Security/ security · sharepoint · vulnerability · cisa

CISA Flags Active SharePoint Exploits, Urges Patching

Three SharePoint Server vulnerabilities are being actively exploited for remote code execution and credential theft, with two more flagged as high-risk.

Attackers are actively breaking into on-premises SharePoint servers, and CISA wants admins to stop what they're doing and patch now.

Three vulnerabilities — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — are under active exploitation across SharePoint Server 2016, 2019, and Subscription Edition. Attackers are using them to achieve remote code execution, then pivoting to steal IIS machine keys and run deserialization attacks to establish persistence and drop malware. CISA added all three to its Known Exploited Vulnerabilities catalog, the last one as recently as today. Two additional CVEs (CVE-2026-55040 and CVE-2026-58644) aren't known to be exploited yet, but Microsoft has flagged them as ripe targets.

On-premises SharePoint has a long history of being a soft target — it's widely deployed in government and enterprise, often internet-facing, and patch cycles tend to lag. The IIS machine key theft angle is particularly nasty: once attackers have those keys, they can forge encrypted tokens and maintain access even after surface-level remediation, meaning rotating keys without first hunting for existing implants just resets the lock while the burglar is still inside.

CISA's hardening checklist runs long — enable AMSI in Full Mode, restrict Central Administration exposure, put the server behind an authenticated Layer 7 proxy, review telemetry for webshells — which is another way of saying many organizations aren't doing the basics. If your SharePoint is directly internet-facing with no proxy in front of it, that's the finding.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →