CISA sounds alarm on SharePoint Server flaws being used to break in right now
The US cyber agency says attackers are chaining three unpatched holes in self-hosted SharePoint to bypass logins, run code and stay hidden. Nearly 10,000 servers sit exposed online.

Key points
- The US Cybersecurity and Infrastructure Security Agency (CISA) warned on Tuesday that hackers are actively exploiting three flaws in self-hosted Microsoft SharePoint Server.
- The three bugs are tracked as CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164, and affect every supported on-premises SharePoint version.
- Watchdog group Shadowserver counts roughly 10,000 SharePoint servers exposed to the internet, with more than 800 still unpatched against two of the flaws.
- US federal agencies have until 17 July to patch CVE-2026-56164 or pull the servers offline, under Binding Operational Directive 26-04.
- Since November 2021, CISA has flagged 11 SharePoint bugs exploited in attacks, 7 of them tied to ransomware, which is malicious software that locks a company's files until it pays up.
CISA's advisory, first reported by BleepingComputer, is the kind of note that lands in an SRE's inbox on a Tuesday and ruins the week.
The target is Microsoft SharePoint Server, the on-premises version of the document and intranet platform that thousands of organisations still run inside their own data centres. Not the cloud version. The one your ops team maintains.
Attackers are chaining three separate holes. First they bypass the login. Then they get remote code execution, meaning they can run their own commands on the server. Then they steal something called IIS machine keys, cryptographic secrets used by the Windows web server software (Internet Information Services), which lets them keep coming back even after a reboot or patch.
In practice, that last step is what makes this ugly. Rotate the passwords all you want. If the machine keys are gone, the attacker still has a spare set.
How bad is the exposure?
Shadowserver, an internet-scanning non-profit, currently sees about 10,000 SharePoint Server instances exposed directly to the public internet. Over 800 of those are unpatched against CVE-2026-32201 and CVE-2026-45659. The count for CVE-2026-56164 is not yet clear, and some of those boxes will be honeypots (fake servers set up to lure attackers).
CISA also flagged two more SharePoint bugs Microsoft patched Tuesday, CVE-2026-55040 and CVE-2026-58644, as "attractive targets" even though nobody has been caught using them yet.
All three actively-exploited flaws are now on CISA's Known Exploited Vulnerabilities list. Federal agencies have until 17 July to fix CVE-2026-56164 or turn the servers off. Private companies have no such deadline, but the guidance is the same.
What should IT teams actually do?
Patch, obviously. But the advisory is unusually blunt that patching alone is not enough here.
The failure mode here is the machine keys. If an attacker got in before you patched, they may already have them. CISA's guidance: hunt for signs of intrusion first, clean up, then rotate the keys. Doing it the other way round is theatre.
Other steps in the advisory are the sort of thing every SharePoint admin has been told for a decade and quietly ignored. Turn on AMSI, the Windows Antimalware Scan Interface, so security tools can inspect what SharePoint is actually running. Run Microsoft Defender Antivirus on the servers. Block public access to the SharePoint Central Administration console. Put a Layer 7 reverse proxy in front, so a filtering server inspects web traffic before it ever reaches SharePoint.
And the one line that sits under all of it: do not put SharePoint Server on the public internet unless you genuinely have to.
Seven of the 11 SharePoint bugs CISA has flagged since 2021 have been used in ransomware attacks. That is not a coincidence. Internet-facing SharePoint has become one of the reliable front doors for extortion crews.
One thing the post-mortem will say, again: the patch was available, and the box was on the internet. Fix that order.



