Attackers are actively exploiting three vulnerabilities in on-premises Microsoft SharePoint Server, and CISA wants every organization running the software to treat this as urgent. On July 14, 2026, CISA published an alert confirming exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, all of which grant unauthorized access to SharePoint Server instances still running on-prem.
If your organization uses SharePoint Server Subscription Edition, 2019, or 2016, this alert applies to you.
What’s Being Exploited
All three vulnerabilities affect the same on-premises SharePoint versions and can be chained to devastating effect. According to CISA and Microsoft, threat actors are using them to establish remote code execution and then move into post-exploitation activity, including stealing Internet Information Services (IIS) machine keys and using deserialization techniques to gain persistence and deploy malware.
Stolen IIS machine keys are particularly dangerous. Once an attacker has them, they can forge authentication tokens and maintain access even after a server is patched, unless those keys are rotated.
Here’s the exploitation timeline, based on when each CVE landed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog:
- CVE-2026-32201 – added April 14, 2026
- CVE-2026-45659 – a deserialization vulnerability (CVSS 8.8) that Microsoft patched in May and initially assessed as “exploitation less likely.” It was added to the KEV Catalog on July 1 after CISA confirmed active exploitation. Microsoft notes an authenticated attacker needs only Site Member permissions to trigger it.
- CVE-2026-56164 – an elevation of privilege flaw remotely exploitable in low-complexity attacks, added to the KEV Catalog on July 14, the same day the alert went out.
This is an evolving campaign against SharePoint infrastructure, beginning with ToolShell in 2025. Other related vulnerabilities include:
- CVE-2026-32201 zero-day – April 14, 2026
- CVE-2026-45659 patched, initially rated low-risk – May 2026
- CVE-2026-45659 added to KEV, reversing the earlier assessment – July 1
- CVE-2026-56164, same-day disclosure and exploitation – July 14
Two More CVEs to Watch
Microsoft also flagged two newly disclosed vulnerabilities, CVE-2026-55040 and CVE-2026-58644, as posing risk if left unpatched. Neither is known to have been exploited yet, but both were patched in the same July Patch Tuesday release and are considered attractive targets. CVE-2026-58644 carries a CVSS score of 9.8. Security researchers have also pointed to CVE-2026-55040 as part of a chain that, combined with a related flaw, can lead to unauthenticated remote code execution against a vulnerable SharePoint server.
CISA’s Recommended Actions
CISA is urging every organization running on-premises SharePoint to act immediately:
- Apply the latest patches and security updates from Microsoft across every server in the farm, not just the front end. SharePoint updates have to be validated through the SharePoint Products Configuration Wizard (or its PowerShell equivalent) on each server; a Windows Update alone doesn’t guarantee full servicing.
- Verify Antimalware Scan Interface (AMSI) integration in SharePoint and set Request Body Scan mode to Full.
- Hunt for and remediate intrusion artifacts, including signs of IIS machine key theft, before assuming a patch alone resolves compromise.
- Establish tailored logging mechanisms to catch post-exploitation activity.
- Avoid exposing SharePoint Servers directly to the internet, or place them behind a proxy service.
- Block external access to SharePoint Central Administration, and restrict farm and database communications to only the systems that need them.
Federal agencies are bound by Binding Operational Directive (BOD) 26-04, which gives them until July 17 to secure servers affected by CVE-2026-56164 or take them offline. That deadline is a useful benchmark for any organization deciding how fast to move, federal mandate or not.
Why This Matters Beyond the Patch
Shadowserver currently tracks close to 10,000 internet-exposed SharePoint servers, with several hundred still unpatched against known flaws. SharePoint has been a recurring target for a reason: it sits at the center of document sharing, intranet, and line-of-business workflows for most enterprises that run it, which makes a compromised instance a direct line into sensitive business data.
Patching closes the door attackers are currently using. It does not undo access they may have already gained. If your SharePoint farm has been internet-facing at any point since these vulnerabilities were disclosed, treat this as a potential compromise and hunt accordingly.