On Tuesday, CISA urged organizations to harden on-premises Microsoft SharePoint Server systems after confirming active exploitation of three SharePoint Server flaws, including flaws that were targeted before fixes were available.

Exploited SharePoint Vulnerabilities Trigger 3-Day Race
XOOMAR Intelligence
Analyst Take
The warning follows Microsoft’s July 2026 Patch Tuesday updates and puts federal agencies on a fast clock for at least one newly cataloged bug, according to SecurityWeek. The newest exploited flaw, CVE-2026-56164, is a privilege escalation issue that can be exploited remotely without authentication.
July 14: CISA adds CVE-2026-56164 to the KEV catalog
CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog on Tuesday and urged federal agencies to patch it within three days, in line with BOD 26-04 recommendations.
That deadline applies specifically to CVE-2026-56164. Other SharePoint flaws were added to the KEV catalog earlier: CVE-2026-32201 on April 14, 2026, and CVE-2026-45659 on July 1, 2026, according to CISA’s July 14 alert.
“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warned.
CISA said attackers are actively exploiting CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to gain unauthorized access to on-premises SharePoint Server instances.
The agency also flagged two newly disclosed SharePoint bugs, CVE-2026-55040 and CVE-2026-58644. Those are not currently listed by CISA as exploited, but Microsoft identified them as risks if left unpatched.
| CVE | CISA status | Source-described impact |
|---|---|---|
| CVE-2026-56164 | Actively exploited, added to KEV on July 14, 2026 | Privilege escalation, remotely exploitable without authentication |
| CVE-2026-32201 | Actively exploited, added to KEV on April 14, 2026 | Spoofing issue, patched in April after zero-day exploitation |
| CVE-2026-45659 | Actively exploited, added to KEV on July 1, 2026 | Code execution issue, patched in May via out-of-band update |
| CVE-2026-55040 | Not flagged as exploited | Critical-severity bug that can bypass a security feature |
| CVE-2026-58644 | Not flagged as exploited | Critical-severity bug that can execute arbitrary code |
April to July: SharePoint zero-days turn into a hardening emergency
The SharePoint vulnerabilities now sit across several patch cycles. CVE-2026-32201 was patched in April after being exploited as a zero-day. CVE-2026-45659 was patched in May through an out-of-band security update. CVE-2026-56164 was resolved in Microsoft’s July 2026 Patch Tuesday release.
That sequencing matters. CISA is not only telling administrators to install the latest patches. It is telling them to assume some servers may already have been touched.
The risk CISA describes is not theoretical access followed by vague damage. The agency points to remote code execution, theft of IIS machine keys, deserialization activity used for persistence, and malware deployment. Those are post-compromise signals, not simple scanning noise.
For defenders, the sharp edge is exposure. CISA specifically recommends that organizations avoid putting SharePoint Servers directly on the internet unless necessary. If internet exposure is required, CISA says servers should sit behind a Layer 7 reverse proxy or similar application-layer control that requires authentication and can inspect and filter requests.
That advice narrows the immediate priority list:
- Patch status: Apply Microsoft’s latest SharePoint security updates and verify installation completed successfully.
- Exposure: Identify on-premises SharePoint servers reachable from the internet.
- Access control: Block external access to SharePoint Central Administration.
- Persistence checks: Hunt for intrusion artifacts before rotating IIS machine keys.
- Logging: Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access.
For readers tracking adjacent intrusion tradecraft, XOOMAR has covered separate security stories including Ghost Accounts Forge Attack Maps With GitHub API Abuse and GhostExodus Forces Cybersecurity to Trust a Rule-Breaker. Those reports are not attributed to this SharePoint activity, but they sit in the same practical bucket for defenders: know what your systems expose, and verify what happened after access was gained.
Security teams now have two jobs: patch and prove nothing landed
CISA’s guidance pushes organizations beyond routine patch management. The agency recommends monitoring affected SharePoint servers for unusual activity and implementing incident response plans when detections fire.
The alert names specific Microsoft protections and detections, including AMSI coverage for SharePoint web applications and Microsoft Defender Antivirus detection Backdoor:MSIL/LeakFang.A!dha, tied to post-exploitation activity involving IIS-protected secrets.
