CISA warns SharePoint operators after three flaws are exploited
The agency says attackers are abusing on-premises SharePoint Server bugs tied to persistence, malware deployment and IIS machine key theft.
By Renata Fuchs · Policy Reporter
· 3 min read
The US Cybersecurity and Infrastructure Security Agency is warning organizations that run on-premises SharePoint Server to tighten protections after three supported-version vulnerabilities were observed in active attacks. For enterprise IT and security teams, the notice puts fresh pressure on a Microsoft server product that remains widely deployed inside large organizations and has become a repeat target for ransomware and state-linked intrusion campaigns.
CISA singled out three flaws affecting supported versions of SharePoint Server. The first is CVE-2026-32201, a spoofing issue with a CVSS score of 6.5 that Microsoft disclosed in March and that CISA confirmed as exploited in June. The second is CVE-2026-45659, an 8.8-rated remote code execution vulnerability disclosed in June. Microsoft had previously assessed exploitation of that bug as “less likely,” but CISA said last week it had been used in attacks.
The third is CVE-2026-56164, a 5.3-rated privilege escalation flaw included in Microsoft’s latest Patch Tuesday release. That update covered 622 vulnerabilities, a record Patch Tuesday count, according to the notice.
Two more SharePoint bugs add risk
CISA also highlighted two critical SharePoint vulnerabilities from the same Patch Tuesday cycle that have not been seen in active exploitation so far. CVE-2026-55040 carries a 9.1 severity score, while CVE-2026-58644 is rated 9.8. Microsoft has labeled exploitation of both as “more likely,” which means defenders cannot treat the current exploitation list as a complete view of SharePoint exposure.
The agency said the three exploited flaws are linked to activity after initial compromise, including theft of Internet Information Services machine keys and use of deserialization techniques. CISA said those actions are intended to help attackers maintain access and install malware. The agency did not provide technical indicators in the warning or say what specific incident activity prompted the advisory.
CISA pointed defenders to an August 2025 alert on so-called ToolShell attacks against SharePoint. In that earlier warning, the agency said attackers were chaining CVE-2025-49706 and CVE-2025-49704 to compromise SharePoint Servers and, in some cases, deploy Warlock ransomware. CISA did not attribute the activity in either SharePoint warning to a named group or country. Microsoft said in July 2025 that Chinese nation-state actors had exploited ToolShell vulnerabilities.
What CISA is telling defenders to do
CISA’s guidance starts with the routine but necessary step of applying Microsoft’s latest security updates. The agency also urged organizations to confirm that Antimalware Scan Interface integration is enabled for every SharePoint web application.
For organizations that suspect exposure, CISA advised threat hunting for signs of compromise before rotating IIS keys. It also recommended limiting public internet exposure for SharePoint where possible and blocking external access to SharePoint Central Administration.
The agency also called for logging that is specific enough to identify exploit attempts and related intrusion activity. That point matters because SharePoint compromises can move from an application-layer bug to durable access if attackers obtain IIS machine keys or abuse server-side deserialization paths. CISA did not say how many organizations have been affected, which sectors were targeted, or whether the observed activity is tied to ransomware, espionage, or both.
This story draws on original reporting from The Register.