CISA Warns: Patch Actively Exploited SharePoint Flaws in 2026
cisasharepoint servercve-2026-45659cve-2026-32201cve-2026-56164microsoftcybersecurityvulnerabilitypatchingrcekevincident response

CISA Warns: Patch Actively Exploited SharePoint Flaws in 2026

CISA has issued a fresh warning regarding actively exploited SharePoint flaws, specifically highlighting CVE-2026-45659, which was added to its Known Exploited Vulnerabilities (KEV) catalog on July 1, 2026. This comes as CISA also tracks two other recently added SharePoint KEVs: CVE-2026-32201 (April 14, 2026) and the latest, CVE-2026-56164 (July 14, 2026). Federal agencies face a strict three-day patching deadline for these, underscoring the urgency for all organizations to address these critical exploited SharePoint flaws.

The Incident: Another Wave of Exploited SharePoint Flaws

The addition of CVE-2026-45659 to the KEV catalog is a significant development. The KEV catalog serves as a definitive list of vulnerabilities that have been observed in the wild, providing federal agencies—and by extension, all organizations—with a clear mandate for immediate action against these exploited SharePoint flaws. Its inclusion means that this isn't a theoretical threat; it's an active one, with real-world consequences. The rapid succession of SharePoint vulnerabilities appearing in the KEV catalog, including CVE-2026-32201 and CVE-2026-56164, paints a concerning picture of ongoing targeting.

CVE-2026-45659, for instance, is a deserialization bug with a CVSS score of 8.8. Microsoft patched it in late May 2026. This vulnerability allows an authenticated attacker, even with Site Member permissions, to execute arbitrary code. This makes it incredibly easy for attackers to gain initial access, turning a seemingly low-privilege account into a critical entry point for further compromise. Addressing these actively exploited SharePoint flaws is paramount.

The Mechanism: From Deserialization to Deep Compromise

Let's break down how these attacks typically unfold, using CVE-2026-45659 as an example. This vulnerability leverages deserialization of untrusted data, a common class of bug where an application attempts to reconstruct a data object from an untrusted source. Attackers craft malicious serialized data, which the SharePoint server then attempts to process without proper validation, leading directly to remote code execution (RCE).

Once RCE is achieved, attackers often steal Internet Information Services (IIS) machine keys. These keys enable them to forge authentication tokens, establish persistence, and deploy additional malware. This sequence clearly demonstrates how an initial foothold can quickly escalate to a full system compromise, bypassing many traditional security controls. The ability to forge authentication tokens is particularly dangerous, as it allows attackers to impersonate legitimate users or services, making detection extremely difficult. This is a common tactic seen with actively exploited SharePoint flaws.

The Impact: Why Patching Feels Like a Persistent Challenge

The scope of impact is broad: all supported on-premises SharePoint Server versions—Subscription Edition, 2019, and 2016—are vulnerable, making it a widespread concern. This broad attack surface means that many organizations, especially those with complex, legacy deployments, are at risk. The sheer number of servers and farms that need to be updated simultaneously can be a logistical nightmare, often requiring extensive testing to ensure business continuity.

IT teams are understandably frustrated by the recurring deserialization bugs. This isn't a new phenomenon; for instance, Microsoft patched a SharePoint zero-day in April 2026, and CISA issued another warning in March 2026 about a different flaw being targeted. They often point out, correctly, that CVSS scores can be misleading. While a CVSS score provides a technical severity rating, its active exploitation makes it a top priority, regardless of its numerical value. An 8.8 CVSS score might seem high, but for an actively exploited vulnerability, even a lower score would warrant immediate attention. The real-world impact of these exploited SharePoint flaws far outweighs their theoretical rating.

The low privilege requirement for some of these vulnerabilities, such as Site Member permissions for CVE-2026-45659, is a significant concern. Most organizations contend with compromised user accounts; granting an attacker RCE with minimal effort poses a serious risk. Operational challenges further complicate matters: the difficulty of gaining visibility across all SharePoint farms, and the struggle to confirm patch installation. This environment creates compliance risks when patches are available but not applied promptly. The complexity of enterprise environments, coupled with the need for minimal downtime, often leads to delayed patching cycles, leaving organizations exposed to these actively exploited SharePoint flaws for longer than necessary.

<img src="

IT administrator in a server room.
IT administrator in a server room.
" alt="IT administrator addressing actively exploited SharePoint flaws">
IT administrator facing persistent SharePoint vulnerabilities.

The Response: Beyond Just Applying Updates

So, what's the immediate action? Apply patches. Microsoft has released updates, including a fix for CVE-2026-45659 in late May. Organizations must apply these updates and verify their installation. Reduce exposure by shortening patching cycles. This isn't merely about running an update; it's about a rigorous process of testing, deployment, and verification to ensure the patch has been successfully applied across all affected servers and that no new issues have been introduced. For many, this means re-evaluating their entire patch management strategy to prioritize critical, actively exploited SharePoint flaws.

Beyond patching, CISA advocates for stronger hardening measures. Enable Antimalware Scan Interface (AMSI) integration for each SharePoint web application, prioritizing "Full Mode" for request body scanning where feasible. AMSI provides a crucial layer of defense by allowing applications to integrate with any antimalware product present on the system to scan content for malicious payloads. Specific AMSI detections to monitor include Exploit:Script/SuspSignoutReqBody.A (for Subscription Edition), Exploit:Script/ToolPaneAuthBypass.A (request header scanning), and Exploit:Script/ToolPaneAuthBypass.C (RCE coverage). Microsoft Defender Antivirus (MDAV) can also detect post-exploitation activity, such as Backdoor:MSIL/LeakFang.A!dha, which indicates IIS machine key theft. Implementing these proactive measures can significantly reduce the attack surface and provide early warning signs of compromise from exploited SharePoint flaws.

However, defenses extend beyond tooling. Organizations must actively hunt for intrusion artifacts before rotating IIS machine keys. Establish tailored logging for anomalous requests, suspicious worker-process activity, and webshells. Do not expose SharePoint Servers directly to the internet; place them behind a Layer 7 reverse proxy that enforces authentication and inspects requests. A Layer 7 reverse proxy acts as an intelligent gatekeeper, capable of deep packet inspection and filtering malicious traffic before it ever reaches the SharePoint server. This is a critical control for preventing initial access. Block external access to Central Administration. These steps aren't optional; they're fundamental to security. A detection must trigger an immediate incident response protocol, ensuring that any signs of compromise from actively exploited SharePoint flaws are addressed swiftly and effectively.

<img src="

Network cable being plugged into a server.
Network cable being plugged into a server.
" alt="Network connection in a high-density server rack, crucial for securing exploited SharePoint flaws.">
Network connection in a high-density server rack.

The recurring nature of SharePoint vulnerabilities, particularly deserialization bugs, highlights the inherent challenges in managing complex, on-premises enterprise software. A reactive patching strategy isn't enough; organizations need a proactive, layered defense that fits their operational realities. This means improving visibility, speeding up response, and recognizing that any actively exploited vulnerability, regardless of its CVSS score, needs immediate action. If you're still using on-premises SharePoint, treat it as the critical, high-risk asset it is, and secure it rigorously against these persistent exploited SharePoint flaws.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.