CISA Warns of Active Attacks Against Three SharePoint Server Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations using on-premises Microsoft SharePoint Server to strengthen their defenses after confirming that three vulnerabil...

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations using on-premises Microsoft SharePoint Server to strengthen their defenses after confirming that three vulnerabilities are being exploited in attacks.

The advisory applies to supported SharePoint Server deployments. CISA highlighted CVE-2026-32201, a spoofing vulnerability rated 6.5; CVE-2026-45659, a remote-code-execution flaw rated 8.8; and CVE-2026-56164, a privilege-escalation issue rated 5.3. Microsoft disclosed the first vulnerability in March, while exploitation of the second was reported in June. The third was included in July’s Patch Tuesday release.

The agency also identified two additional critical vulnerabilities that could increase the risk to SharePoint environments. CVE-2026-55040 has a severity score of 9.1, and CVE-2026-58644 is rated 9.8. Neither has been confirmed as exploited, but Microsoft has classified both as more likely to be targeted.

Post-compromise activity

According to CISA, the exploited flaws have been linked to activity after initial compromise. Attackers have reportedly sought to steal Internet Information Services machine keys and use deserialization techniques to maintain access and install malware.

The agency referred defenders to a previous alert concerning “ToolShell” attacks against SharePoint. That campaign involved chaining two earlier vulnerabilities, CVE-2025-49706 and CVE-2025-49704. CISA said those attacks had, in some cases, resulted in Warlock ransomware deployment. The agency did not attribute the latest activity to a specific threat group or country.

CISA advised organizations to apply Microsoft’s current SharePoint security updates and confirm that Antimalware Scan Interface integration is enabled for every SharePoint web application. Defenders should also search for evidence of compromise before rotating IIS machine keys, since changing them prematurely can remove information useful for investigating an intrusion.

  • Limit SharePoint exposure to the internet where possible.
  • Restrict external access to SharePoint Central Administration.
  • Maintain tailored logging capable of identifying exploitation and post-compromise activity.
  • Conduct threat hunting across affected environments before making recovery changes.