Cybersecurity Brief
Actively exploited Microsoft SharePoint RCE and Cisco Unified CM vulns
Today’s reporting is dominated by a clear operational pattern: high-severity enterprise vulnerabilities are moving from patched to actively exploited. CISA warns that a Microsoft SharePoint RCE flaw patched in May is now being exploited, and Cisco confirms attackers are exploiting a Unified Communications Manager (Unified CM) flaw patched in early June. For cybersecurity leadership, this increases the likelihood of near-term compromise waves against internet-reachable enterprise services and elevates urgency for rapid detection and patch validation.
Complementing the vulnerability and exploitation picture, the FBI seizure of NetNut infrastructure associated with the Popa botnet highlights sustained monetization and infrastructure availability for cybercrime (notably via proxy services). Separately, the emergence of a Microsoft 365-focused phishing-as-a-service (PhaaS) platform affiliated with EvilTokens suggests continued scaling of credential and workflow compromise through service-based attacker tooling. Together, these signals point to immediate defensive priorities: accelerate patching and exposure management for SharePoint and Unified CM, and strengthen defenses against proxy-facilitated activity and Microsoft 365 phishing workflows.
Top Signals
1. Microsoft SharePoint RCE is now actively exploited
Signal strength: Early
Actively exploited RCE in SharePoint increases the probability of rapid, automated compromise of internet-facing collaboration environments. Executives should expect intensified incident risk and prioritize patch verification, exposure controls, and detection tuning for exploitation attempts.
Supporting evidence
- CISA: Microsoft SharePoint RCE flaw now actively exploited — BleepingComputer, 2026-07-02. CISA states attackers have begun exploiting the high-severity SharePoint remote code execution flaw patched in May, indicating a shift to ongoing real-world threat activity.
2. Cisco Unified CM exploitation confirmed post-patch
Signal strength: Early
Confirmed exploitation of a Unified CM flaw indicates threat actors can quickly weaponize enterprise communications infrastructure after patches are released. This raises operational urgency for patching, configuration hardening, and monitoring of Unified Communications Manager–related indicators.
Supporting evidence
- Cisco finally confirms attackers exploiting Unified CM flaw — BleepingComputer, 2026-07-02. Cisco confirms attackers are exploiting a Unified CM vulnerability patched in early June, signaling continued active targeting of voice/communications systems.
3. Enterprise service compromise remains enabled by scalable PhaaS
Signal strength: Early
A Microsoft 365 phishing toolkit delivered via a new phishing-as-a-service platform suggests attackers can rapidly deploy workflows that target identity and productivity platforms. This increases exposure for organizations with widespread M365 usage and elevates the need for phishing-resistant controls and rapid response to credential/workflow abuse.
Supporting evidence
- ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit — BleepingComputer, 2026-07-03. Reporting describes a new PhaaS platform associated with EvilTokens and a toolkit designed to compromise Microsoft 365, indicating continued scaling of phishing operations focused on M365 environments.
4. Proxy and botnet infrastructure continues to support cybercrime monetization
Signal strength: Early
Even with the takedown, the seizure of proxy infrastructure tied to a large botnet underscores how attackers rely on residential proxy services to obscure malicious traffic and sustain campaigns. Executives should anticipate follow-on infrastructure changes and ensure that network egress, authentication anomalies, and proxy-pattern detection are robust.
Supporting evidence
- FBI Seizes NetNut Proxy Platform, Popa Botnet — Krebs on Security, 2026-07-02. The FBI seizure targets hundreds of domains tied to NetNut, a residential proxy service that was connected to the Popa botnet, which comprises at least two million compromised devices.
Supporting Stories
- Alleged Scattered Spider hacker extradited to the United States — BleepingComputer
Sources
- CISA: Microsoft SharePoint RCE flaw now actively exploited — BleepingComputer
- Cisco finally confirms attackers exploiting Unified CM flaw — BleepingComputer
- ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit — BleepingComputer
- FBI Seizes NetNut Proxy Platform, Popa Botnet — Krebs on Security
- Alleged Scattered Spider hacker extradited to the United States — BleepingComputer