CISA Warns Actively Exploited SharePoint Flaw Requires Immediate Patching
CISA has added CVE-2026-56164, an actively exploited Microsoft SharePoint Server vulnerability, to its Known Exploited Vulnerabilities catalog. The agency’s SharePoint security alert warns that attackers are targeting on-premises servers exposed to the internet.
The flaw allows an unauthenticated attacker to elevate privileges remotely without user interaction. Microsoft’s CVE-2026-56164 advisory assigns a CVSS score of 5.3 and a Moderate severity rating. The National Vulnerability Database independently scores the same vulnerability at 9.8.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The vulnerability affects SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Online in Microsoft 365 is not listed as affected. Organizations should install the latest SharePoint security updates and investigate internet-facing systems for prior compromise.
What Is CVE-2026-56164?
CVE-2026-56164 is a missing-authentication vulnerability in a critical SharePoint function. It is classified under CWE-306, which describes security-sensitive functionality that does not properly require authentication.
An attacker needs network access but no SharePoint account. The published CVSS vector also indicates low attack complexity and no required user interaction.
Microsoft describes the direct result as elevation of privilege over a network. The company’s scoring records limited integrity impact and no direct confidentiality or availability impact from this vulnerability alone.
| Attribute | Details |
|---|---|
| CVE | CVE-2026-56164 |
| Weakness | Missing authentication for a critical function |
| Affected component | On-premises Microsoft SharePoint Server |
| Authentication required | No |
| User interaction required | No |
| Microsoft CVSS score | 5.3, Medium under CVSS and Moderate under Microsoft’s severity rating |
| NIST CVSS score | 9.8, Critical |
| Exploitation status | Actively exploited |
Why the Microsoft and NIST Scores Differ
The Microsoft assessment uses the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This produces a score of 5.3 because Microsoft records low integrity impact and no direct loss of confidentiality or availability.
NIST’s CVE analysis uses a different impact assessment, recording high confidentiality, integrity and availability impact. That produces a Critical score of 9.8.
The score difference should not delay remediation. Confirmed exploitation and the vulnerability’s role in broader SharePoint attack chains provide stronger evidence of urgency than either numerical score alone.
CISA Reports Broader SharePoint Attack Chains
CISA’s warning covers active exploitation involving CVE-2026-56164 and earlier SharePoint vulnerabilities CVE-2026-32201 and CVE-2026-45659. Attackers have used the combined weaknesses to reach internet-facing on-premises SharePoint environments.
According to the updated CISA SharePoint alert, observed post-exploitation activity has included remote code execution, IIS machine-key theft, malicious deserialization, persistence and malware deployment.
These broader outcomes should not be attributed solely to CVE-2026-56164. They reflect attackers combining multiple weaknesses and post-compromise techniques against exposed SharePoint servers.
- Initial unauthorized access to an on-premises SharePoint instance
- Remote execution through additional SharePoint vulnerabilities
- Access to IIS or ASP.NET machine keys
- Use of stolen keys to forge trusted requests
- Installation of web shells or other persistent malware
- Follow-on access to documents, credentials and connected systems
Affected and Fixed SharePoint Builds
The published affected-version data lists three on-premises SharePoint editions. Builds below the following thresholds are vulnerable to CVE-2026-56164.
| SharePoint edition | Affected builds | Required build level |
|---|---|---|
| SharePoint Enterprise Server 2016 | Earlier than 16.0.5561.1001 | 16.0.5561.1001 or later |
| SharePoint Server 2019 | Earlier than 16.0.10417.20175 | 16.0.10417.20175 or later |
| SharePoint Server Subscription Edition | Earlier than 16.0.19725.20434 | 16.0.19725.20434 or later |
Administrators should verify the installed build on every server in the SharePoint farm. A farm may remain exposed if one web front end, application server or other SharePoint component missed the update.
Installing SharePoint security updates can require additional configuration steps. Teams should complete the vendor’s documented installation process, run the appropriate SharePoint configuration workflow and verify that the farm reports the expected build.
CISA Set a Three-Day Federal Deadline
CISA added CVE-2026-56164 to the KEV catalog on July 14, 2026, with a remediation deadline of July 17. The KEV entry categorizes known ransomware use as unknown.
The deadline applies to U.S. Federal Civilian Executive Branch agencies under Binding Operational Directive 26-04. It does not create the same legal requirement for private organizations, state agencies or foreign entities.
CISA nevertheless recommends that all organizations use the KEV catalog when prioritizing vulnerability remediation. The three-day deadline signals an unusually urgent risk associated with active exploitation and public-facing SharePoint infrastructure.
Another SharePoint RCE Flaw Is Now Exploited
CISA updated its warning after adding CVE-2026-58644 to the KEV catalog on July 16. This separate SharePoint vulnerability involves deserialization of untrusted data and can allow an unauthenticated attacker to execute code remotely.
The CVE-2026-58644 record assigns a Critical CVSS score of 9.8. CISA set a federal remediation deadline of July 19, 2026.
| Vulnerability | Primary impact | KEV addition | Federal deadline |
|---|---|---|---|
| CVE-2026-56164 | Remote elevation of privilege through missing authentication | July 14, 2026 | July 17, 2026 |
| CVE-2026-58644 | Unauthenticated remote code execution through unsafe deserialization | July 16, 2026 | July 19, 2026 |
Organizations should therefore install the latest complete SharePoint security update rather than treating CVE-2026-56164 as an isolated patching task.
SharePoint 2016 and 2019 Reached End of Support
SharePoint Server 2016 and SharePoint Server 2019 reached end of support on July 14, 2026, according to Microsoft’s 2026 lifecycle schedule. The date coincided with the release of the final July security updates.
Organizations can still install the available updates, but unsupported deployments will not receive future security fixes. Continuing to expose SharePoint 2016 or 2019 creates an increasing risk as new vulnerabilities emerge.
Administrators should plan migration to SharePoint Server Subscription Edition or an appropriate supported cloud service. Migration does not remove the need to patch and investigate the current servers before moving data.
Immediate Actions for SharePoint Administrators
- Identify every on-premises SharePoint server and determine whether it is reachable from the internet.
- Install the latest Microsoft SharePoint security updates across the entire farm.
- Verify that every server meets or exceeds the fixed build for its edition.
- Follow BOD 26-04 risk-based guidance where it applies.
- Restrict external access to SharePoint and remove public access from Central Administration.
- Place required external services behind an authenticated Layer 7 reverse proxy or equivalent security control.
- Enable Antimalware Scan Interface integration for every SharePoint web application.
- Use Full Mode for Request Body Scan Mode where the environment supports it.
- Run current endpoint protection on every SharePoint server.
- Begin planning migration from products listed in Microsoft’s end-of-support schedule.
Threat Hunting Is Required Alongside Patching
Installing a patch prevents new exploitation of the corrected code but does not remove an attacker who already established persistence. Internet-facing SharePoint servers should receive forensic review even after the update is installed.
Security teams should preserve relevant logs and investigate anomalous web requests, unexpected SharePoint worker-process behavior, suspicious PowerShell activity, newly created files and unauthorized configuration changes.
- Review IIS access logs for unusual requests and abnormal response patterns.
- Check SharePoint and Windows event logs for unexpected administrative actions.
- Search web directories for newly created ASPX files and other possible web shells.
- Investigate unusual child processes launched by IIS or SharePoint worker processes.
- Review access to IIS and ASP.NET machine-key material.
- Look for unauthorized accounts, privilege changes and permission modifications.
- Examine scheduled tasks, services and startup locations for persistence.
- Review unusual outbound connections from SharePoint servers.
- Check endpoint protection for SharePoint-related exploit and backdoor detections.
Rotate Machine Keys Only After Investigating
CISA advises organizations to hunt for and remove intrusion artifacts before rotating IIS or ASP.NET machine keys. Rotating keys without removing the attacker’s access may allow the intruder to steal the new keys as well.
If compromise is confirmed, incident responders should isolate affected systems, preserve forensic evidence, remove persistence and determine which credentials, keys and connected services may have been exposed.
After containment and eradication, teams should rotate affected machine keys and credentials across the farm. They should also evaluate whether the attacker reached service accounts, databases, identity systems or other connected resources.
FAQ
CVE-2026-56164 is a missing-authentication vulnerability in on-premises Microsoft SharePoint Server. It allows an unauthenticated remote attacker to elevate privileges without user interaction.
Yes. Microsoft and CISA have confirmed active exploitation. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 14, 2026.
Microsoft assigns a CVSS score of 5.3 and a Moderate severity rating. NIST independently assigns a Critical score of 9.8 because it uses a different assessment of the potential impact.
The affected products are SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Online is not listed as affected.
CISA set July 17, 2026, as the deadline for covered federal agencies to remediate CVE-2026-56164. The agency set July 19 for the separate exploited SharePoint RCE flaw CVE-2026-58644.
No. Patching closes the vulnerability but does not remove web shells, stolen keys or other persistence created before the update. Exposed servers should also receive forensic investigation.
CISA advises investigating and removing intrusion artifacts before rotating IIS or ASP.NET machine keys. Otherwise, an attacker who remains on the server may steal the replacement keys.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages