Critical

CISA Urges SharePoint Hardening After New Exploitations

All CISA Advisories
Actively Exploited

Overview

CISA has issued a warning about active exploitation of several vulnerabilities in on-premises SharePoint Server instances, specifically CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. These vulnerabilities allow attackers to execute remote code and potentially steal sensitive data from affected systems. All supported versions of SharePoint Server, including the Subscription Edition, 2019, and 2016, are at risk. Organizations are advised to monitor their SharePoint Servers for unusual activities and to apply the latest patches from Microsoft. Additional vulnerabilities have been identified but are not yet known to be exploited, emphasizing the need for prompt updates and hardening measures to prevent possible breaches.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: On-premises SharePoint Server instances (Subscription Edition, 2019, 2016), Microsoft
  • Action Required: Apply the latest patches and security updates from Microsoft, verify installation completion, enable AMSI integration for each SharePoint web application, use the ‘Full Mode’ option for Request Body Scan Mode, monitor for specific AMSI and MDAV detections, rotate IIS machine keys after hunting for intrusion artifacts, establish tailored logging mechanisms, avoid exposing SharePoint Servers directly to the internet, and follow Microsoft’s SharePoint Server security-hardening guidance.
  • Timeline: Newly disclosed

Original Article Summary

CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity. Additionally, the following newly disclosed CVEs are not yet known to have been exploited, but Microsoft has identified them as posing a potential risk if left unpatched: CVE-2026-55040 CVE-2026-58644 CISA urges organizations to detect and remediate a potential compromise by implementing the following recommendations: Apply the latest patches and security updates from Microsoft, verify that installation completes successfully, and shorten patching cycles when possible. Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Follow Microsoft’s Configure AMSI integration with SharePoint Server guidance to ensure proper configuration and select the “Full Mode” option for the Request Body Scan Mode, where feasible. When compromise is expected, use the following AMSI and Microsoft Defender Antivirus (MDAV) detections, and implement your organization’s incident response plan for any positive detections: AMSI: Exploit:Script/SuspSignoutReqBody.A – request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts. AMSI: Exploit:Script/ToolPaneAuthBypass.A – request header scanning; SharePoint Server 2016, 2019, and Subscription Edition. AMSI: Exploit:Script/ToolPaneAuthBypass.C – RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition. MDAV: Backdoor:MSIL/LeakFang.A!dha – post-exploitation activity alert involving IIS-protected secrets. In addition, CISA recommends that organizations implement the following SharePoint Server hardening measures: Before rotating IIS machine keys, hunt for and remediate any intrusion artifacts, including machine-key harvesters, that could allow for the keys to be stolen again. Review Microsoft’s Improved ASP.NET view state security and key management for best practices. Establish tailored logging mechanisms to detect and monitor exploitation activities. Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access. For more information, see CISA’s Best Practices for Event Logging and Threat Detection. Avoid exposing SharePoint Servers directly to the internet unless necessary; and if necessary, only configure a SharePoint Server behind a Layer 7 reverse proxy or equivalent application-layer security control that requires authentication and can inspect and filter requests. Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings. CISA urges users and administrators to review the Alert UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities and apply necessary updates. CISA added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-32201 on April 14, 2026; CVE-2026-45659 on July 1, 2026; and CVE-2026-56164 on July 14, 2026. Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. Organizations should report incidents or anomalous activity to CISA via CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. Acknowledgements Microsoft contributed to this Alert.

Impact

On-premises SharePoint Server instances (Subscription Edition, 2019, 2016), Microsoft

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Apply the latest patches and security updates from Microsoft, verify installation completion, enable AMSI integration for each SharePoint web application, use the ‘Full Mode’ option for Request Body Scan Mode, monitor for specific AMSI and MDAV detections, rotate IIS machine keys after hunting for intrusion artifacts, establish tailored logging mechanisms, avoid exposing SharePoint Servers directly to the internet, and follow Microsoft’s SharePoint Server security-hardening guidance.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to CVE, Microsoft, Exploit, and 3 more.

Related Coverage

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access

The Hacker News

The ShadowPad malware is exploiting a recently patched vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, allowing attackers to gain full system access. This exploitation highlights the critical need for organizations to promptly apply security updates to vulnerable systems to prevent unauthorized access.

Nov 24, 2025

⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More

The Hacker News

This week, significant cybersecurity threats emerged as hackers exploited new 0-day vulnerabilities in Fortinet and Chrome, infiltrating supply chains and SaaS tools. The rapid response from major companies like Microsoft, Salesforce, and Google highlights the severity of these attacks and the ongoing challenges in securing trusted applications and software updates.

Nov 24, 2025

Microsoft Highlights Security Risks Introduced by New Agentic AI Feature

SecurityWeek

Microsoft has raised concerns about the security risks associated with its new Agentic AI feature, highlighting the potential for AI agents to engage in malicious activities like data exfiltration and malware installation if not properly secured. This underscores the critical need for robust security controls to mitigate these risks.

Nov 24, 2025

ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

The Hacker News

ToddyCat, a threat actor, has developed a new tool called TCSectorCopy to steal Outlook emails and Microsoft 365 access tokens by exploiting the OAuth 2.0 authorization protocol through users' browsers. This poses a significant threat to corporate email security, as it allows unauthorized access to sensitive information outside the compromised infrastructure.

Nov 25, 2025

Microsoft: Security keys may prompt for PIN after recent updates

BleepingComputer

Microsoft has alerted users that FIDO2 security keys may require a PIN for sign-in following recent Windows updates since September 2025. This change could affect user experience and security practices, particularly for those relying on these security keys for authentication.

Nov 26, 2025

Microsoft to secure Entra ID sign-ins from script injection attacks

BleepingComputer

Microsoft is set to enhance the security of its Entra ID authentication system to protect against external script injection attacks starting in mid-to-late October 2026. This improvement aims to mitigate potential vulnerabilities that could be exploited by attackers to compromise user sign-ins.

Nov 26, 2025