CISA warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises Microsoft SharePoint Server instances to bypass authentication, execute code remotely, and steal IIS machine keys for persistence. The agency also highlighted additional SharePoint flaws that were patched by Microsoft, urging immediate patching, hardened configurations, and monitoring to protect affected servers. #CISA #MicrosoftSharePoint #SharePointServer #CVE-2026-32201 #CVE-2026-45659 #CVE-2026-56164
Keypoints
- CISA said three SharePoint Server vulnerabilities are being actively exploited.
- The flaws affect all supported self-hosted SharePoint Server versions, including Subscription Edition.
- Attackers can bypass authentication, achieve remote code execution, and steal IIS machine keys.
- Microsoft patched two additional SharePoint vulnerabilities that may attract attackers.
- CISA urged patching, AMSI and Defender use, tighter logging, and reduced Internet exposure.