Risk Management

CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities

Three vulnerabilities are actively exploited in attacks, including two that have been targeted as zero-days.

SharePoint vulnerability exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday urged immediate hardening of Microsoft SharePoint servers in light of recently disclosed zero-day vulnerabilities.

The freshest of the exploited flaws is CVE-2026-56164, a privilege escalation issue that can be exploited remotely without authentication, and which was resolved with Microsoft’s July 2026 Patch Tuesday updates.

On Tuesday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 recommendations.

Microsoft’s latest round of security updates also resolved CVE-2026-55040 and CVE-2026-58644, critical-severity SharePoint bugs that could be exploited remotely to bypass a security feature and to execute arbitrary code.

Although not flagged as exploited, these vulnerabilities pose a risk to organizations if they are not patched in due time, CISA warns.

The cybersecurity agency also draws attention to CVE-2026-32201, a spoofing issue in SharePoint patched in April after being exploited in attacks as a zero-day.

Advertisement. Scroll to continue reading.

Another exploited SharePoint flaw is CVE-2026-45659, a code execution issue patched in May via an out-of-band security update, which was added to CISA’s KEV list in early July.

“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warns.

The agency recommends that organizations monitor their SharePoint servers to identify any signs of unusual activity, which could point to active exploitation.

In addition to applying Microsoft’s patches, organizations are advised to ensure that their security products cover all SharePoint web applications, hunt for intrusions, rotate IIS machine keys, enable tailored logging, ensure that SharePoint servers are not directly exposed to the internet, and restrict access to the administration interfaces.

Related: White House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination Initiative

Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

Related: SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits

Related: US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers

Related Content

Vulnerabilities

SonicWall SMA1000 zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 can be exploited for remote code execution.

Vulnerabilities

Two flaws in Active Directory and SharePoint Server have been exploited as zero-days, and a BitLocker bug was publicly disclosed.

Vulnerabilities

Threat actors have been targeting Balbooa Forms and iCagenda Joomla extension flaws for remote code execution.

Vulnerabilities

Two newly disclosed critical vulnerabilities in Adobe ColdFusion and Langflow join two Joomla extension flaws in CISA's Known Exploited Vulnerabilities catalog, with federal agencies...

Vulnerabilities

CISA says threat actors are exploiting a recently patched SharePoint remote code execution vulnerability (CVE-2026-45659).

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version