
CISA warns attackers are exploiting on-premises SharePoint Server flaws
CISA says attackers are exploiting on-premises Microsoft SharePoint Server flaws and urges rapid patching, hunting and hardening.
The U.S. Cybersecurity and Infrastructure Security Agency has warned organizations running self-hosted Microsoft SharePoint Server that attackers are actively exploiting three vulnerabilities, including the newly cataloged CVE-2026-56164. The alert focuses on on-premises deployments, not SharePoint Online, and pushes administrators to treat internet-facing servers as a priority patching and hunting problem rather than a routine monthly update.
CISA's July 14 advisory says the exploited flaws can let threat actors bypass authentication, reach remote code execution paths and continue post-exploitation activity. BleepingComputer, citing the same advisory, reported that the activity includes theft of Internet Information Services machine keys, a persistence risk because those keys can help attackers maintain access even after superficial cleanup. The agency also added CVE-2026-56164 to its Known Exploited Vulnerabilities catalog, setting a July 17 deadline for federal civilian agencies to apply required mitigations or discontinue affected systems if fixes cannot be applied.
Why it matters
SharePoint Server remains embedded in document workflows for governments, universities and large enterprises, which makes exposed systems attractive targets when a reliable exploit chain appears. NIST's National Vulnerability Database entry for CVE-2026-56164 describes the issue as missing authentication for a critical function in Microsoft Office SharePoint, allowing an unauthorized attacker to elevate privileges over a network. NVD lists affected configurations for SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition, and records Microsoft as the CVE source.
The immediate response is narrower than simply installing the latest cumulative update. CISA recommends verifying that patches actually installed, shortening patch cycles, enabling Antimalware Scan Interface integration for SharePoint web applications and using Microsoft Defender Antivirus detections where available. It also advises defenders to hunt for intrusion artifacts before rotating IIS machine keys, because rotating keys too early can obscure evidence while leaving other footholds intact.
- Patch supported SharePoint Server builds and confirm the fixed versions are present.
- Review internet exposure and block public access to Central Administration.
- Place required external access behind application-layer controls such as a Layer 7 reverse proxy.
- Collect logs and investigate suspicious activity before completing key rotation or rebuilds.
The warning is another reminder that collaboration servers with public exposure need the same urgency as edge security appliances. For organizations that cannot quickly patch or isolate affected SharePoint farms, CISA's guidance is blunt: remove them from service until mitigations are available.
Sources
Cover photo by panumas nikhomkhai on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment