The campaign targets organizations operating on-premises versions of SharePoint Server, including SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition.
Nearly 10,000 SharePoint servers exposed onlineThe Shadowserver Foundation was tracking close to 10,000 publicly reachable Microsoft SharePoint servers around the time of CISA’s warning.
Endpoint detection and response monitoring should also cover SharePoint servers, IIS processes and administrative activity across the farm.
Under Binding Operational Directive 26-04, U.S. Federal Civilian Executive Branch agencies were ordered to remediate the SharePoint vulnerability by July 17.
SharePoint remains a recurring enterprise targetCISA has added 11 Microsoft SharePoint vulnerabilities to its exploited-vulnerability catalog since November 2021.
The U.S. Cybersecurity and Infrastructure Security Agency has issued an urgent warning over continuing attacks against internet-exposed Microsoft SharePoint servers, saying threat actors are chaining vulnerabilities to bypass authentication, execute code and maintain persistent access to compromised networks.
The campaign targets organizations operating on-premises versions of SharePoint Server, including SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. Microsoft 365’s cloud-hosted SharePoint Online service is not identified as affected.
According to CISA’s Advisory, attackers are exploiting vulnerabilities tracked as CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164. The agency warned that successful exploitation can allow attackers to circumvent authentication, gain remote code execution and conduct extensive post-exploitation activity.
Observed actions include stealing Internet Information Services machine keys, establishing persistent access and deploying additional malicious payloads. Because stolen machine keys may remain useful after software updates are installed, CISA stressed that organizations must investigate affected servers for evidence of compromise rather than treating patching alone as a complete response.
The warning follows Microsoft’s July security release, which also addressed two additional high-risk SharePoint vulnerabilities—CVE-2026-55040 and CVE-2026-58644. Neither was known to be exploited when CISA published its alert, but both could provide attackers with powerful new paths into vulnerable SharePoint environments.
Three SharePoint vulnerabilities under active attack
The first exploited vulnerability, CVE-2026-32201, is an improper input-validation flaw that enables an unauthenticated attacker to conduct a network-based spoofing attack.
Microsoft assigned the vulnerability a CVSS score of 6.5. Although its severity rating is lower than those normally associated with remote code execution, the vulnerability requires no existing privileges or user interaction and has low attack complexity. These characteristics make it potentially valuable as part of a broader exploit chain.
CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog on April 14, confirming that attackers were already using it in real-world intrusions. Federal civilian agencies were originally instructed to address the vulnerability by April 28. The National Vulnerability Database describes it as a SharePoint improper-input-validation weakness that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-45659, the second exploited flaw, is a high-severity deserialization vulnerability that can allow a SharePoint user to execute code remotely on an affected server. Microsoft gave it a CVSS score of 8.8.
Exploitation requires an authenticated account with at least Site Member permissions, but it does not require administrator access or interaction from another user. This significantly increases the danger posed by stolen credentials obtained through phishing, password reuse, information-stealing malware or other identity-based attacks.
Deserialization vulnerabilities occur when an application reconstructs data supplied by an untrusted source without applying adequate validation. A carefully constructed object can sometimes manipulate the deserialization process and cause the application to execute attacker-controlled code.
CISA added CVE-2026-45659 to its exploited-vulnerability catalog on July 1. Microsoft had previously addressed the vulnerability in its May 2026 security updates, meaning attackers were targeting organizations that had not yet installed an available patch.
CVE-2026-56164 is the latest SharePoint weakness to join the campaign. Microsoft disclosed and patched the vulnerability as a zero-day on July 14 after detecting exploitation in attacks.
The vulnerability results from missing authentication around a critical SharePoint function. It allows an unauthenticated attacker to elevate privileges remotely without requiring user interaction. Microsoft rated the issue Moderate, with a CVSS score of 5.3, because the vulnerability’s direct confidentiality and availability effects are limited.
However, its active exploitation shows why CVSS ratings should not be used as the sole basis for patching decisions. Even a moderate-rated vulnerability can become critical in practice if it removes an authentication boundary or provides a missing stage in a multi-vulnerability attack chain. The official CVE record confirms that CVE-2026-56164 can be exploited over a network without credentials.
Attackers can move beyond initial SharePoint access
SharePoint servers are particularly attractive targets because they often contain sensitive corporate documents, internal communications, authentication material and information about an organization’s employees, projects and customers.
On-premises deployments may also be closely connected to Active Directory, SQL Server, file storage, backup systems and other critical infrastructure. Compromising SharePoint can therefore provide an attacker with considerably more than access to a single web application.
Once code execution is achieved, an intruder may be able to install web shells, harvest credentials, collect configuration files, steal documents and use the server as a staging point for movement into the wider Windows environment.
CISA said attackers have also stolen IIS machine keys from compromised servers. These cryptographic keys are used by ASP.NET applications to protect authentication data, session information and other security-sensitive values.
Possession of the correct machine keys may allow an attacker to create authentication material that a SharePoint server accepts as legitimate. This can preserve access even after an organization installs security updates or removes the attacker’s original web shell.
That persistence risk changes the required incident-response process. Administrators should not rotate keys before collecting relevant forensic evidence and removing malicious artifacts, because an attacker who remains on the server may simply steal the replacement keys.
Instead, organizations should identify and isolate potentially compromised systems, preserve evidence, hunt for malicious files and processes, remove attacker persistence, patch every SharePoint server in the farm and then rotate the relevant cryptographic keys. IIS should be restarted after the rotation so that the new keys take effect.
If investigators cannot establish that an exposed, vulnerable server remained uncompromised, rebuilding it from a trusted source may be safer than relying exclusively on in-place remediation.
Two newly patched flaws create further risk
Microsoft’s July 2026 security updates also addressed CVE-2026-55040, a critical SharePoint authentication-bypass vulnerability discovered by Rapid7.
The flaw involves weak validation of JSON Web Tokens. According to Rapid7’s disclosure, an unauthenticated attacker can exploit the weakness to impersonate a SharePoint user.
Microsoft assigned CVE-2026-55040 a CVSS score of 9.1 and assessed exploitation as more likely. The vulnerability can allow unauthorized access to data and modification of content, although it does not directly provide code execution by itself.
Its importance is amplified by Rapid7’s finding that it can be chained with a separate vulnerability to achieve unauthenticated remote code execution. Rapid7 reported the complete chain to Microsoft after developing it during a zero-day research project against SharePoint.
At the time of the July release, Microsoft had corrected the authentication-bypass component, while the second vulnerability in Rapid7’s chain remained under coordinated disclosure and was expected to receive a separate fix. Installing the July update therefore removes the entry point required for that demonstrated attack chain, even if the remaining component has not yet been publicly detailed.
The second newly addressed issue, CVE-2026-58644, is a critical deserialization vulnerability carrying a CVSS score of 9.8. Microsoft’s published CVE description states that an unauthorized attacker can exploit the flaw over a network to execute code.
The vulnerability has low attack complexity, requires no user interaction and can result in complete loss of confidentiality, integrity and availability. Although CISA had not confirmed active exploitation when it released its warning, those characteristics make the flaw a particularly attractive target for exploit development.
CISA advised organizations to treat both newly patched vulnerabilities as potentially significant attack paths rather than waiting for evidence of exploitation to emerge.
Nearly 10,000 SharePoint servers exposed online
The Shadowserver Foundation was tracking close to 10,000 publicly reachable Microsoft SharePoint servers around the time of CISA’s warning.
More than 800 appeared to remain unpatched against CVE-2026-32201 or CVE-2026-45659. The true vulnerable population could be different because internet scanning cannot always determine a server’s precise configuration or patch state, and some detected systems may be honeypots.
Shadowserver’s checks also did not establish how many systems remained vulnerable to CVE-2026-56164. Nevertheless, the figures illustrate the potential attack surface available to threat actors searching the internet for exposed collaboration servers.
SharePoint farms can be difficult to update because they frequently support business-critical workflows and integrations. Updates may require careful sequencing, testing, installation across multiple servers and the completion of SharePoint configuration steps after the software packages are applied.
That operational complexity can produce long delays between Microsoft releasing a patch and an organization completing deployment across its environment. Attackers increasingly exploit this interval, scanning for systems that remain vulnerable after technical details or reliable detection methods become available.
Administrators must also confirm that updates were installed successfully across every server in a farm. Seeing an update on one server, or seeing that its installer completed, does not prove that the entire SharePoint environment has been fully remediated.
CISA calls for patching, monitoring and exposure reduction
CISA urged organizations to install Microsoft’s latest SharePoint security updates immediately and verify that all relevant patches and configuration actions have completed successfully.
Security teams should then examine the affected environment for indicators of exploitation. Relevant evidence may include recently created or modified files in SharePoint and IIS directories, unexpected web shells, unusual child processes launched by IIS worker processes, suspicious PowerShell activity, unfamiliar scheduled tasks and services, outbound connections to unknown infrastructure and anomalous authentication events.
Organizations should enable the Antimalware Scan Interface integration for SharePoint web applications and use Microsoft Defender Antivirus—or an equivalent security product—to scan content and identify malicious activity. Endpoint detection and response monitoring should also cover SharePoint servers, IIS processes and administrative activity across the farm.
AMSI integration allows supported antimalware tools to inspect certain content before SharePoint processes it, providing another opportunity to detect malicious payloads. It is a defence-in-depth control and should not be treated as a replacement for security updates.
Logging should be tailored to the organization’s environment and retained for long enough to support an investigation that may reach back before the public disclosure date. Centralizing SharePoint, IIS, Windows, PowerShell, endpoint-security and identity logs can help analysts reconstruct an attacker’s activity across multiple systems.
CISA also recommends avoiding direct internet exposure of on-premises SharePoint servers unless there is a clear business requirement. Where external access is unavoidable, organizations should place the service behind a properly configured Layer 7 reverse proxy, web application firewall or comparable application-layer security control.
External access to SharePoint Central Administration should be blocked, while communication between farm members and database servers should be limited to explicitly authorized systems and required ports. Administrative interfaces should be reachable only through controlled management networks or secure remote-access services.
These controls will not eliminate the need for patching, but they can reduce the number of systems directly reachable by opportunistic attackers and make exploitation more difficult.
Additional protective measures include proactively searching for and removing any signs of compromise before rotating IIS machine keys. Administrators should also implement tailored logging and monitoring to detect suspicious activity, restrict direct internet access to SharePoint servers unless it is operationally essential, and follow Microsoft’s official security-hardening recommendations for SharePoint Server deployments.
Federal agencies face a July 17 deadline
CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog on July 14 alongside three other vulnerabilities affecting separate products.
Under Binding Operational Directive 26-04, U.S. Federal Civilian Executive Branch agencies were ordered to remediate the SharePoint vulnerability by July 17. Agencies unable to apply the required mitigation must discontinue use of the affected product until the risk can be addressed.
The unusually short deadline reflects evidence of active exploitation and the risk associated with externally accessible enterprise infrastructure. CISA had previously added CVE-2026-32201 on April 14 and CVE-2026-45659 on July 1.
Although CISA’s binding deadlines apply directly to federal civilian agencies, private organizations frequently use the KEV catalog to prioritize security work. Inclusion means exploitation has been supported by reliable evidence; it is not merely a prediction that attackers may eventually target the flaw.
SharePoint remains a recurring enterprise target
CISA has added 11 Microsoft SharePoint vulnerabilities to its exploited-vulnerability catalog since November 2021. Seven have also been associated with ransomware activity, highlighting the platform’s value to both espionage groups and financially motivated attackers.
The new warning also follows the widespread exploitation of SharePoint vulnerabilities in 2025, when multiple threat groups compromised internet-facing servers, stole cryptographic keys, deployed web shells and, in some incidents, delivered ransomware.
That history demonstrates that SharePoint incidents frequently extend beyond the initial vulnerability. Attackers may use one flaw to cross an authentication boundary, another to run code and post-exploitation tools to preserve access after defenders begin remediation.
For organizations running SharePoint Server on-premises, the immediate priority is therefore broader than installing July’s updates. They must determine which servers were internet-facing, establish whether those systems were exposed while vulnerable, inspect them for compromise and rotate security-sensitive keys only after malicious access has been removed.
Organizations that cannot rapidly patch, investigate and securely operate an externally accessible SharePoint deployment should remove it from direct internet exposure until those controls are in place.