CISA Warns of Active Exploitation in SharePoint Server Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a critical alert regarding the active exploitation of three vulnerabilities impacting on-premises **SharePoint Server** instances. Attackers are leveraging these flaws to bypass authentication, achieve remote code execution, and establish persistence for malware deployment, urging immediate action from IT security professionals.
The **CISA** has sounded the alarm on a series of vulnerabilities actively being exploited in **Microsoft SharePoint Server** deployments. These security flaws, identified as **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164**, affect all supported self-hosted **SharePoint Server** versions, including the latest **SharePoint Server Subscription Edition**.
Attackers are exploiting these vulnerabilities to bypass authentication mechanisms, gain remote code execution capabilities, and engage in post-exploitation activities. This includes the theft of **Internet Information Services** (IIS) machine keys and establishing persistence to deploy malicious software on compromised systems.

In addition to the actively exploited vulnerabilities, **CISA** also highlighted two other **SharePoint Server** flaws, **CVE-2026-55040** and **CVE-2026-58644**, which **Microsoft** patched recently. While not yet exploited in the wild, these are considered attractive targets for threat actors.
### The Scope of Exposure
Internet security watchdog group **Shadowserver** currently tracks nearly 10,000 Internet-exposed **Microsoft SharePoint** servers. Disturbingly, over 800 of these remain unpatched against **CVE-2026-32201** and **CVE-2026-45659**. The exact number vulnerable to **CVE-2026-56164** or those acting as honeypots is currently unknown.

*SharePoint Server instances exposed online (**Shadowserver**)*
### Urgent Call to Action
**CISA** has strongly urged security teams to diligently monitor affected servers for any indicators of compromise. Key recommendations include:
* Applying **Microsoft's** latest security patches immediately.
* Verifying the successful installation of all updates.
* Shortening patching cycles to minimize exposure windows.
* Enabling **Windows Antimalware Scan Interface** (AMSI) integration for **SharePoint** web applications.
* Leveraging **Microsoft Defender Antivirus** (**MDAV**) detections for early compromise detection and remediation.
### Hardening Your SharePoint Environment
Beyond patching, **CISA** advises several hardening measures:
* Actively hunting for and remediating intrusion artifacts before rotating IIS machine keys.
* Establishing tailored logging to monitor for anomalous activity.
* Avoiding direct internet exposure of **SharePoint** servers unless absolutely necessary.
* Reviewing **Microsoft's** official **SharePoint Server** security-hardening guidance.
* Blocking external access to **SharePoint Central Administration**.
* Restricting farm and database communication to only required systems.
* For necessary external exposure, placing servers behind a Layer 7 reverse proxy or similar application-layer security control.
### Federal Mandate and Historical Context
**CISA** added **CVE-2026-32201** to its Known Exploited Vulnerabilities Catalog on April 14, followed by **CVE-2026-45659** on July 1, and **CVE-2026-56164** on July 14.
Federal agencies are under a strict mandate, **Binding Operational Directive (BOD) 26-04**, requiring them to secure **SharePoint** servers affected by **CVE-2026-56164** by July 17 or decommission them if mitigations cannot be applied.
Since November 2021, **CISA** has identified a total of 11 **Microsoft SharePoint** vulnerabilities exploited in attacks, with 7 of these also leveraged in ransomware campaigns. This highlights the persistent and critical threat landscape surrounding **SharePoint** deployments.