CISA Warns Actively Exploited SharePoint Flaw Requires Immediate Patching


CISA has added CVE-2026-56164, an actively exploited Microsoft SharePoint Server vulnerability, to its Known Exploited Vulnerabilities catalog. The agency’s SharePoint security alert warns that attackers are targeting on-premises servers exposed to the internet.

The flaw allows an unauthenticated attacker to elevate privileges remotely without user interaction. Microsoft’s CVE-2026-56164 advisory assigns a CVSS score of 5.3 and a Moderate severity rating. The National Vulnerability Database independently scores the same vulnerability at 9.8.

The vulnerability affects SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Online in Microsoft 365 is not listed as affected. Organizations should install the latest SharePoint security updates and investigate internet-facing systems for prior compromise.

What Is CVE-2026-56164?

CVE-2026-56164 is a missing-authentication vulnerability in a critical SharePoint function. It is classified under CWE-306, which describes security-sensitive functionality that does not properly require authentication.

An attacker needs network access but no SharePoint account. The published CVSS vector also indicates low attack complexity and no required user interaction.

Microsoft describes the direct result as elevation of privilege over a network. The company’s scoring records limited integrity impact and no direct confidentiality or availability impact from this vulnerability alone.

AttributeDetails
CVECVE-2026-56164
WeaknessMissing authentication for a critical function
Affected componentOn-premises Microsoft SharePoint Server
Authentication requiredNo
User interaction requiredNo
Microsoft CVSS score5.3, Medium under CVSS and Moderate under Microsoft’s severity rating
NIST CVSS score9.8, Critical
Exploitation statusActively exploited

Why the Microsoft and NIST Scores Differ

The Microsoft assessment uses the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This produces a score of 5.3 because Microsoft records low integrity impact and no direct loss of confidentiality or availability.

NIST’s CVE analysis uses a different impact assessment, recording high confidentiality, integrity and availability impact. That produces a Critical score of 9.8.

The score difference should not delay remediation. Confirmed exploitation and the vulnerability’s role in broader SharePoint attack chains provide stronger evidence of urgency than either numerical score alone.

CISA Reports Broader SharePoint Attack Chains

CISA’s warning covers active exploitation involving CVE-2026-56164 and earlier SharePoint vulnerabilities CVE-2026-32201 and CVE-2026-45659. Attackers have used the combined weaknesses to reach internet-facing on-premises SharePoint environments.

According to the updated CISA SharePoint alert, observed post-exploitation activity has included remote code execution, IIS machine-key theft, malicious deserialization, persistence and malware deployment.

These broader outcomes should not be attributed solely to CVE-2026-56164. They reflect attackers combining multiple weaknesses and post-compromise techniques against exposed SharePoint servers.

  • Initial unauthorized access to an on-premises SharePoint instance
  • Remote execution through additional SharePoint vulnerabilities
  • Access to IIS or ASP.NET machine keys
  • Use of stolen keys to forge trusted requests
  • Installation of web shells or other persistent malware
  • Follow-on access to documents, credentials and connected systems

Affected and Fixed SharePoint Builds

The published affected-version data lists three on-premises SharePoint editions. Builds below the following thresholds are vulnerable to CVE-2026-56164.

SharePoint editionAffected buildsRequired build level
SharePoint Enterprise Server 2016Earlier than 16.0.5561.100116.0.5561.1001 or later
SharePoint Server 2019Earlier than 16.0.10417.2017516.0.10417.20175 or later
SharePoint Server Subscription EditionEarlier than 16.0.19725.2043416.0.19725.20434 or later

Administrators should verify the installed build on every server in the SharePoint farm. A farm may remain exposed if one web front end, application server or other SharePoint component missed the update.

Installing SharePoint security updates can require additional configuration steps. Teams should complete the vendor’s documented installation process, run the appropriate SharePoint configuration workflow and verify that the farm reports the expected build.

CISA Set a Three-Day Federal Deadline

CISA added CVE-2026-56164 to the KEV catalog on July 14, 2026, with a remediation deadline of July 17. The KEV entry categorizes known ransomware use as unknown.

The deadline applies to U.S. Federal Civilian Executive Branch agencies under Binding Operational Directive 26-04. It does not create the same legal requirement for private organizations, state agencies or foreign entities.

CISA nevertheless recommends that all organizations use the KEV catalog when prioritizing vulnerability remediation. The three-day deadline signals an unusually urgent risk associated with active exploitation and public-facing SharePoint infrastructure.

Another SharePoint RCE Flaw Is Now Exploited

CISA updated its warning after adding CVE-2026-58644 to the KEV catalog on July 16. This separate SharePoint vulnerability involves deserialization of untrusted data and can allow an unauthenticated attacker to execute code remotely.

The CVE-2026-58644 record assigns a Critical CVSS score of 9.8. CISA set a federal remediation deadline of July 19, 2026.

VulnerabilityPrimary impactKEV additionFederal deadline
CVE-2026-56164Remote elevation of privilege through missing authenticationJuly 14, 2026July 17, 2026
CVE-2026-58644Unauthenticated remote code execution through unsafe deserializationJuly 16, 2026July 19, 2026

Organizations should therefore install the latest complete SharePoint security update rather than treating CVE-2026-56164 as an isolated patching task.

SharePoint 2016 and 2019 Reached End of Support

SharePoint Server 2016 and SharePoint Server 2019 reached end of support on July 14, 2026, according to Microsoft’s 2026 lifecycle schedule. The date coincided with the release of the final July security updates.

Organizations can still install the available updates, but unsupported deployments will not receive future security fixes. Continuing to expose SharePoint 2016 or 2019 creates an increasing risk as new vulnerabilities emerge.

Administrators should plan migration to SharePoint Server Subscription Edition or an appropriate supported cloud service. Migration does not remove the need to patch and investigate the current servers before moving data.

Immediate Actions for SharePoint Administrators

  1. Identify every on-premises SharePoint server and determine whether it is reachable from the internet.
  2. Install the latest Microsoft SharePoint security updates across the entire farm.
  3. Verify that every server meets or exceeds the fixed build for its edition.
  4. Follow BOD 26-04 risk-based guidance where it applies.
  5. Restrict external access to SharePoint and remove public access from Central Administration.
  6. Place required external services behind an authenticated Layer 7 reverse proxy or equivalent security control.
  7. Enable Antimalware Scan Interface integration for every SharePoint web application.
  8. Use Full Mode for Request Body Scan Mode where the environment supports it.
  9. Run current endpoint protection on every SharePoint server.
  10. Begin planning migration from products listed in Microsoft’s end-of-support schedule.

Threat Hunting Is Required Alongside Patching

Installing a patch prevents new exploitation of the corrected code but does not remove an attacker who already established persistence. Internet-facing SharePoint servers should receive forensic review even after the update is installed.

Security teams should preserve relevant logs and investigate anomalous web requests, unexpected SharePoint worker-process behavior, suspicious PowerShell activity, newly created files and unauthorized configuration changes.

  • Review IIS access logs for unusual requests and abnormal response patterns.
  • Check SharePoint and Windows event logs for unexpected administrative actions.
  • Search web directories for newly created ASPX files and other possible web shells.
  • Investigate unusual child processes launched by IIS or SharePoint worker processes.
  • Review access to IIS and ASP.NET machine-key material.
  • Look for unauthorized accounts, privilege changes and permission modifications.
  • Examine scheduled tasks, services and startup locations for persistence.
  • Review unusual outbound connections from SharePoint servers.
  • Check endpoint protection for SharePoint-related exploit and backdoor detections.

Rotate Machine Keys Only After Investigating

CISA advises organizations to hunt for and remove intrusion artifacts before rotating IIS or ASP.NET machine keys. Rotating keys without removing the attacker’s access may allow the intruder to steal the new keys as well.

If compromise is confirmed, incident responders should isolate affected systems, preserve forensic evidence, remove persistence and determine which credentials, keys and connected services may have been exposed.

After containment and eradication, teams should rotate affected machine keys and credentials across the farm. They should also evaluate whether the attacker reached service accounts, databases, identity systems or other connected resources.

FAQ

What is CVE-2026-56164?

CVE-2026-56164 is a missing-authentication vulnerability in on-premises Microsoft SharePoint Server. It allows an unauthenticated remote attacker to elevate privileges without user interaction.

Is CVE-2026-56164 being actively exploited?

Yes. Microsoft and CISA have confirmed active exploitation. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 14, 2026.

What is the CVSS score for CVE-2026-56164?

Microsoft assigns a CVSS score of 5.3 and a Moderate severity rating. NIST independently assigns a Critical score of 9.8 because it uses a different assessment of the potential impact.

Which SharePoint versions are affected?

The affected products are SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Online is not listed as affected.

What was CISA’s remediation deadline?

CISA set July 17, 2026, as the deadline for covered federal agencies to remediate CVE-2026-56164. The agency set July 19 for the separate exploited SharePoint RCE flaw CVE-2026-58644.

Does installing the SharePoint patch remove an existing attacker?

No. Patching closes the vulnerability but does not remove web shells, stolen keys or other persistence created before the update. Exposed servers should also receive forensic investigation.

Should SharePoint machine keys be rotated immediately?

CISA advises investigating and removing intrusion artifacts before rotating IIS or ASP.NET machine keys. Otherwise, an attacker who remains on the server may steal the replacement keys.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages