Skip to main content
Emerging Threats

CISA Warns of Actively Exploited SharePoint Flaws

Government official stands before large screen displaying warning message about exploited system vulnerabilities.

Shadowserver currently tracks nearly 10,000 Internet-exposed Microsoft SharePoint servers, and more than 800 of those remain unpatched against two of the flaws CISA says attackers are already exploiting: CVE-2026-32201 and CVE-2026-45659.

CISA adds three SharePoint CVEs to Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities in Internet-exposed, on‑premises SharePoint Server instances: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. CISA added those bugs to its Known Exploited Vulnerabilities Catalog on April 14 (CVE-2026-32201), July 1 (CVE-2026-45659), and July 14 (CVE-2026-56164).

CISA also flagged two additional SharePoint Server vulnerabilities — CVE-2026-55040 and CVE-2026-58644 — which Microsoft patched on Tuesday and labeled as attractive targets for attackers, although CISA says those two are not yet known to have been exploited in the wild.

How the flaws are being used: bypass, remote code execution, persistence

According to CISA's advisory, attackers are exploiting the three active CVEs to bypass authentication, gain remote code execution and conduct post‑exploitation activity. Post‑exploitation techniques called out by the agency include stealing Internet Information Services (IIS) machine keys and obtaining persistence to deploy malware on compromised systems.

Scope of exposed and unpatched systems

The advisory cites Shadowserver data showing nearly 10,000 SharePoint servers exposed to the Internet. Of those, more than 800 were identified as unpatched against CVE-2026-32201 and CVE-2026-45659; CISA notes there is no available detail on how many of the tracked systems are vulnerable to CVE-2026-56164 or how many may be honeypots.

CISA also placed the new additions in the context of a longer trend: since November 2021 the agency has flagged 11 Microsoft SharePoint vulnerabilities that have been exploited in attacks, with seven of those also exploited in ransomware operations.

Concrete mitigations CISA recommends

CISA’s guidance is operational and prescriptive. Key actions the agency urges include:

  • Apply Microsoft’s latest SharePoint patches and verify successful installation.
  • Shorten patching cycles and closely monitor affected servers for signs of exploitation.
  • Enable Windows Antimalware Scan Interface (AMSI) integration for SharePoint web applications and use Microsoft Defender Antivirus (MDAV) detections to identify and remediate compromise.
  • Hunt for and remediate intrusion artifacts before rotating IIS machine keys.
  • Establish tailored logging to detect anomalous behavior, block external access to SharePoint Central Administration, and restrict farm and database communication to required systems only.
  • Avoid direct Internet exposure of SharePoint servers unless necessary; where exposure is required, place servers behind a Layer 7 reverse proxy or similar application‑layer security control.
  • Review Microsoft’s official SharePoint Server security‑hardening guidance.

What this means for federal agencies, security teams, and administrators

Federal agencies: under Binding Operational Directive (BOD) 26‑04, federal agencies have until July 17 to secure SharePoint servers affected by CVE-2026-56164 or discontinue them if mitigations cannot be applied.

Security teams: CISA’s advisory stresses active monitoring and rapid patch verification. The advisory also underscores the detection challenge: the source notes security teams log 54% of successful attacks but alert on only 14%, highlighting the potential for intrusions to move unseen through environments unless detections and response are tuned.

Administrators of on‑premises SharePoint Server (including SharePoint Server Subscription Edition): immediate patching and hardening are the priority; where direct Internet exposure cannot be removed, administrators are asked to implement proxying, tighter network restrictions, and AMSI/MDAV protections to reduce risk of abuse and post‑exploit persistence.

These advisories arrive amid repeated exploitation of SharePoint flaws in recent years and a clear directive to act quickly: the three CVEs now on CISA’s catalog are tied to active malicious use, Microsoft has issued patches including for two additional non‑exploited but “attractive” flaws, and Shadowserver’s scans show a large surface of Internet‑exposed servers. Administrators who cannot apply mitigations immediately face an explicit federal deadline and a heightened operational risk if they continue to expose SharePoint to the Internet.

Source