CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities
CISA urges immediate patching of exploited SharePoint vulnerabilities, including zero-days.
Summary
CISA has issued an urgent warning for organizations to patch Microsoft SharePoint servers due to actively exploited vulnerabilities. Three critical flaws, including two zero-days, have been identified, allowing for remote code execution, privilege escalation, and bypassing security features. Federal agencies are mandated to patch CVE-2026-56164 within three days.
Full text
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday urged immediate hardening of Microsoft SharePoint servers in light of recently disclosed zero-day vulnerabilities. The freshest of the exploited flaws is CVE-2026-56164, a privilege escalation issue that can be exploited remotely without authentication, and which was resolved with Microsoft’s July 2026 Patch Tuesday updates. On Tuesday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 recommendations. Microsoft’s latest round of security updates also resolved CVE-2026-55040 and CVE-2026-58644, critical-severity SharePoint bugs that could be exploited remotely to bypass a security feature and to execute arbitrary code. Although not flagged as exploited, these vulnerabilities pose a risk to organizations if they are not patched in due time, CISA warns. The cybersecurity agency also draws attention to CVE-2026-32201, a spoofing issue in SharePoint patched in April after being exploited in attacks as a zero-day.Advertisement. Scroll to continue reading. Another exploited SharePoint flaw is CVE-2026-45659, a code execution issue patched in May via an out-of-band security update, which was added to CISA’s KEV list in early July. “These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warns. The agency recommends that organizations monitor their SharePoint servers to identify any signs of unusual activity, which could point to active exploitation. In addition to applying Microsoft’s patches, organizations are advised to ensure that their security products cover all SharePoint web applications, hunt for intrusions, rotate IIS machine keys, enable tailored logging, ensure that SharePoint servers are not directly exposed to the internet, and restrict access to the administration interfaces. Related: White House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination Initiative Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws Related: SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits Related: US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 UpdatesMicrosoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-DaysAdobe Patches Critical ColdFusion VulnerabilitiesSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudUS, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersMultiple Jscrambler Packages Impacted by Supply Chain AttackRabbitMQ Vulnerability Threatens Enterprise SystemsZimbra Patches Critical Code Execution Vulnerability Latest News Unpatched Cursor Vulnerability Exposes Users to Code ExecutionWindows Bind Link Attacks Can Hide Malware From EDR ToolsVirtual Event Today: Cloud & Data Security SummitUS Charges Russian Individuals and Firms for Running Cybercrime ServicesVulnerabilities Patched by Fortinet, Ivanti, ServiceNowWhite House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination InitiativeProgress Confirms Zero-Day Vulnerability Behind ShareFile DisruptionICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveN-able has appointed Russell Rosa as Chief Revenue Officer.Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.F5 has appointed Cathy Peterman as Chief People Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-56164
- cve — CVE-2026-55040
- cve — CVE-2026-58644
- cve — CVE-2026-32201
- cve — CVE-2026-45659