← All Briefings
Briefings


The vendor said "sophisticated." The artifacts say Microsoft shipped 570 fixes in a single Patch Tuesday, and the highest-priority items on CISA's board have nothing to do with that release. CISA's July 14 advisory covers active exploitation of three SharePoint Server vulnerabilities against internet-exposed on-premises deployments, the same deployment class that carried the ToolShell chain a year earlier. Separately, Nightmare-Eclipse published a proof-of-concept called LegacyHive within hours of Patch Tuesday closing, targeting the Windows User Profile Service, meaning defenders spent July 14 triaging 570 patches while a fresh unpatched hive-manipulation bug landed on top of the pile they hadn't finished reading. Volume is not the same as coverage. A record patch count tells you what Microsoft found, not what's still being exploited on servers nobody patched from last year's list.

The pattern that matters is SharePoint Server specifically, on-premises, internet-facing, still getting hit. That's the same architecture class MOVEit and the 2025 ToolShell chain both burned through: software vendors keep shipping patches for the newly disclosed bug while the population of exposed legacy instances never shrinks, because "internet-exposed on-prem SharePoint" describes an inventory problem, not a patching one. CISA's advisory names active exploitation now, not a theoretical window. The control that changes this outcome isn't the July patch cycle. It's whoever owns the asset inventory confirming, this week, which on-premises SharePoint servers are still reachable from the internet at all.

Weak. The lede spends a full paragraph on Microsoft's 570 fixes and LegacyHive before the piece states its actual claim, that internet-exposed on-prem SharePoint is an inventory failure, not a patch-cycle failure. Cut the Patch Tuesday framing to a sentence and open on the inventory point.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.