Skip to content
Vulnerability exploitOngoing

CISA warns of actively exploited on-premises SharePoint Server flaws (CVE-2026-56164, CVE-2026-45659, CVE-2026-32201)

CISA issued an urgent hardening alert after confirming that attackers were chaining three vulnerabilities in on-premises Microsoft SharePoint Server — including an unauthenticated missing-authentication bug the U.S. National Vulnerability Database rates critical — to reach remote code execution, steal IIS machine keys and deploy malware.

Victim
Microsoft SharePoint Server
CVECVE-2026-56164CVE-2026-45659CVE-2026-32201

On 14 July 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert warning that attackers were actively exploiting three vulnerabilities in on-premises Microsoft SharePoint Server to break into internet-facing deployments. CISA said the flaws — CVE-2026-56164, CVE-2026-45659 and CVE-2026-32201 — were being used to gain unauthorized access to SharePoint instances running the Subscription Edition, 2019 and 2016 on-premises versions, and it urged administrators to patch or harden their servers immediately.

The most serious of the three, CVE-2026-56164, is a missing-authentication flaw (CWE-306) that lets a remote, unauthenticated attacker escalate privileges over the network with no user interaction. Microsoft scored it a modest CVSS 5.3, a rating that drew broad criticism from the security community; the U.S. National Vulnerability Database independently rated it 9.8 — critical. Microsoft shipped a fix in its July 2026 Patch Tuesday, a record release addressing 622 CVEs, and CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog the same day, giving Federal Civilian Executive Branch agencies until 17 July 2026 to remediate under Binding Operational Directive 26-04.

The three flaws

The other two vulnerabilities had already been flagged. CVE-2026-45659 is a deserialization of untrusted data bug (CVSS 8.8) that lets an authenticated attacker execute arbitrary code on a vulnerable server; CISA added it to KEV on 1 July 2026. CVE-2026-32201 is an improper input validation issue that enables spoofing over a network and was catalogued back in April 2026. Chained together, the flaws give an intruder a route from network reachability toward remote code execution on the SharePoint host.

Post-exploitation and mitigation

According to CISA, the exploitation goes beyond a single break-in: after establishing remote code execution, threat actors have been observed stealing Internet Information Services (IIS) machine keys and abusing deserialization techniques to gain persistence and deploy malware — the same playbook that made earlier SharePoint mass-exploitation campaigns so damaging, because stolen machine keys let attackers forge trusted payloads and survive a simple reboot or patch. For organizations that cannot patch immediately, CISA recommends enabling the Antimalware Scan Interface (AMSI) in Full Mode on SharePoint servers so that POST request bodies are scanned before SharePoint processes them, intercepting malicious payloads in flight. With exploitation confirmed in the wild and no public attribution to a named actor at the time of disclosure, the situation remained ongoing and defenders were urged not to wait for a maintenance window.

Timeline

  1. Microsoft's July 2026 Patch Tuesday ships fixes for CVE-2026-56164, an unauthenticated SharePoint privilege-escalation flaw, as part of a record 622-CVE release.

  2. CISA adds CVE-2026-56164 to its Known Exploited Vulnerabilities catalog and publishes a hardening alert confirming active exploitation of three SharePoint flaws, setting a 17 July remediation deadline for federal civilian agencies.

  3. Security vendors and CISA warn that post-exploitation activity includes theft of IIS machine keys and deserialization abuse to gain persistence and deploy malware on compromised servers.

Sources

  1. cisa.govhttps://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
  2. securityweek.comhttps://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-sharepoint-vulnerabilities/
  3. securityweek.comhttps://www.securityweek.com/cisa-warns-of-actively-exploited-microsoft-sharepoint-vulnerability/
  4. thehackernews.comhttps://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
  5. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-actively-exploited-sharepoint-flaws/
  6. helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/07/15/microsoft-patch-tuesday-sharepoint-cve-2026-56164/
  7. csoonline.comhttps://www.csoonline.com/article/4197775/cisa-urges-immediate-sharepoint-hardening-as-exploits-mount.html

Related incidents