Updated
Updated · CISA · Jul 14
CISA Adds 3 SharePoint Flaws to KEV Catalog as Active Exploits Hit On-Prem Servers
Updated
Updated · CISA · Jul 14

CISA Adds 3 SharePoint Flaws to KEV Catalog as Active Exploits Hit On-Prem Servers

3 articles · Updated · CISA · Jul 14

Summary

  • Three SharePoint vulnerabilities—CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164—were added to CISA’s Known Exploited Vulnerabilities catalog after the agency confirmed active attacks on on-premises servers.
  • All supported on-premises SharePoint versions—Subscription Edition, 2019 and 2016—are affected, with attackers using the flaws for remote code execution, stealing IIS machine keys and maintaining persistence to deploy malware.
  • CISA urged organizations to apply Microsoft’s latest patches, verify AMSI is enabled in Full Mode where feasible, and use AMSI and Microsoft Defender detections to identify compromise and trigger incident response.
  • The agency also advised hardening exposed SharePoint systems by hunting for intrusion artifacts before rotating IIS keys, tightening logging and telemetry, and avoiding direct internet exposure unless protected by an authenticated Layer 7 proxy.
  • The three CVEs were entered into the KEV catalog on April 14, July 1 and July 14, 2026, and CISA said it may update guidance as Microsoft and others release more information.

Insights

Is the constant rush to patch SharePoint a sign its security model is fundamentally broken for modern threats?
Does CISA's new mandate force a dangerous choice between investigating an attack and patching the entry point?

Over 10,000 SharePoint Servers at Risk: CISA Issues Urgent Directive on Actively Exploited CVE-2026-45659 RCE Vulnerability

Overview

In July 2026, CISA issued a critical directive after confirming active exploitation of a high-severity vulnerability in Microsoft SharePoint Server (CVE-2026-45659). This vulnerability was quickly added to CISA’s Known Exploited Vulnerabilities catalog, highlighting a major discrepancy with Microsoft’s earlier assessment that exploitation was less likely. Before CISA’s warning, there were no public reports of attacks, showing CISA’s key role in alerting organizations to new threats based on its intelligence. The agency’s swift action underscores the urgent need for immediate remediation, as delays could leave systems exposed to serious cyber risks.

...