[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl8pXVJiA814TLxKIURdwKS8BDyuEq6uHpoPjUDIV0yM":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":35},"7a7e5c3d-b81b-4ecc-8bce-d70cbfe5694e","CISA Urges SharePoint Hardening After New Exploitations","cisa-urges-sharepoint-hardening-after-new-exploitations-3839c4","CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity. Additionally, the following newly disclosed CVEs are not yet known to have been exploited, but Microsoft has identified them as posing a potential risk if left unpatched: CVE-2026-55040 CVE-2026-58644 CISA urges organizations to detect and remediate a potential compromise by implementing the following recommendations: Apply the latest patches and security updates from Microsoft, verify that installation completes successfully, and shorten patching cycles when possible. Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Follow Microsoft’s Configure AMSI integration with SharePoint Server guidance to ensure proper configuration and select the “Full Mode” option for the Request Body Scan Mode, where feasible. When compromise is expected, use the following AMSI and Microsoft Defender Antivirus (MDAV) detections, and implement your organization’s incident response plan for any positive detections: AMSI: Exploit:Script\u002FSuspSignoutReqBody.A – request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts. AMSI: Exploit:Script\u002FToolPaneAuthBypass.A – request header scanning; SharePoint Server 2016, 2019, and Subscription Edition. AMSI: Exploit:Script\u002FToolPaneAuthBypass.C – RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition. MDAV: Backdoor:MSIL\u002FLeakFang.A!dha – post-exploitation activity alert involving IIS-protected secrets. In addition, CISA recommends that organizations implement the following SharePoint Server hardening measures: Before rotating IIS machine keys, hunt for and remediate any intrusion artifacts, including machine-key harvesters, that could allow for the keys to be stolen again. Review Microsoft’s Improved ASP.NET view state security and key management for best practices. Establish tailored logging mechanisms to detect and monitor exploitation activities. Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access. For more information, see CISA’s Best Practices for Event Logging and Threat Detection. Avoid exposing SharePoint Servers directly to the internet unless necessary; and if necessary, only configure a SharePoint Server behind a Layer 7 reverse proxy or equivalent application-layer security control that requires authentication and can inspect and filter requests. Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings. CISA urges users and administrators to review the Alert UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities and apply necessary updates. CISA added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-32201 on April 14, 2026; CVE-2026-45659 on July 1, 2026; and CVE-2026-56164 on July 14, 2026. Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. Organizations should report incidents or anomalous activity to CISA via CISA’s 24\u002F7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. Acknowledgements Microsoft contributed to this Alert.","CISA has issued a warning regarding the active exploitation of several vulnerabilities in on-premises SharePoint Server versions, allowing threat actors to gain unauthorized access, execute remote code, and deploy malware. The agency urges organizations to apply the latest Microsoft patches, enable AMSI integration, and implement hardening measures to detect and remediate potential compromises. Several of these vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog.","CISA warns of active exploitation of SharePoint vulnerabilities, urging immediate patching and hardening.","Alert CISA Urges SharePoint Hardening After New Exploitations Release DateJuly 14, 2026 CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity. Additionally, the following newly disclosed CVEs are not yet known to have been exploited, but Microsoft has identified them as posing a potential risk if left unpatched: CVE-2026-55040 CVE-2026-58644 CISA urges organizations to detect and remediate a potential compromise by implementing the following recommendations: Apply the latest patches and security updates from Microsoft, verify that installation completes successfully, and shorten patching cycles when possible. Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Follow Microsoft’s Configure AMSI integration with SharePoint Server guidance to ensure proper configuration and select the “Full Mode” option for the Request Body Scan Mode, where feasible. When compromise is expected, use the following AMSI and Microsoft Defender Antivirus (MDAV) detections, and implement your organization’s incident response plan for any positive detections: AMSI: Exploit:Script\u002FSuspSignoutReqBody.A – request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts. AMSI: Exploit:Script\u002FToolPaneAuthBypass.A – request header scanning; SharePoint Server 2016, 2019, and Subscription Edition. AMSI: Exploit:Script\u002FToolPaneAuthBypass.C – RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition. MDAV: Backdoor:MSIL\u002FLeakFang.A!dha – post-exploitation activity alert involving IIS-protected secrets. In addition, CISA recommends that organizations implement the following SharePoint Server hardening measures: Before rotating IIS machine keys, hunt for and remediate any intrusion artifacts, including machine-key harvesters, that could allow for the keys to be stolen again. Review Microsoft’s Improved ASP.NET view state security and key management for best practices. Establish tailored logging mechanisms to detect and monitor exploitation activities. Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access. For more information, see CISA’s Best Practices for Event Logging and Threat Detection. Avoid exposing SharePoint Servers directly to the internet unless necessary; and if necessary, only configure a SharePoint Server behind a Layer 7 reverse proxy or equivalent application-layer security control that requires authentication and can inspect and filter requests. Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings. CISA urges users and administrators to review the Alert UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities and apply necessary updates. CISA added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-32201 on April 14, 2026; CVE-2026-45659 on July 1, 2026; and CVE-2026-56164 on July 14, 2026. Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. Organizations should report incidents or anomalous activity to CISA via CISA’s 24\u002F7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. Acknowledgements Microsoft contributed to this Alert. This product is provided subject to this Notification and this Privacy & Use policy. Please share your thoughts We recently updated our anonymous product survey; we welcome your feedback.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F07\u002F14\u002Fcisa-urges-sharepoint-hardening-after-new-exploitations",null,"2026-07-14T12:00:00+00:00","2026-07-14T20:00:29.42312+00:00",9,[18,21,24,26,29],{"name":19,"type":20},"SharePoint Server","product",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":20},"Internet Information Services (IIS)",{"name":27,"type":28},"AMSI","technology",{"name":30,"type":20},"Microsoft Defender Antivirus (MDAV)","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":13,"name":33,"slug":34},"Vulnerabilities","vulnerabilities",[36,41,43,48],{"category":37},{"id":38,"icon":13,"name":39,"slug":40},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":42},{"id":31,"icon":13,"name":33,"slug":34},{"category":44},{"id":45,"icon":13,"name":46,"slug":47},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":49},{"id":50,"icon":13,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58,60,62,65,67,71,74,77],{"type":55,"value":56,"context":57},"cve","CVE-2026-32201","Actively exploited vulnerability in SharePoint Server.",{"type":55,"value":59,"context":57},"CVE-2026-45659",{"type":55,"value":61,"context":57},"CVE-2026-56164",{"type":55,"value":63,"context":64},"CVE-2026-55040","Potentially risky vulnerability in SharePoint Server.",{"type":55,"value":66,"context":64},"CVE-2026-58644",{"type":68,"value":69,"context":70},"malware","Backdoor:MSIL\u002FLeakFang.A!dha","Microsoft Defender Antivirus detection for post-exploitation activity.",{"type":68,"value":72,"context":73},"Exploit:Script\u002FSuspSignoutReqBody.A","AMSI detection for request body scanning.",{"type":68,"value":75,"context":76},"Exploit:Script\u002FToolPaneAuthBypass.A","AMSI detection for request header scanning.",{"type":68,"value":78,"context":79},"Exploit:Script\u002FToolPaneAuthBypass.C","AMSI detection for RCE coverage."]