CISA Issues Urgent Warning on Actively Exploited SharePoint Server Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning that attackers are actively exploiting three vulnerabilities in on-premises Microsoft SharePoint Server instances. These flaws allow threat actors to bypass authentication, execute remote code, and maintain persistence within compromised networks. Organizations are urged to audit their environments and apply patches immediately to prevent unauthorized access and potential malware deployment.
Vulnerabilities Currently Under Active Exploitation
CISA has confirmed that three specific vulnerabilities are being used in the wild to target self-hosted SharePoint Server versions. According to the CISA advisory, these include:
- CVE-2026-32201: Added to the Known Exploited Vulnerabilities (KEV) Catalog on April 14.
- CVE-2026-45659: Added to the KEV Catalog on July 1.
- CVE-2026-56164: Added to the KEV Catalog on July 14.
Attackers are leveraging these security gaps to steal Internet Information Services (IIS) machine keys, which facilitates deeper intrusion. By gaining this level of access, malicious actors can establish long-term persistence and deploy secondary malware payloads across the affected infrastructure.
Patching Requirements and Federal Deadlines
The urgency of these threats has prompted federal action. Under Binding Operational Directive (BOD) 26-04, all U.S. federal agencies must secure their SharePoint servers against CVE-2026-56164 by July 17. If an agency cannot apply the necessary security mitigations, the directive mandates the immediate disconnection of the affected servers from the network.
Beyond these three, Microsoft has also released patches for two additional vulnerabilities—CVE-2026-55040 and CVE-2026-58644. While these have not yet been reported as exploited in the wild, CISA identifies them as highly attractive targets for attackers and recommends immediate remediation.
Security Hardening Recommendations
Security teams should move beyond simple patching to harden their SharePoint environments. CISA and security researchers suggest the following defensive measures:

- Verify Patch Integrity: Ensure that all Microsoft-issued updates are correctly installed and verified across the entire server farm.
- Restrict Exposure: Avoid exposing SharePoint Central Administration to the internet. Where internet access is unavoidable, place servers behind a Layer 7 reverse proxy or application-layer security control.
- Implement Advanced Monitoring: Enable Windows Antimalware Scan Interface (AMSI) integration for SharePoint web applications and utilize Microsoft Defender Antivirus (MDAV) for real-time detection.
- Rotate Credentials: Hunt for intrusion artifacts, such as unauthorized configuration changes, before rotating IIS machine keys to ensure attackers are not using cached credentials.
- Limit Network Communication: Restrict farm and database communication to only those systems that absolutely require it to function.
Current Threat Landscape
The scale of the risk is substantial. Data from the internet security watchdog group Shadowserver indicates that nearly 10,000 Microsoft SharePoint servers are currently exposed to the public internet. Of those, over 800 are confirmed to be unpatched against the CVE-2026-32201 and CVE-2026-45659 vulnerabilities.
Since November 2021, CISA has tracked 11 distinct Microsoft SharePoint vulnerabilities that have been leveraged in active cyberattacks. Notably, seven of those historical vulnerabilities were subsequently utilized in ransomware campaigns, highlighting the importance of timely remediation to prevent data exfiltration and extortion attempts.
Keep reading