What's Happening?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of three vulnerabilities in on-premises SharePoint Server instances. These vulnerabilities, identified as CVE-2026-32201, CVE-2026-45659,
and CVE-2026-56164, allow attackers to bypass authentication, execute remote code, and perform post-exploitation activities such as stealing Internet Information Services machine keys and deploying malware. CISA has also highlighted two additional vulnerabilities, CVE-2026-55040 and CVE-2026-58644, which have been patched by Microsoft but are not yet known to be exploited. The agency advises security teams to apply the latest patches, monitor for signs of exploitation, and implement additional security measures to protect SharePoint servers.
Why It's Important?
The exploitation of these vulnerabilities poses a significant threat to organizations using SharePoint Server, as it can lead to unauthorized access and potential data breaches. With nearly 10,000 Internet-exposed SharePoint servers tracked by Shadowserver, over 800 remain unpatched against known vulnerabilities, increasing the risk of cyber attacks. The urgency of CISA's advisory underscores the critical need for organizations to prioritize cybersecurity measures, particularly in securing their SharePoint environments. Failure to address these vulnerabilities could result in severe consequences, including data theft, operational disruptions, and financial losses.
What's Next?
Federal agencies are required to secure affected SharePoint servers by July 17 under Binding Operational Directive 26-04. Organizations are encouraged to follow CISA's recommendations, including shortening patching cycles, enabling Windows Antimalware Scan Interface, and using Microsoft Defender Antivirus detections. Additionally, CISA suggests blocking external access to SharePoint Central Administration and placing servers behind a Layer 7 reverse proxy to enhance security. As cyber threats continue to evolve, ongoing vigilance and proactive security measures will be essential in mitigating risks associated with these vulnerabilities.













