThreatDetection #Compliance #CloudSecurity #IdentitySecurity #SecurityMonitoring #ITServices #CyberResilience #ManagedSecurity #BusinessGrowth