2 min read

CISA urges urgent patching of exploited SharePoint bugs

CISA says three SharePoint Server flaws are under active attack and orders federal agencies to patch or pull vulnerable systems this week.

Image: BleepingComputer

CISA: Three SharePoint Server bugs under active attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server deployments.

The flaws — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — impact all supported self-hosted SharePoint Server versions, including SharePoint Server Subscription Edition, which follows a “continuous update” model.

What attackers are doing

According to CISA’s Tuesday advisory, threat actors are chaining these bugs to:

Recommended reading

Mira Murati’s lab unveils Inkling, a 975B open model

  • Bypass authentication
  • Achieve remote code execution (RCE)
  • Conduct post-exploitation activity, including:
  • Stealing Internet Information Services (IIS) machine keys
  • Gaining persistence to deploy malware on compromised systems

CISA has added the three actively exploited CVEs to its Known Exploited Vulnerabilities Catalog on:

  • April 14 – CVE-2026-32201
  • July 1 – CVE-2026-45659
  • July 14 – CVE-2026-56164

Two more high‑risk SharePoint vulnerabilities

The agency also flagged two additional SharePoint Server vulnerabilities, CVE-2026-55040 and CVE-2026-58644.

Microsoft released patches for these two issues on Tuesday and tagged them as attractive targets for attackers, although no in-the-wild exploitation is currently known.

Exposure on the public internet

Internet security watchdog Shadowserver is tracking nearly 10,000 Internet-exposed Microsoft SharePoint servers.

More than 800 of these are currently unpatched against CVE-2026-32201 and CVE-2026-45659. There is no public data yet on how many are vulnerable to CVE-2026-56164 or how many of the observed instances are honeypots.

CISA’s guidance for defenders

CISA is urging admins and security teams to:

  • Apply Microsoft’s latest patches and verify successful installation
  • Shorten patching cycles for SharePoint Server
  • Enable Windows Antimalware Scan Interface (AMSI) integration for SharePoint web applications
  • Use Microsoft Defender Antivirus (MDAV) detections to identify and remediate compromises

Additional hardening steps recommended by CISA include:

  • Hunting for and remediating intrusion artifacts before rotating IIS machine keys
  • Setting up tailored logging to spot anomalous activity
  • Avoiding direct internet exposure of SharePoint servers unless strictly necessary
  • Reviewing Microsoft’s official SharePoint Server security-hardening guidance
  • Blocking external access to SharePoint Central Administration
  • Restricting farm and database communication to only required systems
  • Where exposure is required, placing servers behind a Layer 7 reverse proxy or similar application-layer security control

Federal deadline: July 17

Under Binding Operational Directive (BOD) 26-04, U.S. federal agencies have until July 17 to secure SharePoint servers affected by CVE-2026-56164.

Systems must be patched by that date or discontinued if mitigations cannot be applied.

Since November 2021, CISA says it has flagged 11 Microsoft SharePoint vulnerabilities that have been exploited in attacks, with 7 of those also used in ransomware operations. That history is now colliding with another set of unpatched, internet-facing collaboration servers.

Ava Chen

AI Editor

Ava covers the rapidly evolving world of artificial intelligence, from foundational models and research labs to the real-world economics of intelligence. With a background in computational linguistics, she cuts through the hype to find out what actually works. She firmly believes that benchmarks are just marketing until reproduced in the wild.

via BleepingComputer

// Keep reading