Three SharePoint vulnerabilities are already under active exploitation, and CISA is warning that two more critical flaws could widen the damage for organizations still running supported Microsoft SharePoint Server on-premises.

Hackers Exploit SharePoint Server Flaws, CISA Warns
XOOMAR Intelligence
Analyst Take
The alert matters because this is not a theoretical patch notice. CISA is telling defenders that attackers are already using three flaws tied to remote code execution, persistence, malware deployment, and theft of Internet Information Services (IIS) machine keys, according to The Register Security. For server teams, that shifts SharePoint from a normal maintenance item into an intrusion-response problem.
CISA's SharePoint alert turns Patch Tuesday into an emergency server problem
The warning applies to all supported on-premises SharePoint Server versions, including Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, based on related reporting from Windows Report. CISA singled out three exploited bugs:
- CVE-2026-32201: a spoofing flaw rated 6.5, disclosed by Microsoft in March and confirmed by CISA as actively exploited in June.
- CVE-2026-45659: an RCE flaw rated 8.8, made public in June and confirmed as actively exploited last week after Microsoft had assessed exploitation as “less likely.”
- CVE-2026-56164: a privilege escalation flaw rated 5.3, included in this month’s record Patch Tuesday release covering 622 bugs.
Two more SharePoint issues are not yet reported as exploited, but CISA still highlighted them: CVE-2026-55040, rated 9.1, and CVE-2026-58644, rated 9.8. Microsoft labeled both “Exploitation More Likely.”
That combination is the pressure point. Three flaws are already in attacker hands. Two more are high-severity candidates for the next wave if defenders lag.
“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warned, according to SecurityWeek.
The exploited SharePoint vulnerabilities point to persistence, not just entry
CISA’s phrasing is important. The agency did not only say attackers can exploit bugs. It said the exploited SharePoint vulnerabilities are associated with post-exploitation activity, including IIS machine key theft and deserialization techniques.
That means defenders should not treat this as a simple “patch and move on” event. XOOMAR analysis: once CISA references persistence and malware deployment, the practical question becomes whether attackers are already inside, not whether a server is merely vulnerable.
The likely defensive sequence is therefore stricter than a normal patch run:
- Inventory: Identify every supported on-premises SharePoint Server instance.
- Patch: Apply Microsoft’s latest security updates and confirm completion.
- Validate AMSI: Verify Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application, with Full Mode where possible.
- Hunt first: Look for signs of compromise before rotating IIS machine keys.
- Reduce exposure: Avoid exposing SharePoint to the web unless necessary.
- Lock down admin paths: Block external access to SharePoint Central Administration.
- Log for exploitation: Use tailored logging that can detect exploit attempts and unusual activity.
That order matters. Rotating keys after an undetected intrusion may not solve the persistence problem if attackers still have access through another path.
Three exploited bugs, two critical additions, and a shrinking patch window
The data in CISA’s warning is compact, but it tells defenders where to focus first.
| CVE | Score | Type | Status from source material |
|---|---|---|---|
| CVE-2026-32201 | 6.5 | Spoofing | Actively exploited, disclosed in March, CISA confirmed exploitation in June |
| CVE-2026-45659 | 8.8 | Remote code execution | Actively exploited, made public in June, active use confirmed last week |
| CVE-2026-56164 | 5.3 | Privilege escalation | Actively exploited, included in this month’s Patch Tuesday |
| CVE-2026-55040 | 9.1 | Critical SharePoint flaw | Not known to be exploited, labeled “Exploitation More Likely” |
| CVE-2026-58644 | 9.8 | Critical SharePoint flaw | Not known to be exploited, labeled “Exploitation More Likely” |
CISA has added CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to its Known Exploited Vulnerabilities catalog, according to Windows Report. SecurityWeek also reported that federal agencies were urged to patch CVE-2026-56164 within three days, in line with the referenced CISA requirement.
Private-sector organizations do not face the same federal mandate, but the signal is still clear. A KEV listing means confirmed exploitation, not vendor speculation.
For teams tracking exposure, the useful internal metrics are practical: how many SharePoint servers exist, which versions they run, whether any are internet-facing, which patches succeeded, which logs have been reviewed, and whether suspicious authentication or malware alerts appeared after exploitation became known. XOOMAR’s related coverage, Exploited SharePoint Vulnerabilities Trigger 3-Day Race, is relevant for teams organizing around emergency remediation windows.
Microsoft admins and attackers are working against different clocks
Administrators have to patch production systems without breaking business use. Attackers only need one reachable, unpatched target.
That mismatch is why CISA’s SharePoint warning lands hard. XOOMAR analysis: the technical severity scores matter, but exploitation status matters more. A lower-scored bug that is actively exploited can be more urgent than a higher-scored flaw still sitting in the “more likely” category.
For CISOs, the tradeoff is blunt. Planned downtime is visible and unpopular. A compromise involving persistence, malware, and stolen IIS machine keys is worse because it can force incident response, credential rotation, forensic review, and broader containment work.
Regulators and public-sector security teams will read the alert as a clear instruction to move faster than the next maintenance window. Attackers will read the same advisory differently: it identifies a widely used product family where defenders may be slow because patching on-premises server software is operationally sensitive.
