defense · BleepingComputer
CISA warned that attackers are actively exploiting three vulnerabilities in on-premises SharePoint Server instances. The flaws (CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) affect all supported self-hosted SharePoint Server versions and allow attackers to bypass authentication, achieve remote code execution, steal IIS machine keys, and establish persistence for malware deployment. Shadowserver estimates nearly 10,000 Internet-exposed SharePoint servers exist, with over 800 unpatched against at least two of the vulnerabilities. CISA also identified two additional vulnerabilities (CVE-2026-55040 and CVE-2026-58644) patched on Patch Tuesday that pose future risk. Federal agencies must remediate CVE-2026-56164 by July 17 or discontinue affected systems under Binding Operational Directive 26-04.
Defense contractors and other organizations handling sensitive data on SharePoint infrastructure should prioritize immediate patching and verify successful deployment across all instances. Entities subject to CMMC, SOC2, or NIST 800-171 requirements should treat these active exploits as a compliance risk: unpatched SharePoint systems can undermine network segmentation and access controls required by these frameworks. Organizations should also implement CISA's hardening recommendations—including AMSI integration, reverse proxy deployment, and network segmentation—to reduce exposure while patching timelines are executed. An Omniware engagement can help assess your SharePoint footprint, prioritize remediation, and validate controls alignment with your regulatory obligations.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-actively-exploited-sharepoint-flaws/
Source: BleepingComputer
All briefings