389/69 Thursday, July 16, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last Tuesday after finding that attackers are exploiting three vulnerabilities in internet-exposed Microsoft SharePoint Server instances: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. These vulnerabilities affect all supported on-premises versions of SharePoint Server, including SharePoint Server Subscription Edition, the latest on-premises version that uses a continuous update model.
CISA stated that attackers are exploiting these vulnerabilities to bypass authentication, execute code, or achieve remote code execution, and to conduct post-compromise activities such as stealing Internet Information Services (IIS) machine keys to maintain access and deploy malware on compromised systems. CISA also mentioned two additional SharePoint Server vulnerabilities, CVE-2026-55040 and CVE-2026-58644, which Microsoft has already patched and which may become targets for attackers, although no exploitation has been reported at this time. According to data from Shadowserver, nearly 10,000 Microsoft SharePoint Server instances are exposed to the internet, and more than 800 remain unpatched against CVE-2026-32201 and CVE-2026-45659.
CISA recommends that administrators check for signs of compromise, install the latest patches from Microsoft, verify that patch installation was successful, enable Windows Antimalware Scan Interface (AMSI) integration for SharePoint web applications, and use Microsoft Defender Antivirus (MDAV) to detect and remediate intrusions. CISA has added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and has ordered U.S. federal agencies to remediate systems affected by CVE-2026-56164 by July 17 under Binding Operational Directive (BOD) 26-04, or discontinue use if mitigation measures cannot be applied.
