Press TechRound interviews Secure.com CEO on the future of AI security
Read

CISA Warns: Three SharePoint Flaws Are Under Attack Right Now, and Patching Might Not Save You

CISA says attackers are exploiting three SharePoint Server bugs to steal IIS machine keys, plant malware, and keep access after patching.

Dateline: July 15, 2026

The SharePoint Flaw Your Intern’s Account Can Trigger

Patch Tuesday landed yesterday. So did a warning that should ruin a few weekends.

CISA told administrators that attackers are breaking into on premises SharePoint Servers using three separate flaws, and that installing the update is only step one. Fix the bug, and the intruder who got in last month may still be sitting there with a key you handed them.

What Happened?

On July 14, CISA published an alert confirming active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 against on premises SharePoint Server instances. All supported versions are affected, including Subscription Edition, 2019, and 2016.

The three bugs did not arrive together. CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities Catalog on April 14, CVE-2026-45659 on July 1, and CVE-2026-56164 on July 14. Three months, three additions, same product. That is a campaign, not a coincidence.

Each flaw plays a different role. CVE-2026-32201 is a spoofing bug from weak input validation, letting an unauthenticated attacker impersonate trusted content over the network. CVE-2026-45659 carries a CVSS score of 8.8 and comes from deserialization of untrusted data.

Microsoft says any authenticated user with only Site Member permissions can run code remotely on the server. Site Member is what you give the intern. CVE-2026-56164 is an elevation of privilege flaw reported by Google’s incident responders and an anonymous researcher, remotely exploitable in low complexity attacks.

Chained together, attackers reach remote code execution, then pivot to stealing IIS machine keys and using deserialization for persistence and malware delivery.

There is a wrinkle worth noting. Microsoft originally rated CVE-2026-45659 as “exploitation less likely.” It was also left out of the standard May Patch Tuesday advisory, so teams that triage by bulletin may never have flagged it. CISA’s KEV listing settled the argument.

CISA also flagged CVE-2026-55040 and CVE-2026-58644, patched Tuesday and considered attractive targets, though not yet seen exploited.

The Impact

The machine key theft is the part that matters. Stolen IIS machine keys let an attacker forge data that an ASP.NET application treats as trusted, bypassing authentication and keeping a backdoor alive after the original hole is closed. A patched farm can still be a compromised farm.

The exposure numbers are not comforting. Shadowserver tracks close to 10,000 internet exposed SharePoint servers, with more than 800 unpatched. And SharePoint has history: since November 2021, CISA has flagged 11 SharePoint vulnerabilities exploited in attacks, seven of them in ransomware campaigns.

Federal civilian agencies have until July 17 to fix CVE-2026-56164 under Binding Operational Directive 26-04, or pull the servers offline. Everyone else gets no deadline, which historically means later.

How to Avoid This

CISA’s guidance has a specific order, and the order is the point. Hunt first, rotate second.

Apply the correct cumulative update for your version, then verify the build number on every server in the farm rather than trusting the deployment console. Run the SharePoint Products Configuration Wizard on each server and reset IIS.

Hunt for intrusion artifacts before rotating machine keys. Rotate too early and you destroy the evidence while the attacker keeps their foothold.

Turn on AMSI integration for SharePoint web applications and pair it with Microsoft Defender Antivirus detections. Review telemetry for odd requests, suspicious SharePoint worker process behavior, webshells, and machine key access.

Keep SharePoint off the open internet, or put it behind a Layer 7 reverse proxy that authenticates and inspects requests. Block external access to Central Administration and limit farm and database traffic to systems that need it.

IOCs

CISA did not publish indicators with this alert. From prior SharePoint intrusion research, these patterns remain useful for hunting:

Webshell drops in the LAYOUTS directory, including spinstall0.aspx and case altered variants such as SPinstall0.aspx and spinstall1.aspx, under C:\Program Files\Common Files\microsoft shared\Web Server Extensions\TEMPLATE\LAYOUTS
Base64 encoded PowerShell delivered through cmd.exe that writes .aspx files into SharePoint paths The IIS worker process w3wp.exe spawning unexpected child processes Unexplained requests, new accounts, or config changes dated before you installed the July update

Treat these as historical patterns, not confirmed indicators for this specific campaign.

Your Patch Landed. Did Anyone Check?

Most teams find out they are exposed when someone reads a news article. That gap between a KEV listing and a verified fix is where these attacks live.

Secure.com’s Infrastructure Security Teammate closes it:

  • Watches the KEV catalog daily and matches new listings against your actual asset inventory, so you know within minutes whether CVE-2026-56164 touches you
  • Flags internet exposed servers carrying exploited CVEs and maps the blast radius before an attacker walks it
  • Starts an SLA clock on KEV listed findings and routes critical systems through human approval instead of blind auto patching
  • Validates that a patch actually took across every node in the farm, not just the one the console reported
  • Logs the whole chain to your risk register, which is what the auditor asks for anyway