Executive Summary
A leading commercial bank in Kenya operates a network of 14 branches and serves over 180,000 retail and SME customers through online and mobile banking platforms. After Microsoft disclosed an actively exploited SharePoint Server zero-day vulnerability as part of a record 169-CVE patch release, the bank's internal IT team discovered they had three internet-facing SharePoint instances running unpatched builds - two of which held sensitive loan origination documents and Know Your Customer (KYC) records. DRONGO's Security Operations Centre (SOC) was engaged on an emergency basis, identified active reconnaissance activity against the bank's perimeter within 90 minutes of onboarding, and fully contained and remediated the exposure within a single business day. The bank avoided a regulatory breach under the Central Bank of Kenya's (CBK) Cybersecurity Guidance and preserved the trust of its customer base.
The Challenge
The bank had invested steadily in its core banking infrastructure over the preceding three years - upgrading its mobile app, rolling out agency banking terminals in peri-urban areas, and integrating with Kenya's national payment rails. Security, however, had not kept pace with that growth.
The internal IT team of six managed everything from helpdesk tickets to server maintenance. Patch management was informal: updates were applied "when time allowed," and there was no centralised asset inventory that tracked software versions across all branch environments. Two of the three vulnerable SharePoint servers had not received a security patch in over seven months.
When the Microsoft zero-day - tracked as CVE-2026-32201, an Improper Input Validation flaw in SharePoint Server that allows remote code execution - was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, the bank's IT manager saw the news but had no immediate way to confirm whether their own instances were exposed or already being targeted.
The stakes were significant. The SharePoint environment stored loan approval workflows, scanned KYC documents including national ID copies and financial statements, and internal policy documents. A successful breach would trigger mandatory CBK incident notification within 24 hours, potential suspension of the bank's digital banking licence, and reputational damage in a market where customer trust is a primary competitive differentiator.
The bank needed expert eyes immediately - not in three weeks when a procurement process could conclude.
The Solution
DRONGO's SOC team was activated under an emergency retainer agreement within two hours of the initial call. The engagement ran in three sequential phases over 72 hours.
Phase 1: Rapid Exposure Assessment (Hours 0 to 4)
The DRONGO team began with an emergency external attack surface scan targeting the bank's registered IP ranges and domains. Within 90 minutes, the scan confirmed all three SharePoint instances were internet-accessible and fingerprinted as running build versions predating the critical patch. More urgently, the team's threat intelligence feeds - cross-referenced against the CISA KEV Catalog and active honeypot data - showed that automated exploit scanners had already indexed two of the three servers. Inbound probe traffic consistent with CVE-2026-32201 exploitation attempts was visible in server logs the bank had not been actively monitoring.
The team immediately recommended and coordinated taking the two most exposed servers offline for emergency patching, replacing public access with a maintenance holding page. The third server, used only for internal branch access, was isolated at the network firewall level within 30 minutes.
Phase 2: Patch Deployment and Hardening (Hours 4 to 24)
DRONGO's engineers worked alongside the bank's IT team to apply Microsoft's emergency cumulative update across all three SharePoint instances. Patch deployment alone was not sufficient. The team conducted a configuration hardening exercise against each server, disabling unnecessary remote service endpoints, enforcing multi-factor authentication on the SharePoint admin console, and removing three dormant service accounts that carried excessive permissions - a classic privilege escalation vector.
A forensic log review covering the previous 30 days was completed in parallel. No evidence of successful code execution or lateral movement was found. The reconnaissance probes had been detected and contained before any payload was delivered.
Phase 3: Structural Vulnerability Management (Days 2 to 30)
DRONGO deployed a lightweight agent-based asset inventory tool across the bank's 14 branches, generating the first complete software version map the IT team had ever had. A vulnerability management policy was drafted, aligned to the CBK Cybersecurity Guidance framework and ISO 27001 Annex A controls, establishing a 72-hour SLA for critical patch deployment and a 14-day SLA for high-severity patches going forward.
The bank also enrolled in DRONGO's continuous threat monitoring service, giving the SOC team 24/7 visibility into the bank's perimeter, with automated alerting tied to the CISA KEV Catalog for any future vulnerabilities affecting known assets.
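The two controls described in Phase 3, an asset inventory cross-referenced against the KEV catalogue and a 72-hour/14-day patch SLA, reduce to one piece of logic: for every asset, find catalogue entries whose product matches and whose fixed build is newer than what is installed, then measure the time remaining against the SLA clock that starts when the catalogue lists the CVE. The script below is an added example of that logic, not DRONGO's tooling or the bank's inventory. The hostnames, build numbers, dates and the `ExampleAgent` product are constructed; CVE-2026-32201 is the identifier the case study cites, but its fixed build and listing date here are placeholders, and a real KEV feed carries different field names than the small `KevEntry` record used here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Patch SLAs from the policy described above: hours allowed from the moment the
# catalogue lists a CVE until the fix must be deployed on every affected asset.
SLA_HOURS = {"critical": 72, "high": 14 * 24}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    exposure: str  # "internet" or "internal" (constructed attribute)


@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str
    fixed_version: str    # first build that contains the fix
    date_added: datetime  # when the catalogue listed the CVE; the SLA clock starts here
    severity: str         # "critical" or "high"


def version_tuple(version):
    """Turn a dotted build string into a comparable tuple so "16.0.10" > "16.0.9"."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, entry):
    """An asset is affected when it runs the catalogued product below the fixed build."""
    return (asset.product == entry.product
            and version_tuple(asset.version) < version_tuple(entry.fixed_version))


def sla_deadline(entry):
    return entry.date_added + timedelta(hours=SLA_HOURS[entry.severity])


def find_exposures(assets, catalogue, now):
    """Cross-reference every asset with every catalogue entry and grade SLA status."""
    findings = []
    for asset in assets:
        for entry in catalogue:
            if not is_affected(asset, entry):
                continue
            deadline = sla_deadline(entry)
            hours_left = (deadline - now).total_seconds() / 3600
            findings.append({
                "host": asset.host,
                "cve": entry.cve,
                "severity": entry.severity,
                "exposure": asset.exposure,
                "deadline": deadline.isoformat(),
                "hours_left": round(hours_left, 1),
                "overdue": hours_left < 0,
            })
    # Overdue items first, internet-facing before internal, then by host name.
    return sorted(findings,
                  key=lambda f: (not f["overdue"], f["exposure"] != "internet", f["host"]))


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_ASSETS = [
    Asset("sp-loan-01", "SharePoint Server", "16.0.1", "internet"),
    Asset("sp-kyc-01", "SharePoint Server", "16.0.1", "internet"),
    Asset("sp-branch-01", "SharePoint Server", "16.0.1", "internal"),
    Asset("sp-staging-01", "SharePoint Server", "16.0.2", "internal"),  # already on the fixed build
    Asset("branch-pc-07", "ExampleAgent", "1.4", "internal"),
]

# Constructed catalogue snapshot. CVE-2026-32201 is the identifier the case study
# cites; its fixed build and listing date, and the whole second entry, are placeholders.
SAMPLE_CATALOGUE = [
    KevEntry("CVE-2026-32201", "SharePoint Server", "16.0.2",
             datetime(2026, 1, 10, tzinfo=timezone.utc), "critical"),
    KevEntry("CVE-0000-00002", "ExampleAgent", "1.5",
             datetime(2026, 1, 1, tzinfo=timezone.utc), "high"),
]

# Constructed evaluation time: four days after the critical entry was listed.
SAMPLE_NOW = datetime(2026, 1, 14, tzinfo=timezone.utc)


def run_example():
    return find_exposures(SAMPLE_ASSETS, SAMPLE_CATALOGUE, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_example():
        state = "OVERDUE" if f["overdue"] else "due"
        print(f"{f['host']:14} {f['cve']:16} {f['severity']:8} {f['exposure']:8} "
              f"{state} ({f['hours_left']:+.1f} h)")
```

With the constructed data the three unpatched SharePoint hosts come out 24 hours past the 72-hour critical deadline, the staging server is skipped because it already runs the fixed build, and the branch endpoint still has a day left on its 14-day high-severity window. Sorting internet-facing overdue items to the top is what turns the inventory into an alert queue rather than a report.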
The Results
The intervention produced measurable, documented outcomes across security posture, operational efficiency, and regulatory standing.
- Zero data loss: Forensic analysis confirmed no customer records, KYC documents, or financial data was accessed or exfiltrated during the exposure window.
- 4-hour containment: From SOC onboarding to full network isolation of all vulnerable assets - a response window that would have been impossible without 24/7 external monitoring capability.
- 317 unmanaged software assets identified: The branch-wide asset inventory uncovered 317 previously untracked software installations across endpoint and server infrastructure, 41 of which carried outstanding high or critical CVEs unrelated to the SharePoint incident.
- CBK compliance maintained: Because no breach occurred and the bank could demonstrate documented, timely response actions, there was no mandatory CBK incident notification obligation triggered. Audit documentation from the engagement was filed with the board's risk committee as evidence of proactive governance.
- 68% reduction in patch lag: Within 60 days of the engagement, average time-to-patch for critical vulnerabilities across the bank's environment dropped from over 90 days to under 29 days.
"We knew we had gaps, but we didn't know exactly where they were or how exposed we already were. What DRONGO gave us in those first four hours was clarity - and that clarity is what kept this from becoming a very different story. We now have visibility into our own environment that we've never had before."
- Head of IT, Leading Commercial Bank, Nairobi
Key Takeaways
- Patch lag is your biggest unmanaged risk. In 2025, actively exploited CVEs move from disclosure to widespread exploitation in hours, not weeks. A 90-day average patch cycle - common across East African financial institutions - is functionally equivalent to leaving a door unlocked. Every CBK-regulated institution should have a documented, enforced patch management SLA.
- You cannot protect what you cannot see. The bank's 317 untracked software assets were not an anomaly - they are standard for any organisation that has grown without a formal IT asset management process. A complete, continuously updated asset inventory is the foundation of every other security control.
- External monitoring fills the gap that internal teams cannot. A six-person IT team managing 14 branches, a mobile app, and daily operations cannot also maintain 24/7 threat detection. An external SOC does not replace your IT team - it gives them the intelligence to act on what matters.
- Regulatory compliance is a byproduct of good security practice. The bank avoided a CBK notification obligation because it acted fast and documented everything. Compliance is not a separate workstream - it is the paper trail that good security hygiene naturally produces.
Facing similar challenges? Let's discuss how we can help.