The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Tuesday regarding the active exploitation of three vulnerabilities in on-premises SharePoint Server instances that are publicly accessible. These vulnerabilities—CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164—impact all supported self-hosted SharePoint Server versions, including the latest versions utilizing the “continuous update” model.
As detailed in CISA’s advisory, attackers have leveraged these vulnerabilities for various post-exploitation activities, including authentication bypass, remote code execution, stealing Internet Information Services (IIS) machine keys, and establishing persistence to deploy malware on compromised systems.
The cybersecurity agency has also identified two additional vulnerabilities in SharePoint Server—CVE-2026-55040 and CVE-2026-58644—which Microsoft patched on Tuesday. These flaws are considered attractive targets for attackers, although it remains unclear if they have been exploited actively.
According to Shadowserver, there are approximately 10,000 SharePoint Server instances exposed to the Internet, with over 800 still unpatched for CVE-2026-32201 and CVE-2026-45659.
Details on how many of these servers are vulnerable to CVE-2026-56164 attacks remain undisclosed.

CISA urges security teams to closely monitor affected servers for signs of exploitation. They recommend applying the latest Microsoft patches, verifying successful installations, shortening patching cycles, and enabling the Windows Antimalware Scan Interface (AMSI), which integrates with Microsoft Defender Antivirus for detecting and remediating breaches.
Additional hardening strategies include:
- Detecting and remediating intrusion artifacts before rotating IIS machine keys.
- Establishing tailored logging to monitor for anomalous activity.
- Avoiding direct exposure of SharePoint servers to the Internet unless absolutely necessary.
- Consulting Microsoft’s official security hardening guidance for SharePoint Server.
CISA also recommends blocking external access to SharePoint Central Administration and restricting farm and database communication to essential systems. If external exposure is required, it is advisable to place the server behind a Layer 7 reverse proxy or other application-layer security controls.
As part of its ongoing efforts, CISA has added the three currently exploited vulnerabilities to its known and exploited vulnerabilities catalog: April 14th (CVE-2026-32201), July 1st (CVE-2026-45659), and July 14th (CVE-2026-56164).
Federal agencies have a deadline of July 17th to secure SharePoint servers impacted by CVE-2026-56164 under Binding Operating Order (BOD) 26-04, or face a mandated shutdown if mitigations are not feasible.
Since November 2021, CISA has issued a total of 11 warnings related to Microsoft SharePoint vulnerabilities, with seven of them having been associated with ransomware attacks.
Currently, security teams successfully document 54% of attacks, but only 14% result in warnings. Many incidents remain undetected.
Picus’ whitepaper illustrates how to test SIEM and EDR rules through breach and attack simulations to ensure comprehensive threat detection.
Source: www.bleepingcomputer.com




