The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to secure Microsoft SharePoint servers following the disclosure of critical zero-day vulnerabilities. These vulnerabilities pose significant risks if left unpatched.
Critical Vulnerabilities Discovered
Among the recently exposed issues is CVE-2026-56164, a privilege escalation flaw that can be exploited remotely without user authentication. This vulnerability was addressed with the latest Microsoft Patch Tuesday updates in July 2026. CISA has swiftly added this flaw to its Known Exploited Vulnerabilities (KEV) list, compelling federal agencies to implement patches within three days as per BOD 26-04 directives.
Additionally, Microsoft has resolved other critical SharePoint vulnerabilities, including CVE-2026-55040 and CVE-2026-58644. While not currently exploited, these flaws could be utilized to bypass security measures and execute arbitrary code remotely, emphasizing the importance of timely patching.
Potential Risks and Recommendations
CISA highlights the dangers of leaving these vulnerabilities unpatched, which could lead to severe security breaches. The agency has also noted a spoofing vulnerability, CVE-2026-32201, that was patched earlier in April after being used in active attacks. Another significant threat, CVE-2026-45659, involves code execution and was resolved in May with an out-of-band update.
These vulnerabilities affect all supported on-premises SharePoint Server versions, allowing attackers to perform remote code execution and persist by stealing machine keys and employing deserialization techniques. Organizations are advised to monitor for any unusual server activities that might indicate exploitation attempts.
Actionable Security Measures
To mitigate these threats, CISA recommends organizations promptly apply Microsoft’s security patches. In addition, they should ensure comprehensive security coverage for all SharePoint applications, actively hunt for potential intrusions, rotate IIS machine keys, enable customized logging, and prevent direct internet exposure of SharePoint servers. Restricting access to administrative interfaces is also advised.
By adhering to these guidelines, organizations can significantly reduce the risk of exploitation and maintain robust cybersecurity defenses.
Related: White House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination Initiative
Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
Related: SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits
Related: US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers
