CISA Urges Immediate Patching as Multiple SharePoint Server Vulnerabilities Confirmed Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that multiple vulnerabilities in Microsoft SharePoint Server are being actively exploited and is urging organizations to apply security updates without delay.
CISA highlighted four vulnerabilities for which exploitation has been confirmed: CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644. The last of these was added to the Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026, prompting its inclusion in the advisory. In addition, Microsoft has warned that CVE-2026-55040, although not yet confirmed as exploited, poses a high risk if left unpatched.
Exploitation of these flaws can allow attackers to execute arbitrary code remotely. Consequences include theft of machine keys from Internet Information Services (IIS), creation of persistent access mechanisms, and deployment of malware within affected environments.
CISA emphasized that organizations running SharePoint Server should immediately install the latest patches released by Microsoft and verify that the updates have been applied successfully. In addition to patching, administrators must confirm that the Antimalware Scan Interface (AMSI) is enabled and actively monitor systems using Microsoft Defender Antivirus (MDAV) for any signs of exploitation or anomalous activity.
Any detection events generated by AMSI or MDAV should trigger the organization’s incident response plan. Recovery steps include removing malicious programs, restoring systems from a known-good state, and rotating cryptographic keys that may have been compromised.
CISA further recommended that, unless there is a compelling operational reason, SharePoint Server instances should not be exposed directly to the internet. Organizations should instead place servers behind a Layer 7 reverse proxy that provides authentication and validation, block external access to administrative interfaces, and strengthen log monitoring to detect potential attacks.