CISA Flags Three Actively Exploited Microsoft SharePoint Flaws as New Risks Emerge


sharepoint flaw
Image credit: Microsoft

A fresh cybersecurity warning has been published for Microsoft SharePoint administrators. In the advisory first spotted by Bleeping Computer, CISA says attackers are already exploiting multiple SharePoint vulnerabilities in real-world attacks, giving threat actors a direct path to compromise vulnerable on-premises servers before many organizations have a chance to respond.

CISA confirms active Microsoft SharePoint exploitation

The CISA has confirmed that three SharePoint vulnerabilities are now being actively exploited in the wild. The affected flaws, tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, impact all supported on-premises versions of Microsoft SharePoint Server, including Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.

According to CISA, attackers can chain the vulnerabilities to achieve remote code execution before moving deeper into compromised environments. Observed post-exploitation activity includes stealing Internet Information Services (IIS) machine keys, abusing deserialization techniques to maintain persistence, and deploying malware after gaining access.

The agency has also highlighted two additional SharePoint vulnerabilities, CVE-2026-55040 and CVE-2026-58644. Although these flaws have not yet been observed in active attacks, Microsoft considers both to present a significant security risk if organizations leave them unpatched.

CISA urges immediate hardening before attacks spread further

Speaking of mitigation, CISA is urging administrators to install Microsoft’s latest security updates immediately and confirm the patches complete successfully. Organizations are also advised to enable Antimalware Scan Interface (AMSI) integration in Full Mode wherever possible, review Microsoft Defender detections, and investigate any alerts that indicate attempted exploitation.

Beyond patching, CISA recommends strengthening SharePoint deployments by hunting for compromise before rotating IIS machine keys, implementing enhanced logging, blocking direct internet exposure, restricting access to SharePoint Central Administration, and placing internet-facing SharePoint servers behind authenticated Layer 7 reverse proxies.

The agency has already added CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to its Known Exploited Vulnerabilities catalog, reinforcing that these attacks are no longer hypothetical. For organizations running on-premises SharePoint, delaying mitigation could significantly increase the risk of compromise.

More about the topics: Cybersecurity, microsoft, Microsoft Sharepoint, Sharepoint

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages