The Cybersecurity and Infrastructure Security Agency warned Tuesday that three vulnerabilities in on-premises versions of Microsoft SharePoint Server are being targeted for exploitation.
Hackers are taking advantage of the flaws to steal internet information service machine keys. They gain persistent unauthorized access through deserialization techniques before releasing malware.
An improper input validation vulnerability, tracked as CVE-2026-32201, was originally disclosed in April. It allows an attacker to perform spoofing over a network.
A remote code execution vulnerability, tracked as CVE-2026-45659, involves the deserialization of untrusted data. The flaw has a severity score of 8.8.
The third vulnerability, tracked as CVE-2026-56164, was disclosed on Tuesday. It allows an attacker to elevate privileges over a network.
Researchers at Rapid7 on Tuesday warned that a newly disclosed authentication bypass vulnerability, tracked as CVE-2026-55040, could enable remote code execution if chained together with a second flaw.
Rapid7 warned that a patch would not be issued until Microsoft’s August security update cycle.
Widespread risk
Because SharePoint is a widely used document and collaboration platform, the exploitation activity is being closely watched by security teams across government and other sectors.
“CIS is tracking the vulnerabilities and have issued an advisory to members providing an overview, a list of impacted systems and recommendations,” TJ Sayers, senior director of threat intelligence at the Center for Internet Security, told Cybersecurity Dive. “We see threat actors beginning exploitation of disclosed vulnerabilities, including ones deduced from vendor patch notes, within 24 to 72 hours of release.
CISA urged security teams to make sure Microsoft’s Antimalware Scan Interface is enabled for each SharePoint web application. Microsoft has provided guidance on how to integrate AMSI with SharePoint.
Security teams should rotate internet information services machine keys, but also check for any intrusion artifacts, including machine key harvesters, according to CISA.
Users should avoid exposing SharePoint directly to the internet and also block external access to SharePoint Central Administration, CISA said. CISA provided a link to a SharePoint hardening guide from Microsoft.