VYPR
advisoryPublished Jul 15, 2026· 1 source

CISA Warns of Actively Exploited SharePoint Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding three actively exploited vulnerabilities in Microsoft SharePoint Server, urging organizations to apply patches and implement hardening measures.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a stern warning to organizations running Microsoft SharePoint Server, highlighting three vulnerabilities that are currently being actively exploited in the wild. The alert emphasizes the need for immediate patching and enhanced security configurations to prevent further compromise.

The vulnerabilities in question include CVE-2026-32201, a spoofing flaw disclosed in March and confirmed by CISA to be under active exploitation since June. This is compounded by CVE-2026-45659, a critical remote code execution (RCE) vulnerability that, despite Microsoft initially assessing exploitation as "less likely," is now confirmed to be actively used in attacks. The third actively exploited flaw is CVE-2026-56164, a privilege escalation vulnerability that was part of Microsoft's latest Patch Tuesday release.

In addition to these three, CISA also flagged two other critical vulnerabilities from the recent Patch Tuesday: CVE-2026-55040 and CVE-2026-58644. While not yet confirmed as actively exploited, both have been labeled by Microsoft as having "Exploitation More Likely," suggesting a heightened risk of future attacks.

According to CISA, threat actors are chaining these vulnerabilities together to conduct post-exploitation activities. These activities include the theft of Internet Information Services (IIS) machine keys and the use of deserialization techniques, all aimed at establishing persistence on compromised systems and deploying malware. This sophisticated chaining of exploits underscores the severity of the threat and the potential for widespread impact.

The agency's warning echoes previous advisories, referencing an alert from August 2025 that cautioned against "ToolShell" attacks. In that instance, attackers were observed chaining CVE-2025-49706 and CVE-2025-49704 to gain access to SharePoint Servers, leading in some cases to the deployment of Warlock ransomware. While specific threat actor attribution was not provided for the current wave of attacks, Microsoft had previously linked ToolShell exploitation to Chinese nation-state actors.

To mitigate these risks, CISA strongly recommends that organizations apply all available Microsoft security patches for SharePoint Server. Furthermore, enabling the Antimalware Scan Interface (AMSI) for all SharePoint web applications is crucial for enhanced detection capabilities.

Additional hardening measures advised by CISA include conducting thorough threat hunting to identify any signs of existing intrusion, rotating IIS keys to prevent exposure, and blocking external access to SharePoint Central Administration. Robust and tailored logging configurations are also encouraged to aid in the detection of potential exploits and facilitate incident response.

The agency's proactive warning serves as a critical reminder for organizations to maintain vigilance and prioritize the security of their SharePoint environments, which often host sensitive internal data and are prime targets for attackers seeking to establish a foothold within corporate networks.

Synthesized by Vypr AI