Exploited SharePoint

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory warning that attackers are actively exploiting three SharePoint Server vulnerabilitiesCVE‑2026‑32201, CVE‑2026‑45659, and CVE‑2026‑56164. These flaws affect all supported on‑premises SharePoint Server versions, including the Subscription Edition, and allow attackers to bypass authentication, achieve remote code execution, and establish persistence on compromised systems.

Actively Exploited Vulnerabilities

  • CVE‑2026‑32201 — Authentication bypass.
  • CVE‑2026‑45659 — Remote code execution.
  • CVE‑2026‑56164 — Privilege escalation exploited in the wild.

Attackers are using these flaws to:

  • Steal Internet Information Services (IIS) machine keys.
  • Deploy malware for persistence.
  • Conduct post‑exploitation activity across enterprise environments.

Additional Vulnerabilities to Watch

CISA also flagged two recently patched SharePoint flaws as likely targets:

  • CVE‑2026‑55040 — JWT authentication bypass.
  • CVE‑2026‑58644 — Newly patched, attractive to attackers.

Though not yet exploited, these vulnerabilities are considered high‑risk and should be patched immediately.

Exposure Statistics

According to Shadowserver, nearly 10,000 SharePoint servers are exposed to the internet.

  • Over 800 servers remain unpatched against CVE‑2026‑32201 and CVE‑2026‑45659.
  • Unknown numbers may still be vulnerable to CVE‑2026‑56164.

Recommended Defensive Measures

CISA urges administrators to:

  • Apply Microsoft’s latest patches and verify installation.
  • Enable AMSI integration for SharePoint web applications.
  • Use Microsoft Defender Antivirus to detect compromise.
  • Rotate IIS machine keys after hunting for intrusion artifacts.
  • Avoid direct internet exposure unless necessary.
  • Block external access to SharePoint Central Administration.
  • Restrict farm/database communication to required systems.
  • Deploy reverse proxies for exposed servers.

Federal Agency Deadlines

  • CVE‑2026‑56164 must be patched by July 17, 2026, under Binding Operational Directive (BOD) 26‑04.
  • Agencies unable to apply mitigations must discontinue affected servers.

Since November 2021, CISA has flagged 11 exploited SharePoint vulnerabilities, with 7 linked to ransomware campaigns.

Expert in the Cloud Insight

SharePoint remains a prime target for attackers due to its role as a corporate document hub. The combination of authentication bypass, RCE, and privilege escalation makes these flaws particularly dangerous. For defenders, the lesson is clear: shorten patch cycles, harden configurations, and monitor for anomalous activity.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.