CISA sounds alarm over trio of exploited SharePoint flaws

Jul 15, 2026 - 19:14
0 0
CISA sounds alarm over trio of exploited SharePoint flaws

Security

Three bugs are under active attack, and two more critical holes could add to the pain

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations running SharePoint to harden their defenses after the disclosure of actively exploited vulnerabilities.

The warning applies to those running any supported version of SharePoint Server on-prem, with three vulnerabilities of particular interest cited.

A spoofing bug, CVE-2026-32201 (6.5), was the first to be mentioned. Microsoft disclosed it in March and CISA confirmed it was being actively exploited in June.

Additionally, CISA appears concerned by CVE-2026-45659 (8.8) – a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely."

The most recent of the three, CVE-2026-56164 (5.3), a privilege escalation flaw, was one of the 622 bugs that featured in this month's record Patch Tuesday.

CISA also picked out two more critical bugs, both from the latest Patch Tuesday, as ones that could potentially complicate SharePoint security further. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is being actively exploited to date, although Microsoft has attached the "Exploitation More Likely" label to both.

CISA said the three exploited vulnerabilities are associated with post-exploitation activity, including the theft of Internet Information Services (IIS) machine keys and deserialization techniques, both in an effort to gain persistence and deploy malware.

The agency did not offer any more detail about what led it to issue the warning, but went on to encourage defenders to review an alert it published in August 2025, which similarly urged organizations to harden SharePoint from "ToolShell" attacks.

CISA said attackers were chaining together CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some cases, deploy Warlock ransomware.

It did not go as far as attributing the activity referenced in either SharePoint advisory to any group or country, although Microsoft said as far back as July 2025 that ToolShell vulnerabilities were being exploited by Chinese nation-state crews.

Applying Microsoft's latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application are among the recommended hardening measures.

CISA also advised defenders to go threat hunting for signs of intrusion before rotating IIS keys to avoid exposing SharePoint to the web unless it's necessary and block external access to SharePoint Central Administration.

As is the case with any potential intrusion, CISA encouraged organizations to implement robust, tailored logging that can detect potential exploits. ®

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0

Comments (0)

User