[Verse 1]
Fourth of July, but the fireworks ain't the threat
Two CVEs dropped, and the patches aren't set
SharePoint Server's sitting cracked at the seam
Deserialization — uglier than it seems
An authorized user, already got access
Sends untrusted data through the network express
The server unwraps it, no question, no check
Executes whatever code — remote wreck

[Chorus]
CVE-2026-45659
SharePoint's got a hole in the server design
CVE-2026-48558
SimpleHelp's OIDC is opening the gate
Two vulns, Fourth of July, patch 'em today
Unauthorized code and auth bypass on the way
Critical severity, no time to debate
Lock it down before it's already too late

[Verse 2]
Now SimpleHelp's running authentication flow
OIDC configured, tokens coming in slow
But here's the twist — the system never verifies
The identity token, just accepts the lies
You submit your login, skip the proof entirely
The server waves you through, acting completely blindly
No attacker needs credentials, no password to crack
Just a crafted token and you're in through the back

[Chorus]
CVE-2026-45659
SharePoint's got a hole in the server design
CVE-2026-48558
SimpleHelp's OIDC is opening the gate
Two vulns, Fourth of July, patch 'em today
Unauthorized code and auth bypass on the way
Critical severity, no time to debate
Lock it down before it's already too late

[Bridge]
Microsoft and SimpleHelp, both shipping fixes
Check your vendor bulletins, skip the remixes
Deserialization means trusting the wrong input
Authentication bypass means the lock has no pivot
One lets code run from across the wire cold
One lets strangers past the bouncer, dressed in bold
Your network is the neighborhood, these are open doors
Patch cycle running — go and settle the scores

[Verse 3]
Security team's pulling double on the holiday
Two critical vulns ain't gonna patch and walk away
SharePoint deployments scattered enterprise-wide
SimpleHelp remote support — attackers could ride
Verify your OIDC config, disable if needed
Apply the Microsoft bulletin, don't leave it unheeded
Untrusted data in, malicious code out
That's the story of both — no room for doubt

[Verse 4]
Think about the SOC analyst staring at the screen
Holiday skeleton crew, quietest it's been
Threat actors know the timing, they love a long weekend
Reduced response capacity, defenses start bending
Don't let the calendar be the reason you're breached
Patch windows don't care if the cookout's in reach
Firewalls and updates, that's your celebration
Critical severity demands your full attention

[Outro]
July fourth, twenty twenty-six, mark the date
CVE-45659 and 48558 won't wait
Deserialization, authentication gone wrong
Patch your systems before they don't belong
Two alerts, one holiday, zero excuses
Critical vulns cost more than what a breach produces