TL;DR
CISA has confirmed active exploitation of three SharePoint vulnerabilities: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. Threat actors chain them to gain access to on-premises SharePoint Server instances, steal IIS machine keys, and deploy malware. Two more flaws, CVE-2026-55040 and CVE-2026-58644, are patched but not yet known to be exploited.
Why It Matters
All three exploited SharePoint vulnerabilities now sit in CISA’s Known Exploited Vulnerabilities Catalog. CVE-2026-32201 landed there on April 14, 2026, CVE-2026-45659 on July 1, and CVE-2026-56164 on July 14. The attacks target every supported on-premises version, so most SharePoint estates are in scope. Furthermore, stolen IIS machine keys give attackers persistence that survives basic patching. Cleanup therefore requires threat hunting, not just an update.
How the Attacks Work
Each flaw plays a different role in the chain. CVE-2026-32201 abuses improper input validation to perform spoofing over a network. CVE-2026-45659 allows an authorized attacker to run code through deserialization of untrusted data. Meanwhile, CVE-2026-56164 exposes a critical function with missing authentication, letting an unauthorized attacker elevate privileges remotely. After the initial break-in, actors steal IIS machine keys and use deserialization tricks to keep persistence and drop malware. Microsoft’s AMSI signatures, such as ToolPaneAuthBypass and SuspSignoutReqBody, detect known exploit attempts.
- Total: 5 CVEs
- Severity: 2 Critical · 1 High · 2 Medium
- Actively exploited: 3 (zero-day / KEV)
- Highest severity: 9.8 (Critical · CVSSv3) — CVE-2026-58644
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-58644 | 9.8 | CWE-502 | 16.0.5556.1005, 16.0.10417.20153, 16.0.19725.20384 | Not exploited |
| CVE-2026-55040 | 9.1 | CWE-1390 | 16.0.5561.1001, 16.0.10417.20175, 16.0.19725.20434 | Not exploited |
| CVE-2026-45659 | 8.8 | CWE-502 | 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280 | Exploited |
| CVE-2026-32201 | 6.5 | CWE-20 | 16.0.5548.1003, 16.0.10417.20114, 16.0.19725.20210 | Exploited |
| CVE-2026-56164 | 5.3 | CWE-306 | 16.0.5561.1001, 16.0.10417.20175, 16.0.19725.20434 | Exploited |
Affected Versions
The flaws affect all supported on-premises SharePoint Server releases: Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. SharePoint Online in Microsoft 365 is not listed in the alert.
Patch and Mitigation Steps
Apply the latest Microsoft updates and verify that installation completes. Next, enable AMSI integration for every SharePoint web application and set Request Body Scan Mode to Full where feasible. Hunt for intrusion artifacts, including machine-key harvesters, before rotating IIS machine keys. In addition, keep SharePoint off the open internet, or place it behind an authenticating Layer 7 reverse proxy. Block external access to Central Administration and restrict farm and database traffic. Finally, review the CISA alert on SharePoint hardening and Microsoft’s guidance, and watch for Defender detections such as Backdoor:MSIL/LeakFang.A!dha.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.