BVTech News — SharePoint Again, and FortiSandbox Twice: Three New KEV Entries With 3-Day Deadlines

By Jordan Polasek · July 16, 2026

Three new entries landed on CISA's Known Exploited Vulnerabilities catalog today, and all three carry the short 3-day federal remediation deadline — July 19. When CISA compresses the clock like that, it means exploitation isn't theoretical. It's happening now.

SharePoint — again

CVE-2026-58644 is a deserialization-of-untrusted-data flaw in Microsoft SharePoint. If that sounds familiar, it should: a different SharePoint bug (CVE-2026-56164, missing authentication) went on the KEV list just two days ago with the same 3-day deadline. Two actively exploited SharePoint flaws in one week tells you attackers are working the platform hard right now.

If you run SharePoint Server on-premises, patch both — today, not Friday. If you're on SharePoint Online in Microsoft 365, Microsoft patches the service for you, but this is still a good moment to review who can reach your admin surfaces.

FortiSandbox — twice in one day

CVE-2026-25089 and CVE-2026-39808 are both OS command injection flaws in Fortinet FortiSandbox. There's an uncomfortable irony here: FortiSandbox is the appliance whose whole job is detonating suspicious files safely. Today it's the thing being exploited.

This keeps happening across the industry — security appliances make attractive targets because they sit at the network edge, hold privileged positions, and often lag on patching because "it's the security box, it's fine." It is not fine. If you have FortiSandbox anywhere in your stack, apply Fortinet's fixes and check the device for signs of tampering while you're in there.

The rest of the week

The July 16 additions cap a heavy week: Oracle E-Business Suite (CVE-2026-46817) and a KNX building-automation protocol flaw were added July 15; Microsoft AD FS (CVE-2026-56155), SharePoint (CVE-2026-56164), and two SonicWall SMA1000 flaws landed July 14. That's ten actively exploited vulnerabilities in three days, most with deadlines inside a week.

What I'd do this afternoon

Federal agencies are the only ones legally bound by KEV deadlines — but the deadline lengths are CISA telling everyone how fast the house is burning. Three days means move now. If you're a Texas business and you're not sure whether any of this hardware is in your stack, that's exactly the question we answer for clients every day — ask us.