Virtual Round Table · Jul 22

View the event
CISA Warns of Active Mass Exploitation of On-Premises SharePoint, and Patching Alone Will Not Close the Door
Cybersecurity

CISA Warns of Active Mass Exploitation of On-Premises SharePoint, and Patching Alone Will Not Close the Door

Three SharePoint Server flaws are being chained in the wild to steal IIS machine keys and persist across patches. CISA gave federal agencies until July 17, and the rest of us should treat the clock as ours too.

PublishedJuly 15, 2026
Read time6 min read
Share

CISA flags an active SharePoint assault

On July 14, CISA issued an advisory confirming that attackers are actively exploiting three vulnerabilities in on-premises Microsoft SharePoint Server, and the agency wants defenders to treat this as an emergency. The trio, tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, lets an attacker bypass authentication, gain remote code execution, and establish persistence. All three now sit in CISA's Known Exploited Vulnerabilities catalog, with CVE-2026-56164 added the same day the advisory landed. For any organization still running SharePoint on its own servers, this is the kind of chained, internet-reachable weakness that turns a single exposed portal into a full network foothold within hours of discovery.

The timing matters for us. CVE-2026-56164 shipped as one of the exploited zero-days in Microsoft's record July Patch Tuesday, which addressed more than 570 fixes across the product line. CISA's follow-up advisory the same afternoon signals that patching alone will not settle the risk, because attackers already moved to post-exploitation. The agency set a federal remediation deadline of July 17 for CVE-2026-56164 under Binding Operational Directive 26-04, one of the tightest windows we have seen this year. Private enterprises are not bound by that clock, yet the deadline reads as a clear message about how fast this particular chain is being weaponized in the wild.

Inside the exploitation chain

The mechanics explain the urgency. According to CISA, threat actors are using the flaws to bypass authentication and reach remote code execution, then pivoting to steal Internet Information Services machine keys from compromised servers. Those keys are the crown jewels of a SharePoint deployment, because they let an attacker forge authentication tokens and ViewState payloads that survive a reboot and even a patch. Once a machine key leaks, rotating credentials and applying updates does not evict the intruder. That post-exploitation step is what separates this campaign from a routine patch cycle, and it is why CISA is pushing hardening guidance alongside the standard advice to update every affected server immediately.

The exposure spans every supported self-hosted edition, including SharePoint Server Subscription Edition, 2019, and 2016. CVE-2026-56164 itself carries a modest CVSS score of 5.3, rated Moderate, which is a useful reminder that severity ratings do not always track real-world danger. The flaw is a missing authentication check on a critical function, reachable over the network with no user interaction, so the low score understates how trivially it can be triggered. Microsoft also patched two related SharePoint bugs, CVE-2026-55040 and CVE-2026-58644, that are not yet exploited. Security teams should assume the exploited set will expand as researchers reverse the patches over the coming days.

What CISA wants defenders to do

CISA's hardening checklist goes beyond patching. The agency recommends enabling the Antimalware Scan Interface and Microsoft Defender Antivirus on SharePoint hosts, keeping the servers off the public internet where possible, and blocking external access to SharePoint Central Administration. It also advises placing a Layer 7 reverse proxy in front of any internet-facing deployment to filter malicious requests before they reach the application. For teams that cannot patch instantly, rotating IIS machine keys after applying updates is essential, because a stolen key retains its value until it is replaced. This is standard incident-response hygiene, and the advisory frames it as mandatory for any exposed system.

For CIOs and CISOs, the practical decision is whether on-premises SharePoint still earns its place in the estate. Every one of these campaigns rewards internet-exposed, self-managed collaboration servers, and each incident adds operational cost in emergency patching, key rotation, and forensic review. Migrating to SharePoint Online moves the patching burden to Microsoft, though it introduces its own identity and data-residency questions. Organizations that must keep SharePoint on their own hardware should be segmenting it aggressively, monitoring for anomalous ViewState activity, and treating any exposed instance as a priority target. The recurring pattern here is a strong argument for shrinking the on-premises footprint wherever governance and compliance allow.

A familiar pattern from ToolShell

We have seen this movie before. In 2025, the ToolShell campaign tore through unpatched on-premises SharePoint servers using a similar chain of authentication bypass and remote code execution, compromising government and enterprise targets at scale. The 2026 flaws revive that playbook with fresh vulnerabilities, and the reuse of IIS machine key theft for persistence shows the attackers learned what works. Groups that specialize in SharePoint exploitation have built reliable tooling, so the gap between patch release and mass exploitation keeps shrinking. When a proven attack surface gets a new set of bugs, the operational assumption should be that exploitation is already broad by the time an advisory appears.

The through line for leadership is patch velocity on identity-adjacent infrastructure. SharePoint sits close to Active Directory, IIS, and single sign-on, so a compromise rarely stays contained to documents. The machine-key theft angle means an attacker who lands early can maintain access through several patch cycles, which raises the stakes for detection and response. Boards increasingly ask how long critical patches take to reach production, and this advisory gives security teams a concrete example to benchmark against. If your organization cannot meet something close to CISA's July 17 window on an actively exploited flaw, that gap is worth surfacing in the next risk review.

The bottom line for security teams

Our recommendation is direct. Treat any internet-facing SharePoint Server as compromised until proven otherwise, then work backward. Apply the July updates, rotate IIS machine keys, and hunt for the post-exploitation indicators CISA and Microsoft have published, including unexpected ViewState requests and new persistence mechanisms. Confirm that Defender Antivirus and the Antimalware Scan Interface are active, and pull Central Administration off any externally reachable path. The cost of this work is real, yet it is far smaller than the cost of a forged-token intrusion that quietly persists across quarters. Speed is the single variable defenders control here, and the exploitation timeline leaves very little slack.

The broader lesson lands on architecture. Each SharePoint emergency reinforces that self-hosted collaboration platforms carry a standing tax in patch labor and breach risk, and that tax compounds as attacker tooling matures. Leaders weighing build versus buy for internal collaboration now have another data point favoring managed services for commodity workloads, provided identity and compliance requirements can be met. For the workloads that must stay on premises, the answer is disciplined segmentation, continuous monitoring, and a patch pipeline that can move within days. The organizations that come through these campaigns cleanly are the ones that decided, well in advance, how fast they can move.

Tagged#news#security#cisa#sharepoint#cve-2026-56164#microsoft#toolshell#zero-day