XOOMAR
Enterprise servers under cyberattack protected by glowing shields and urgent patching visuals.
CybersecurityJuly 15, 2026· 5 min read· By XOOMAR Insights Team

Exploited SharePoint Vulnerabilities Trigger 3-Day Race

Share
Updated on July 15, 2026

On Tuesday, CISA urged organizations to harden on-premises Microsoft SharePoint Server systems after confirming active exploitation of three SharePoint Server flaws, including flaws that were targeted before fixes were available.

XOOMAR Intelligence

Analyst Take

70/ 100
High
4 sources analyzedLow confidenceTrend20Freshness93Source Trust85Factual Grounding94Signal Cluster40

The warning follows Microsoft’s July 2026 Patch Tuesday updates and puts federal agencies on a fast clock for at least one newly cataloged bug, according to SecurityWeek. The newest exploited flaw, CVE-2026-56164, is a privilege escalation issue that can be exploited remotely without authentication.

July 14: CISA adds CVE-2026-56164 to the KEV catalog

CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog on Tuesday and urged federal agencies to patch it within three days, in line with BOD 26-04 recommendations.

That deadline applies specifically to CVE-2026-56164. Other SharePoint flaws were added to the KEV catalog earlier: CVE-2026-32201 on April 14, 2026, and CVE-2026-45659 on July 1, 2026, according to CISA’s July 14 alert.

“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warned.

CISA said attackers are actively exploiting CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to gain unauthorized access to on-premises SharePoint Server instances.

The agency also flagged two newly disclosed SharePoint bugs, CVE-2026-55040 and CVE-2026-58644. Those are not currently listed by CISA as exploited, but Microsoft identified them as risks if left unpatched.

CVE CISA status Source-described impact
CVE-2026-56164 Actively exploited, added to KEV on July 14, 2026 Privilege escalation, remotely exploitable without authentication
CVE-2026-32201 Actively exploited, added to KEV on April 14, 2026 Spoofing issue, patched in April after zero-day exploitation
CVE-2026-45659 Actively exploited, added to KEV on July 1, 2026 Code execution issue, patched in May via out-of-band update
CVE-2026-55040 Not flagged as exploited Critical-severity bug that can bypass a security feature
CVE-2026-58644 Not flagged as exploited Critical-severity bug that can execute arbitrary code

April to July: SharePoint zero-days turn into a hardening emergency

The SharePoint vulnerabilities now sit across several patch cycles. CVE-2026-32201 was patched in April after being exploited as a zero-day. CVE-2026-45659 was patched in May through an out-of-band security update. CVE-2026-56164 was resolved in Microsoft’s July 2026 Patch Tuesday release.

That sequencing matters. CISA is not only telling administrators to install the latest patches. It is telling them to assume some servers may already have been touched.

The risk CISA describes is not theoretical access followed by vague damage. The agency points to remote code execution, theft of IIS machine keys, deserialization activity used for persistence, and malware deployment. Those are post-compromise signals, not simple scanning noise.

For defenders, the sharp edge is exposure. CISA specifically recommends that organizations avoid putting SharePoint Servers directly on the internet unless necessary. If internet exposure is required, CISA says servers should sit behind a Layer 7 reverse proxy or similar application-layer control that requires authentication and can inspect and filter requests.

That advice narrows the immediate priority list:

  • Patch status: Apply Microsoft’s latest SharePoint security updates and verify installation completed successfully.
  • Exposure: Identify on-premises SharePoint servers reachable from the internet.
  • Access control: Block external access to SharePoint Central Administration.
  • Persistence checks: Hunt for intrusion artifacts before rotating IIS machine keys.
  • Logging: Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access.

For readers tracking adjacent intrusion tradecraft, XOOMAR has covered separate security stories including Ghost Accounts Forge Attack Maps With GitHub API Abuse and GhostExodus Forces Cybersecurity to Trust a Rule-Breaker. Those reports are not attributed to this SharePoint activity, but they sit in the same practical bucket for defenders: know what your systems expose, and verify what happened after access was gained.

Security teams now have two jobs: patch and prove nothing landed

CISA’s guidance pushes organizations beyond routine patch management. The agency recommends monitoring affected SharePoint servers for unusual activity and implementing incident response plans when detections fire.

The alert names specific Microsoft protections and detections, including AMSI coverage for SharePoint web applications and Microsoft Defender Antivirus detection Backdoor:MSIL/LeakFang.A!dha, tied to post-exploitation activity involving IIS-protected secrets.

Administrators should not rotate IIS machine keys blindly. CISA says organizations should first hunt for and remediate intrusion artifacts, including machine-key harvesters, so newly rotated keys are not stolen again.

That is the practical lesson in this alert. Patching closes known doors. It does not erase evidence of attackers who may have entered before the fix landed.

Private-sector organizations are not bound by the federal KEV deadlines in the same way agencies are, but CISA’s timeline is a clear severity signal. A three-day remediation window for CVE-2026-56164 leaves little room for slow maintenance cycles.

The next decision point is whether exploitation expands around the two newly disclosed bugs that CISA says are not yet known to be exploited: CVE-2026-55040 and CVE-2026-58644. If either moves into the KEV catalog, administrators who treated July’s SharePoint updates as optional will be behind again.

CISA says it may update the alert as new guidance emerges. Until then, the priority is narrow and urgent: patch on-premises SharePoint Server, reduce direct internet exposure, hunt for compromise, and treat clean installation logs as only the start of the response.

Impact Analysis

  • CISA says attackers are already exploiting SharePoint flaws to gain unauthorized access.
  • Federal agencies face a three-day patch deadline for CVE-2026-56164.
  • Organizations running on-premises SharePoint Server 2016, 2019, or Subscription Edition may be exposed.

SharePoint vulnerabilities cited by CISA

VulnerabilityCISA KEV statusExploitation statusKey detail
CVE-2026-56164Added July 14, 2026Actively exploitedRemote privilege escalation; federal agencies urged to patch within three days
CVE-2026-32201Added April 14, 2026Actively exploitedAffects supported on-premises SharePoint Server versions
CVE-2026-45659Added July 1, 2026Actively exploitedLinked to unauthorized access against on-premises SharePoint Server instances
CVE-2026-55040Not currently listed as exploited by CISANo active exploitation reported by CISANewly disclosed SharePoint bug
CVE-2026-58644Not currently listed as exploited by CISANo active exploitation reported by CISANewly disclosed SharePoint bug
XOOMAR

Written by

XOOMAR Insights Team

Research and Editorial Desk

The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.

Related Articles

Dark server room under cyberattack with glowing shields, locks, and code matrix symbolizing data protection.Cybersecurity

Hackers Exploit SharePoint Server Flaws, CISA Warns

CISA says three SharePoint flaws are under attack, with two critical bugs waiting to widen the blast radius for unpatched servers.

Jul 15, 20267 min
Cyberattack on a corporate document server with shields, locks, and glowing data streams.Cybersecurity

CISA Orders 3-Day Patch for SharePoint Vulnerability

CISA says attackers are exploiting a SharePoint RCE flaw, giving federal agencies just three days to patch.

Jul 5, 20265 min
Cracked blue cyber shield over servers symbolizing a ransomware exploit against security defenses.Cybersecurity

Ransomware Crews Weaponize BlueHammer Vulnerability

BlueHammer was exploited before Microsoft patched Defender. CISA now says ransomware crews used the flaw.

Jun 30, 20266 min
Dark server rack under cyberattack with shields, locks, and data streams symbolizing a cPanel flaw.Cybersecurity

3-Day CISA Deadline Throws cPanel Plugin Flaw into Crisis

CISA gave agencies three days to fix an exploited LiteSpeed cPanel flaw that can turn web shell access into root on shared hosts.

Jun 21, 20268 min
Cybersecurity hero showing a blocked Secure Boot update with shield, lock, firmware core, and data streams.Cybersecurity

Windows 11 Secure Boot Update Hits a Firmware Wall

Microsoft paused the Windows 11 Secure Boot update on some PCs after certificate refresh failures exposed firmware support gaps.

Jul 14, 20267 min
Engineer watches files vanish beside a flickering database under an ominous AI network.Technology

File Deletion Claims Drag OpenAI GPT-5.6 Sol Into Crisis

Users claim GPT-5.6 Sol wiped files and a production database, turning OpenAI's agent ambitions into a trust crisis.

Jul 14, 20268 min
Sunrise over US Capitol with blank clocks and global map connections symbolizing permanent daylight saving time.Global Trends

House Vote Shoves Daylight Saving Time Toward Permanence

A 308 to 117 House vote puts permanent daylight saving time back in play, with Trump backing a national break from clock changes.

Jul 15, 20267 min
Pocket-size phone game controller creating a retro handheld on a sleek futuristic tech deskTechnology

$30 8BitDo FlipPad Crams a Game Boy Onto Your Phone

$30 FlipPad turns USB-C phones into pocket retro handhelds, trading Bluetooth, batteries, and bulk for quick physical controls.

Jul 15, 20268 min
Editorial image of a blockchain foundation restructuring toward a wider decentralized ecosystem.Fintech

Ethereum Foundation Shakeup Slashes 54 Jobs, and 40% Budget

Ethereum Foundation cut 54 jobs, trimmed 40% of its budget and pushed more responsibility to the wider Ethereum ecosystem.

Jul 15, 20267 min
Abstract boardroom negotiation between digital payment platforms, symbolizing a major fintech acquisition bid.Fintech

$53B Stripe PayPal Acquisition Bid Triggers Price Fight

$53B Stripe PayPal bid could hinge on price, control and whether PayPal's board sees $60.50 a share as rescue or lowball.

Jul 15, 20266 min

Don't miss the signal

Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.

Free forever. No spam. Unsubscribe anytime.