For broader incident-response context, XOOMAR’s Hackers Steal Records in Partnered Health Cyber Attack shows why intrusion handling can become a business issue once attackers move from exploiting systems to accessing records.
ToolShell is the warning CISA wants SharePoint teams to remember
CISA did not provide more detail about what specifically triggered the latest warning. Instead, it pointed defenders back to an August 2025 alert about hardening SharePoint against ToolShell attacks.
That earlier alert said attackers chained CVE-2025-49706, rated 6.5, and CVE-2025-49704, rated 8.8, to break into SharePoint Servers. In some cases, CISA said attackers deployed Warlock ransomware.
CISA did not attribute either SharePoint advisory to a group or country. Microsoft, however, said in July 2025 that ToolShell vulnerabilities were being exploited by Chinese nation-state crews.
The relevant lesson is narrow and evidence-based: CISA has now linked SharePoint exploitation to chaining behavior, persistence techniques, IIS key theft, malware deployment, and, in the prior ToolShell case, ransomware. That is enough to justify treating exposed on-premises SharePoint as high-priority attack surface.
The next proof point is whether defenders find intrusions before attackers reuse access
The immediate playbook is not complicated, but it is unforgiving. Patch SharePoint. Confirm AMSI coverage. Hunt for compromise before rotating IIS machine keys. Remove unnecessary internet exposure. Block external access to Central Administration. Strengthen logging around exploitation signals.
The unresolved tension is whether organizations can do that faster than attackers can reuse working techniques across unpatched servers.
Evidence that would confirm the risk thesis: more KEV additions, new malware reports tied to SharePoint exploitation, or CISA expanding its guidance beyond the current set of CVEs. Evidence that would weaken it: successful patch uptake, few confirmed intrusions after remediation, and no observed exploitation of CVE-2026-55040 or CVE-2026-58644.
For now, the safe assumption is simple: if an organization still depends on on-premises SharePoint, it needs emergency change capacity, active monitoring, and a tested incident-response plan. Treating SharePoint as boring back-office plumbing is the mistake attackers are counting on.
Impact Analysis
- CISA says attackers are already exploiting three SharePoint flaws, turning patching into an urgent incident-response priority.
- The affected systems include supported on-premises SharePoint Server versions, including Subscription Edition, 2019, and 2016.
- Two additional critical flaws rated 9.1 and 9.8 could expand the threat if organizations delay remediation.
SharePoint vulnerabilities highlighted by CISA
| Vulnerability | Issue type | Status | Severity score |
|---|---|---|---|
| CVE-2026-32201 | Spoofing | Actively exploited | 6.5 |
| CVE-2026-45659 | Remote code execution | Actively exploited | 8.8 |
| CVE-2026-56164 | Privilege escalation | Actively exploited | 5.3 |
| CVE-2026-55040 | Not specified | Exploitation more likely | 9.1 |
| CVE-2026-58644 | Not specified | Exploitation more likely | 9.8 |
SharePoint flaw severity scores
Sources
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.
Explore More Topics
Related Articles
CybersecurityExploited SharePoint Vulnerabilities Trigger 3-Day Race
CISA says three exploited SharePoint flaws are under attack, with agencies facing a 3-day patch deadline for CVE-2026-56164.
CybersecurityCISA Orders 3-Day Patch for SharePoint Vulnerability
CISA says attackers are exploiting a SharePoint RCE flaw, giving federal agencies just three days to patch.
CybersecurityRansomware Crews Weaponize BlueHammer Vulnerability
BlueHammer was exploited before Microsoft patched Defender. CISA now says ransomware crews used the flaw.
CybersecurityCursor AI IDE Flaws Crack Open OS-Level Code Execution
Cursor’s DuneSlide flaws let malicious prompts escape the IDE sandbox, raising OS-level RCE risk for unpatched developer machines.
Cybersecurity3-Day CISA Deadline Throws cPanel Plugin Flaw into Crisis
CISA gave agencies three days to fix an exploited LiteSpeed cPanel flaw that can turn web shell access into root on shared hosts.
FintechFake Oracle Profits Drain $18M in Ostium Exploit
Ostium lost $18M USDC after future-dated oracle reports created fake profits, deepening DeFi's keeper and price-feed crisis.
FintechStripe PayPal Acquisition Bid Ignites $53.4B Takeover
Stripe and Advent reportedly offered $53.4B for PayPal, testing whether a battered payments giant is cheap enough to absorb.
Global TrendsHouse Vote Shoves Daylight Saving Time Toward Permanence
A 308 to 117 House vote puts permanent daylight saving time back in play, with Trump backing a national break from clock changes.
Technology$30 8BitDo FlipPad Crams a Game Boy Onto Your Phone
$30 FlipPad turns USB-C phones into pocket retro handhelds, trading Bluetooth, batteries, and bulk for quick physical controls.
FintechEthereum Foundation Shakeup Slashes 54 Jobs, and 40% Budget
Ethereum Foundation cut 54 jobs, trimmed 40% of its budget and pushed more responsibility to the wider Ethereum ecosystem.
Don't miss the signal
Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.
Free forever. No spam. Unsubscribe anytime.