The vendor said "sophisticated." The artifacts say Microsoft shipped 570 fixes in a single Patch Tuesday, and the highest-priority items on CISA's board have nothing to do with that release. CISA's July 14 advisory covers active exploitation of three SharePoint Server vulnerabilities against internet-exposed on-premises deployments, the same deployment class that carried the ToolShell chain a year earlier. Separately, Nightmare-Eclipse published a proof-of-concept called LegacyHive within hours of Patch Tuesday closing, targeting the Windows User Profile Service, meaning defenders spent July 14 triaging 570 patches while a fresh unpatched hive-manipulation bug landed on top of the pile they hadn't finished reading. Volume is not the same as coverage. A record patch count tells you what Microsoft found, not what's still being exploited on servers nobody patched from last year's list.
The pattern that matters is SharePoint Server specifically, on-premises, internet-facing, still getting hit. That's the same architecture class MOVEit and the 2025 ToolShell chain both burned through: software vendors keep shipping patches for the newly disclosed bug while the population of exposed legacy instances never shrinks, because "internet-exposed on-prem SharePoint" describes an inventory problem, not a patching one. CISA's advisory names active exploitation now, not a theoretical window. The control that changes this outcome isn't the July patch cycle. It's whoever owns the asset inventory confirming, this week, which on-premises SharePoint servers are still reachable from the internet at all.