Key Takeaways
CISA Confirms SharePoint Flaw is Under Active Attack

- Three SharePoint Server vulnerabilities are being actively exploited, with two more critical flaws flagged as high risk
- Microsoft initially rated one RCE flaw as 'exploitation less likely' before CISA confirmed active attacks
- Attackers are stealing IIS machine keys and using deserialization techniques to deploy malware and gain persistence
CISA has issued an urgent warning about three SharePoint Server vulnerabilities under active exploitation, urging organizations to patch immediately and harden their defenses. The advisory covers all supported versions of on-premises SharePoint Server and highlights attackers using the flaws to steal credentials, deploy malware, and establish persistent access to enterprise networks.
The warning carries extra weight because Microsoft initially misjudged one of the flaws. CVE-2026-45659, a remote code execution vulnerability with a CVSS score of 8.8, was labeled "exploitation less likely" when Microsoft disclosed it in June. CISA added it to the Known Exploited Vulnerabilities catalog last week after confirming active attacks.
Which SharePoint vulnerabilities are being exploited?
The three actively exploited flaws span different attack vectors. CVE-2026-32201 is a spoofing bug with a 6.5 severity rating, disclosed by Microsoft in March and confirmed exploited by June. The RCE flaw, CVE-2026-45659 (8.8), lets attackers execute arbitrary code remotely. CVE-2026-56164 is a privilege escalation vulnerability (5.3) that appeared in this month's Patch Tuesday, which addressed a record 622 bugs.
CISA also flagged two additional critical vulnerabilities from the same Patch Tuesday as high risk. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) has been exploited yet, but Microsoft tagged both as "Exploitation More Likely." A 9.8 CVSS score is near the maximum severity, typically indicating remote exploitation with no authentication required.
What are attackers doing with these exploits?
The three exploited vulnerabilities are tied to post-exploitation activity focused on persistence and malware deployment. CISA specifically mentioned attackers stealing Internet Information Services (IIS) machine keys, which are used to encrypt and sign authentication tokens. With those keys, attackers can forge valid tokens and maintain access even after passwords change.
Deserialization attacks are the other technique CISA highlighted. When applications deserialize untrusted data, attackers can inject malicious objects that execute code during the process. SharePoint's complexity and deep integration with Active Directory make it an ideal target for this approach.
CISA did not name specific threat actors, but the agency pointed organizations to an August 2025 alert about "ToolShell" attacks. In those campaigns, attackers chained CVE-2025-49706 and CVE-2025-49704 to compromise SharePoint Servers and, in some cases, deploy Warlock ransomware. Microsoft attributed ToolShell exploitation to Chinese nation-state groups as far back as July 2025.
How should IT teams respond?
CISA's recommendations start with the obvious: apply Microsoft's latest security patches. But the agency pushed further, advising organizations to verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. AMSI allows security tools to scan scripts and other potentially malicious content at runtime.
The agency also recommended threat hunting for signs of intrusion before rotating IIS keys. Rotating keys without first checking for compromise could lock out legitimate users while attackers retain access through other means. Organizations should block external access to SharePoint Central Administration entirely and avoid exposing SharePoint to the web unless strictly necessary.
Logging came up as a final emphasis. CISA encouraged "robust, tailored logging" capable of detecting exploitation attempts. For SharePoint, that means enabling Unified Logging Service (ULS) logs, IIS logs, and Windows Security event logs, then forwarding them to a SIEM for correlation.
Why SharePoint remains a prime target
SharePoint Server runs in an estimated 200,000+ organizations worldwide. It stores sensitive documents, manages workflows, and integrates tightly with Active Directory, making it a high-value target for both ransomware operators and nation-state actors. Compromising SharePoint often grants access to an organization's most critical data and a foothold for lateral movement.
This is not SharePoint's first appearance in CISA's KEV catalog. Previous flaws like CVE-2023-29357 and CVE-2019-0604 were similarly weaponized in the wild, sometimes enabling major breaches. The pattern suggests that organizations running on-premises SharePoint need to treat it as critical infrastructure, not just another collaboration tool.
Logicity's Take
Microsoft's initial "exploitation less likely" assessment for CVE-2026-45659 is a reminder that vendor severity ratings are starting points, not final verdicts. Organizations with on-premises SharePoint should consider accelerating migration to SharePoint Online, where Microsoft handles patching. For those who must stay on-prem, network segmentation and zero-trust architecture reduce blast radius when the next flaw surfaces. Security teams should also evaluate dedicated SharePoint security tools from vendors like Varonis or AvePoint, which offer deeper visibility than native logging.
Frequently Asked Questions
Does this affect SharePoint Online?
CISA's warning specifically targets on-premises SharePoint Server. SharePoint Online in Microsoft 365 is patched by Microsoft directly, though organizations should still monitor for suspicious activity.
How quickly do I need to patch?
CISA typically requires federal agencies to patch KEV-listed vulnerabilities within 72 hours for emergency mitigations. Private organizations should aim for the same urgency given confirmed active exploitation.
Can web application firewalls block these attacks?
WAFs can provide some protection against exploitation attempts, but they are not a substitute for patching. Attackers often find ways to bypass WAF rules, especially for complex deserialization attacks.
What is the connection to Chinese threat actors?
Microsoft attributed earlier ToolShell attacks on SharePoint to Chinese nation-state groups in July 2025. CISA did not attribute the current exploitation to any specific actor.
Another example of a vulnerability where vendor severity assessments differed from real-world risk
Need Help Implementing This?
Logicity can connect you with vetted cybersecurity consultants who specialize in Microsoft 365 and SharePoint Server hardening. Contact us for recommendations tailored to your infrastructure.
Source: www.theregister.com
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






