Organisations running on-premises SharePoint should patch immediately and hunt for signs of compromise, after the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of three vulnerabilities affecting every supported version of the platform.
In an alert issued on 14 July 2026, CISA said threat actors are exploiting CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 to gain unauthorised access to on-premises SharePoint Server instances. The flaws affect SharePoint Server Subscription Edition, 2019 and 2016.
The attacks involve remote code execution and post-exploitation activity, including theft of Internet Information Services (IIS) machine keys and deserialisation techniques to gain persistence and deploy malware. Two further vulnerabilities, CVE-2026-55040 and CVE-2026-58644, are not yet known to be exploited but pose a risk if left unpatched, Microsoft has advised.
The warning matters for the many organisations that still run records, document management and intranet workloads on on-premises SharePoint farms. All three exploited flaws have been added to CISA's Known Exploited Vulnerabilities catalogue, the most recent on 14 July 2026.
Recommended Actions
CISA urges organisations to apply the latest Microsoft patches, verify the installation completed successfully, and shorten patching cycles where possible. It also recommends enabling Antimalware Scan Interface (AMSI) integration for each SharePoint web application, with "Full Mode" selected for request body scanning where feasible.
Before rotating IIS machine keys, defenders should hunt for and remediate intrusion artefacts, including machine-key harvesters that could allow keys to be stolen again. CISA points to specific AMSI and Microsoft Defender Antivirus detections, including a webshell detection covering exploit chains on all supported versions.
The agency advises against exposing SharePoint servers directly to the internet unless necessary. Where internet exposure is unavoidable, servers should sit behind a Layer 7 reverse proxy or equivalent application-layer control that requires authentication and can inspect requests. Organisations should also block external access to SharePoint Central Administration and restrict farm and database communications to required systems.
CISA recommends tailored logging to detect exploitation, with telemetry reviewed for anomalous requests, suspicious SharePoint worker-process activity, webshells and machine-key access. Microsoft contributed to the alert, which is available via www.cisa.gov.