Skip to content
feed: live
>_ 0dayNews
microsoft
● Breaking

CISA: three SharePoint bugs exploited, patch by July 17

CISA named three actively exploited on-prem SharePoint CVEs and put a July 17 remediation clock on federal agencies. Shadowserver counts 800+ unpatched servers. Patch on one maintenance touch.

CISA: three SharePoint bugs exploited, patch by July 17
Photo: panumas nikhomkhai / Pexels · Pexels License
fuse Marisol "Fuse" Delgado · Published · 3 min read

CISA on Tuesday named three actively exploited on-premises SharePoint Server vulnerabilities and started a July 17 remediation clock for federal civilian agencies under BOD 26-04. If your farm is Internet-exposed and unpatched, you have two days on the federal clock — and no defensible reason to wait longer than that on the private side either.

Shadowserver’s telemetry tracks roughly 10,000 on-prem SharePoint servers reachable from the public Internet and more than 800 of them unpatched against at least two of the three CVEs CISA is calling out. That’s the pool being scanned right now, not a theoretical population.

The three CVEs

  • CVE-2026-56164 — SharePoint elevation of privilege via missing authentication for a critical function, CVSS 5.3. Patched in yesterday’s July 2026 Patch Tuesday and added to KEV the same day. Microsoft notes that enabling AMSI plus Request Body Scan is a mitigation; the patch is what actually closes it. The MSRC advisory is the authoritative reference on affected builds.
  • CVE-2026-45659 — deserialization RCE, CVSS 8.8, patched in the May 2026 SharePoint update. Added to KEV on July 2 after confirmed in-the-wild exploitation. If you skipped the May patch, this rides the same maintenance touch as CVE-2026-56164 — no reason to split them into two outages.
  • CVE-2026-32201 — spoofing via improper input validation, CVSS 6.5, patched in the April 2026 SharePoint update. Been on KEV since 2026-04-14. The fact that CISA is naming it again next to two fresh bugs three months later tells you the honest state of the on-prem SharePoint fleet.

The attack pattern CISA describes on the advisory is authentication bypass into RCE, followed by theft of IIS machine keys and deployment of persistence for follow-on malware. The machine-key theft is the one to sit up for: once an attacker has your SharePoint IIS machine keys, patching the entry-point CVEs does not evict them. They can forge trusted __VIEWSTATE payloads at will from anywhere on the Internet, and the server treats those requests as legitimate.

Also in this maintenance touch

While you’re already taking the outage, patch CVE-2026-55040 too — the SharePoint JWT authentication bypass Rapid7 disclosed on Monday. Microsoft shipped the fix in the same July 2026 update and it lives on the same servers. Splitting SharePoint patches across two maintenance windows this week is doing yourself twice the work for no benefit.

The honest timeline

  • 2026-04-14 — CVE-2026-32201 added to CISA KEV
  • 2026-07-02 — CVE-2026-45659 added to KEV
  • 2026-07-14 — CVE-2026-56164 added to KEV, same day as Microsoft’s patch and Rapid7’s separate CVE-2026-55040 disclosure
  • 2026-07-15 — CISA publishes named advisory grouping the three
  • 2026-07-17 — BOD 26-04 remediation deadline for federal civilian agencies

Priority order

  1. Patch all three CVEs on the same touch. Subscription Edition, Server 2019, and Enterprise 2016 all have fixes on the standard cadence. Confirm the build number against Microsoft’s advisory pages, not just “the July update went out.”
  2. If your farm was Internet-exposed and unpatched, assume compromise — don’t just patch. Rotate the IIS machineKey values (validationKey and decryptionKey), review sign-in logs for anomalous authentication, and look for web shells in the SharePoint LAYOUTS directory and any writable content database locations. CISA’s advisory calls the machine-key theft out specifically.
  3. Include CVE-2026-55040 in the same maintenance window. No reason to take two outages this week.
  4. Verify Microsoft’s post-patch hardening baseline. CISA points at the SharePoint Server security-hardening guidance on Microsoft Learn. If AMSI wasn’t enabled before, enable it now.

The federal clock is two days. Your private-sector clock is however long you can defend to your incident-response retainer if the machine keys walk. Pick your maintenance window accordingly.

Related CVEs
  • [ MEDIUM ] CVE-2026-32201 SharePoint Server spoofing via improper input validation
  • [ HIGH ] CVE-2026-45659 Microsoft SharePoint Server deserialization remote code execution
  • [ MEDIUM ] CVE-2026-56164 SharePoint Server elevation of privilege — missing authentication for critical function

Found this useful? Share it.