NG Solution Team
Cybersecurity

Is CISA warning about three actively exploited SharePoint vulnerabilities?

CISA warns three Microsoft SharePoint Server vulnerabilities are being actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) warned on July 14 that three vulnerabilities affecting Microsoft SharePoint Server are being actively exploited — one of which was first identified in April. The flaws — CVE-2026-32201 (disclosed April 14), CVE-2026-45659 (July 1) and CVE-2026-56164 (July 14) — have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The most recent vulnerability carries a NIST-assigned CVSS score of 9.8.

What CISA’s alert says
CISA’s advisory notes ongoing exploitation and classifies these vulnerabilities as incident-response priorities. Inclusion in the KEV list indicates, according to the agency, evidence of active exploitation. For the newest CVE, federal agencies were given a very short remediation window — until July 17 — underscoring CISA’s assessment of high risk.

Observed attack techniques
Observed attacker behavior includes theft of IIS machine keys and abuse of deserialization vulnerabilities to establish persistence and deploy malware. Theft of IIS machine keys is especially worrying because, unless those keys are replaced, attackers can forge valid authentications and regain access even after a security patch is applied.

Why SharePoint is a high-value target
SharePoint often holds an organization’s institutional memory — technical documentation, HR records, finance data, contracts, security procedures and architecture diagrams — and is frequently integrated with Active Directory and other business systems. Douglas McKee, Director of Vulnerability Research at Rapid7, warns that compromising a SharePoint server can provide a springboard for broad lateral movement across an environment.

Attack timeline and adversary strategy
That the three CVEs were disclosed and added to the KEV list over a three-month span suggests, according to Roman Sannikov of iCounter, that attackers may have used an initial entry point and then maintained or extended access over time as defenders responded. This “progression” approach means patching alone can be insufficient if compromised artifacts — such as IIS keys — remain in place.

Recommended actions for IT teams
Security experts emphasize treating these flaws as emergency incident-response priorities rather than routine maintenance. In addition to immediate patching, recommended actions include:
– Assume prior compromise and initiate a full incident response;
– Replace/rotate IIS machine keys and any other secrets that may have been stolen;
– Apply least-privilege principles and continuously review permissions;
– Classify sensitive data and segment critical systems to limit lateral movement.

As Louis Eichenbaum of ColorTokens puts it: don’t stop at a quick patch — assume an attacker who reached SharePoint will immediately seek information to escalate and propagate.

Bottom line
Teams responsible for SharePoint need a two-fold approach: rapidly remediate the CISA-identified vulnerabilities and verify whether stolen artifacts still provide persistent access. Without both steps, deploying a patch alone risks leaving footholds that let attackers return.

Related posts

Lakelands Public Health reveals scope of data breach — 60,000 affected

James Smith

How Does ThreatCluster Reduce Security Alert Noise with Its New Platform?

Jessica Williams

Why were Akron Public Schools closed due to a cybersecurity breach?

Michael Johnson

This website uses cookies to improve your experience. We assume you agree, but you can opt out if you wish. Accept More Info

Privacy & Cookies Policy