CISA Warns of Active Exploitation in SharePoint Server Vulnerabilities
The **Cybersecurity and Infrastructure Security Agency (CISA)** has issued an urgent alert regarding active exploitation of multiple vulnerabilities in on-premises **SharePoint Server** instances. Threat actors are leveraging these flaws to gain unauthorized access, achieve remote code execution (RCE), and establish persistence through post-exploitation techniques. Organizations using **SharePoint Server** 2016, 2019, or Subscription Edition are urged to take immediate action.
# CISA Warns of Active Exploitation in SharePoint Server Vulnerabilities
**CISA** has updated its alert to include **CVE-2026-58644** in its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the ongoing threat to **SharePoint Server** deployments.
## Critical Vulnerabilities Under Active Attack
Several vulnerabilities are currently being actively exploited, allowing cyber threat actors to compromise on-premises **SharePoint Server** instances. These include:
* **CVE-2026-32201**
* **CVE-2026-45659**
* **CVE-2026-56164**
* **CVE-2026-58644**
These flaws affect all supported on-premises **SharePoint Server** versions (**Subscription Edition**, **2019**, and **2016**). Attackers are using them to achieve remote code execution (RCE) and conduct post-exploitation activities, such as stealing **Internet Information Services (IIS)** machine keys and employing deserialization techniques to gain persistence and deploy malware.
## Unpatched Risk: CVE-2026-55040
In addition to the actively exploited vulnerabilities, **Microsoft** has identified **CVE-2026-55040** as posing a significant risk if left unpatched, although it is not yet known to be exploited in the wild.
## Immediate Actions for Detection and Remediation
**CISA** strongly recommends that organizations implement the following to detect and remediate potential compromises:
* **Apply Patches Promptly**: Install the latest security updates from **Microsoft** and verify successful installation. Shorten patching cycles where feasible.
* **Enable AMSI Integration**: Ensure **Antimalware Scan Interface (AMSI)** integration is enabled for each **SharePoint** web application. Follow **Microsoft's** guidance to configure it properly, opting for "Full Mode" for Request Body Scan Mode where possible.
### Key AMSI and MDAV Detections:
Organizations should monitor for the following specific detections:
* **AMSI**: `Exploit:Script/SuspSignoutReqBody.A` β for request body scanning (SharePoint Server Subscription only).
* **AMSI**: `Exploit:Script/ToolPaneAuthBypass.A` β for request header scanning (SharePoint Server 2016, 2019, and Subscription Edition).
* **AMSI**: `Exploit:Script/ToolPaneAuthBypass.C` β for RCE coverage (SharePoint Server 2016, 2019, and Subscription Edition).
* **MDAV**: `Backdoor:MSIL/LeakFang.A!dha` β an alert for post-exploitation activity involving **IIS**-protected secrets.
## Recommended SharePoint Server Hardening Measures
Beyond patching and detection, **CISA** advises implementing these hardening measures:
* **Rotate IIS Machine Keys Securely**: Before rotation, hunt for and remediate any intrusion artifacts, including machine-key harvesters, to prevent re-theft. Refer to **Microsoft's** guidance on improved **ASP.NET** view state security and key management.
* **Establish Tailored Logging**: Implement specific logging mechanisms to detect and monitor exploitation. Review telemetry for anomalous requests, suspicious **SharePoint** worker-process activity, webshells, and machine-key access. **CISA's** "Best Practices for Event Logging and Threat Detection" provides further details.
* **Limit Internet Exposure**: Avoid direct exposure of **SharePoint Servers** to the internet unless absolutely necessary. If required, configure them behind a Layer 7 reverse proxy or equivalent application-layer security control that demands authentication and can inspect/filter requests.
* **Restrict Access**: Block external access to **SharePoint Central Administration**, restrict farm and database communications to essential systems, and review **Microsoft's SharePoint Server** security-hardening guidance for role-specific ports, services, and `Web.config` settings.
## Stay Informed and Report Incidents
**CISA** urges users and administrators to review the alert "UPDATE: **Microsoft** Releases Guidance on Exploitation of **SharePoint** Vulnerabilities" and apply all necessary updates. The agency added **CVE-2026-32201**, **CVE-2026-45659**, **CVE-2026-56164**, and **CVE-2026-58644** to its **Known Exploited Vulnerabilities (KEV) Catalog** on various dates in 2026.
Organizations should report any incidents or anomalous activity to **CISA's** 24/7 Operations Center via `[email protected]` or 1-844-Say-CISA (1-844-729-2472).