Skip to main content
Emerging Threats

CISA Warns of Actively Exploited SharePoint Vulnerabilities

Government officials gather in a briefing room for a warning about exploited Microsoft SharePoint server vulnerabilities.

“622 bugs” is the number that framed this month’s Patch Tuesday — and one of those 622, CVE-2026-56164, is now part of a trio of SharePoint flaws that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) says are being actively exploited.

The exploited trio: CVE-2026-32201, CVE-2026-45659, CVE-2026-56164

CISA singled out three vulnerabilities affecting supported on-premises SharePoint Server installations. The first is CVE-2026-32201 (severity 6.5), a spoofing bug Microsoft disclosed in March and which CISA confirmed was being actively exploited in June. The second, CVE-2026-45659 (8.8), is a remote code execution flaw that Microsoft disclosed in June and which CISA said was confirmed as being actively used in attacks the week before this advisory, despite Microsoft earlier labelling exploitation as “less likely.” The third is CVE-2026-56164 (5.3), a privilege escalation vulnerability that appeared among the 622 fixes released during this month’s record Patch Tuesday.

Post-exploitation activity: IIS key theft and deserialization techniques

CISA emphasized that the exploited bugs are tied to post-exploitation techniques. The agency said activity associated with these vulnerabilities includes theft of Internet Information Services (IIS) machine keys and deserialization techniques — both methods aimed at gaining persistence on compromised systems and deploying malware. CISA did not provide further technical details about the incidents that prompted the advisory, but the agency’s characterization places these flaws in the context of follow-on attacker activity rather than one-shot disruption.

Patch Tuesday pairs that could complicate defenses: CVE-2026-55040 and CVE-2026-58644

Beyond the three already exploited flaws, CISA also pointed to two critical Patch Tuesday bugs that Microsoft has flagged as carrying an “Exploitation More Likely” designation. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is currently being exploited, CISA said, but their severity and Microsoft’s classification mean they could complicate SharePoint security if attackers turn to them in the near term.

ToolShell chain and Warlock ransomware: earlier CISA guidance and Microsoft context

CISA asked defenders to revisit an alert the agency published in August 2025 that urged organizations to harden SharePoint against “ToolShell” attacks. In that prior advisory, CISA described attackers chaining CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some instances, deploy Warlock ransomware. In the current advisory CISA stopped short of attributing the newly referenced activity to any actor or country. Microsoft, however, stated in July 2025 that ToolShell vulnerabilities had been exploited by Chinese nation-state crews.

What this means for technologists, procurement leaders, and policymakers

  • Technologists and security teams: CISA’s immediate recommendations are operational: apply Microsoft’s latest security patches; verify that Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application; threat-hunt for signs of intrusion before rotating IIS keys; avoid exposing SharePoint to the web unless necessary; and block external access to SharePoint Central Administration. CISA also urged implementation of robust, tailored logging capable of detecting potential exploit attempts.
  • Procurement leaders and affected enterprises: Organizations that run supported on-premises SharePoint Server must prioritize patch deployment and configuration checks. The presence of both actively exploited CVEs and high-severity “Exploitation More Likely” CVEs in the same Patch Tuesday cycle increases the operational urgency around testing and rolling out updates.
  • Policymakers and regulators: A federal cybersecurity agency’s public advisory underlines the systemic risk posed by exploited collaboration-platform flaws; CISA’s guidance to harden configurations and to use logging and threat hunting will be the key compliance and oversight touchpoints in any follow-on guidance or incident reporting requirements.

CISA’s notice is both a technical red flag and a procedural nudge: the agency is asking organizations to assume compromise, to look for indicators before changing IIS keys, and to restrict administrative access where possible. With two high-severity Patch Tuesday bugs flagged as “Exploitation More Likely” and three SharePoint vulnerabilities already tied to active exploitation and post-breach persistence techniques, the practical choice is immediate patching and validation of defensive controls — not debate over attribution. The remaining operational question is how quickly organizations with on-premises SharePoint will act on CISA’s checklist.

Original story: CISA sounds alarm over trio of exploited SharePoint flaws — The Register