CISA's advisory this week added the SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog, confirmed under active attack against on-premises deployments. The flaw sits in the same class Microsoft has patched three times since 2023 without closing the underlying deserialization path, and CISA's bulletin gives federal agencies until July 24 to remediate. Cisco's advisory the same week confirms exploitation of a Unified Communications Manager flaw that lets an unauthenticated attacker reach the call-processing engine directly (no vendor has assigned a public CVE number to the Cisco flaw as of this writing, which is its own kind of disclosure). Two vendors, two acknowledgments of active exploitation, in the same seven-day window, on infrastructure most HK financial institutions treat as internal and therefore outside the perimeter monitoring that HKMA's TRM guidelines assume is watching internet-facing assets.
The pattern that matters is not the count of advisories. It is that both flaws sit in systems institutions classify as "internal" for risk purposes, SharePoint as a document store, Unified CM as a phone system, and neither gets the same patch cadence or logging coverage as an internet-facing web application under MAS or HKMA scrutiny. FortiBleed's confirmed use as a ransomware pipeline across 430,000 firewalls this week makes the same point from the network edge: a vulnerability class advisories treated as credential-theft risk in April is now the delivery mechanism for encryption payloads in July. The control that would have mattered here is not a faster patch cycle. It is treating internal-facing infrastructure, call managers, document stores, firewall management planes, under the same monitoring standard as anything with a public IP, before the next KEV entry names the next system nobody was watching.