CISA Warns of Active Attacks on SharePoint Servers, Urges Immediate Patching
Three flaws are being exploited to break into on-premises SharePoint, steal cryptographic keys, and plant malware. Two more just disclosed could be next.

Key points
- CISA confirmed active exploitation of three SharePoint Server flaws (CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) that let attackers run their own code on the server.
- The bugs affect every supported on-premises version: SharePoint Server Subscription Edition, 2019, and 2016.
- Two further flaws, CVE-2026-55040 and CVE-2026-58644, are patched but not yet seen in attacks, according to Microsoft.
- CISA added the three exploited CVEs to its Known Exploited Vulnerabilities catalog on April 14, July 1, and July 14, 2026.
- Attackers are stealing IIS machine keys to keep access even after patches are applied.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says hackers are actively breaking into on-premises SharePoint servers by chaining three separate flaws. SharePoint is Microsoft's document-sharing and intranet software that many organisations run on their own hardware rather than in the cloud.
The three bugs being exploited are CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. Together they give an attacker remote code execution, which is jargon for running any command they like on the target machine as if they were sitting at its keyboard.
Every supported on-premises version is affected: Subscription Edition, 2019, and 2016.
What are the attackers actually doing once they get in?
They are stealing the server's IIS machine keys and using them to keep a foothold. IIS is the web-server software SharePoint runs on top of, and its machine keys are secret values used to sign and encrypt data passed between the browser and the server. Steal those keys and you can forge trusted requests, which means a patched server can still be re-entered later using the stolen secrets.
CISA's advisory (published through the agency's alerts channel) describes the follow-on activity as deserialization attacks, a technique where the server is tricked into turning attacker-supplied data back into a live program object, and dropping webshells, small hidden scripts that let the attacker send commands over normal-looking web traffic.
Microsoft contributed to the alert. It has also flagged two more freshly disclosed bugs, CVE-2026-55040 and CVE-2026-58644, that have not been seen in attacks yet but should be patched anyway.
What should administrators do right now?
Apply Microsoft's latest SharePoint security updates, verify the install completed, and shorten the gap between patch cycles where possible. That is step one and it is not optional.
Step two is switching on Antimalware Scan Interface (AMSI) integration for every SharePoint web application, and setting Request Body Scan Mode to Full Mode where the environment can handle it. AMSI is a Windows feature that lets antivirus tools inspect scripts and web requests before they run. Microsoft has published signatures that specifically catch the observed exploit attempts, including Exploit:Script/SuspSignoutReqBody.A and two variants of Exploit:Script/ToolPaneAuthBypass. A separate Defender signature, Backdoor:MSIL/LeakFang.A!dha, flags the post-break-in activity involving stolen IIS secrets.
Before rotating IIS machine keys, hunt for the tools attackers use to harvest them. Rotate keys on a compromised box and the intruder simply steals the new ones.
CISA also wants SharePoint Central Administration blocked from the public internet, and any internet-facing SharePoint placed behind a Layer 7 reverse proxy, a filtering gateway that inspects web traffic and requires authentication before requests reach the server.
Does this affect ordinary users?
Not directly. This is an enterprise-server problem, not a home-user one. But if your employer, doctor's office, or local council runs an internal SharePoint portal, the IT team there needs to be patching this week, not next month. Staff who use SharePoint should be alert to unusual login prompts or file-sharing requests, and report anything odd rather than click through it.
CISA asks organisations to report suspected intrusions to its 24/7 operations centre at 1-844-729-2472.



