CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency issued a warning on Tuesday regarding active exploitation of three critical vulnerabilities in on-premises SharePoint Server deployments. These flaws, designated as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, impact all supported self-hosted versions of SharePoint Server, including the Subscription Edition, which operates under a continuous update model.
Vulnerabilities and Their Impact
According to a published advisory, malicious actors are leveraging these weaknesses to circumvent authentication protocols, achieve remote code execution, and perform post-exploitation tasks such as extracting Internet Information Services machine keys and establishing persistent access for malware deployment.
Microsoft’s Patch and Additional Vulnerabilities
Microsoft addressed two additional SharePoint Server vulnerabilities, CVE-2026-55040 and CVE-2026-58644, in a patch released on Tuesday. While these flaws are considered high-value targets for attackers, there is no evidence they have been exploited in real-world scenarios.
Shadowserver’s Findings
Shadowserver, an internet security monitoring organization, reports that nearly 10,000 SharePoint servers are publicly accessible online, with over 800 remaining unpatched against CVE-2026-32201 and CVE-2026-45659. The status of these servers regarding CVE-2026-56164 or potential honeypot configurations remains unclear.
CISA’s Security Recommendations
CISA advised organizations to implement enhanced security measures to mitigate risks. This includes monitoring affected systems for signs of intrusion, removing malicious artifacts before rotating IIS machine keys, configuring detailed logging to detect unusual activity, and minimizing direct internet exposure of SharePoint servers unless absolutely necessary. Additional recommendations include restricting access to SharePoint Central Administration, limiting farm and database communications to essential systems, and deploying Layer 7 reverse proxies or similar application-layer protections for servers that must remain online.
Known Exploited Vulnerabilities Catalog
The three actively exploited vulnerabilities were added to CISA’s Known Exploited Vulnerabilities Catalog on specific dates: April 14 for CVE-2026-32201, July 1 for CVE-2026-45659, and July 14 for CVE-2026-56164. Federal agencies are required to address CVE-2026-56164 by July 17 under Binding Operational Directive 26-04 or decommission affected systems if remediation is not feasible.
Historical Context and Proactive Measures
Since November 2021, CISA has identified 11 SharePoint-related vulnerabilities exploited in attacks, with seven of these also linked to ransomware incidents. Organizations are urged to prioritize proactive security assessments and adhere to Microsoft’s guidance for hardening SharePoint Server environments. The advisory underscores the importance of timely patching and layered defense strategies to prevent exploitation of these critical flaws.