Administrators should not rotate IIS machine keys blindly. CISA says organizations should first hunt for and remediate intrusion artifacts, including machine-key harvesters, so newly rotated keys are not stolen again.
That is the practical lesson in this alert. Patching closes known doors. It does not erase evidence of attackers who may have entered before the fix landed.
Private-sector organizations are not bound by the federal KEV deadlines in the same way agencies are, but CISA’s timeline is a clear severity signal. A three-day remediation window for CVE-2026-56164 leaves little room for slow maintenance cycles.
The next decision point is whether exploitation expands around the two newly disclosed bugs that CISA says are not yet known to be exploited: CVE-2026-55040 and CVE-2026-58644. If either moves into the KEV catalog, administrators who treated July’s SharePoint updates as optional will be behind again.
CISA says it may update the alert as new guidance emerges. Until then, the priority is narrow and urgent: patch on-premises SharePoint Server, reduce direct internet exposure, hunt for compromise, and treat clean installation logs as only the start of the response.
Impact Analysis
- CISA says attackers are already exploiting SharePoint flaws to gain unauthorized access.
- Federal agencies face a three-day patch deadline for CVE-2026-56164.
- Organizations running on-premises SharePoint Server 2016, 2019, or Subscription Edition may be exposed.
SharePoint vulnerabilities cited by CISA
| Vulnerability | CISA KEV status | Exploitation status | Key detail |
|---|---|---|---|
| CVE-2026-56164 | Added July 14, 2026 | Actively exploited | Remote privilege escalation; federal agencies urged to patch within three days |
| CVE-2026-32201 | Added April 14, 2026 | Actively exploited | Affects supported on-premises SharePoint Server versions |
| CVE-2026-45659 | Added July 1, 2026 | Actively exploited | Linked to unauthorized access against on-premises SharePoint Server instances |
| CVE-2026-55040 | Not currently listed as exploited by CISA | No active exploitation reported by CISA | Newly disclosed SharePoint bug |
| CVE-2026-58644 | Not currently listed as exploited by CISA | No active exploitation reported by CISA | Newly disclosed SharePoint bug |
Sources
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.
Explore More Topics
Related Articles
CybersecurityHackers Exploit SharePoint Server Flaws, CISA Warns
CISA says three SharePoint flaws are under attack, with two critical bugs waiting to widen the blast radius for unpatched servers.
CybersecurityCISA Orders 3-Day Patch for SharePoint Vulnerability
CISA says attackers are exploiting a SharePoint RCE flaw, giving federal agencies just three days to patch.
CybersecurityRansomware Crews Weaponize BlueHammer Vulnerability
BlueHammer was exploited before Microsoft patched Defender. CISA now says ransomware crews used the flaw.
Cybersecurity3-Day CISA Deadline Throws cPanel Plugin Flaw into Crisis
CISA gave agencies three days to fix an exploited LiteSpeed cPanel flaw that can turn web shell access into root on shared hosts.
CybersecurityWindows 11 Secure Boot Update Hits a Firmware Wall
Microsoft paused the Windows 11 Secure Boot update on some PCs after certificate refresh failures exposed firmware support gaps.
TechnologyFile Deletion Claims Drag OpenAI GPT-5.6 Sol Into Crisis
Users claim GPT-5.6 Sol wiped files and a production database, turning OpenAI's agent ambitions into a trust crisis.
Global TrendsHouse Vote Shoves Daylight Saving Time Toward Permanence
A 308 to 117 House vote puts permanent daylight saving time back in play, with Trump backing a national break from clock changes.
Technology$30 8BitDo FlipPad Crams a Game Boy Onto Your Phone
$30 FlipPad turns USB-C phones into pocket retro handhelds, trading Bluetooth, batteries, and bulk for quick physical controls.
FintechEthereum Foundation Shakeup Slashes 54 Jobs, and 40% Budget
Ethereum Foundation cut 54 jobs, trimmed 40% of its budget and pushed more responsibility to the wider Ethereum ecosystem.
Fintech$53B Stripe PayPal Acquisition Bid Triggers Price Fight
$53B Stripe PayPal bid could hinge on price, control and whether PayPal's board sees $60.50 a share as rescue or lowball.
Don't miss the signal
Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.
Free forever. No spam. Unsubscribe anytime.