2 min read

CISA warns of 3 exploited SharePoint flaws

CISA says three SharePoint Server bugs are under active attack, while two more critical flaws are rated more likely to be exploited.

Image: The Register

CISA is urging organizations running on-premises SharePoint Server to tighten defenses after warning that three vulnerabilities are under active attack and two more critical flaws could soon add to the risk.

The alert applies to any supported version of SharePoint Server on-prem. CISA highlighted these three vulnerabilities as already exploited:

  • CVE-2026-32201 (6.5) — a spoofing flaw disclosed by Microsoft in March and confirmed by CISA as actively exploited in June
  • CVE-2026-45659 (8.8) — a remote code execution flaw made public in June and confirmed last week as being used in attacks, despite Microsoft previously saying exploitation was “less likely”
  • CVE-2026-56164 (5.3) — a privilege escalation bug included in this month’s record Patch Tuesday, which covered 622 bugs

CISA also flagged two additional critical SharePoint flaws from the latest Patch Tuesday: CVE-2026-55040 (9.1) and CVE-2026-58644 (9.8). Neither is being actively exploited so far, but Microsoft has labeled both “Exploitation More Likely.”

Recommended reading

AI won’t replace penetration testers just yet

According to CISA, the three exploited bugs are tied to post-exploitation activity, including theft of Internet Information Services (IIS) machine keys and the use of deserialization techniques to maintain persistence and deploy malware. The agency did not say what specifically prompted the new warning.

It did, however, point defenders to an August 2025 alert on SharePoint hardening against “ToolShell” attacks. In that advisory, CISA said attackers were chaining CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to compromise SharePoint servers and, in some cases, deploy Warlock ransomware. CISA did not attribute either campaign, though Microsoft said in July 2025 that ToolShell flaws were being exploited by Chinese nation-state crews.

SharePoint hardening steps CISA recommends

CISA’s guidance includes:

  • applying Microsoft’s latest security patches
  • verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application
  • threat hunting for signs of compromise before rotating IIS keys
  • avoiding exposing SharePoint to the internet unless necessary
  • blocking external access to SharePoint Central Administration
  • implementing robust, tailored logging to detect exploit activity

For organizations still running internet-exposed SharePoint, the warning is blunt: patch quickly, check for intrusion, and lock down what does not need to be reachable.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

// Keep reading