The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that cybercriminals are actively exploiting three critical vulnerabilities affecting Microsoft SharePoint Server. According to the agency, attackers are targeting internet-exposed on-premises SharePoint servers to gain unauthorized access, execute remote code, and deploy malware on compromised systems.
CISA said the actively exploited vulnerabilities are tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. The flaws affect all supported self-hosted Microsoft SharePoint Server versions, including SharePoint Server Subscription Edition, Microsoft’s latest on-premises release.
According to the advisory, attackers can exploit these vulnerabilities to bypass authentication, execute arbitrary code on vulnerable servers, and conduct post-exploitation activities, including stealing Internet Information Services (IIS) machine keys. The attackers may also establish persistence on compromised systems, allowing them to deploy malware and maintain long-term access to affected environments.
In addition, two other SharePoint Server vulnerabilities—CVE-2026-55040 and CVE-2026-58644—have recently been patched by Microsoft. Although there is currently no evidence that these flaws are being exploited in real-world attacks, security experts consider them attractive targets for future exploitation.
Available data indicates that nearly 10,000 Microsoft SharePoint Server instances are currently exposed to the internet. More than 800 of these servers remain unpatched against at least two of the vulnerabilities that are already being actively exploited, leaving a significant number of organizations vulnerable to cyberattacks.
CISA has urged organizations to closely monitor affected SharePoint servers for signs of compromise, immediately deploy Microsoft’s latest security updates, and verify that patches have been successfully installed. The agency also recommends shortening patch management cycles and enabling Windows Antimalware Scan Interface (AMSI) integration for SharePoint web applications.
The advisory further recommends using Microsoft Defender Antivirus to detect and remediate potential compromises. Organizations are also advised to investigate and remove any indicators of intrusion before rotating IIS machine keys, implement enhanced logging, and continuously monitor systems for suspicious or abnormal activity.
Security experts also recommend avoiding direct internet exposure of SharePoint servers whenever possible. External access to SharePoint Central Administration should be blocked, while communication between SharePoint servers and backend databases should be restricted to authorized systems only. Where internet exposure is unavoidable, servers should be protected behind a Layer 7 reverse proxy or similar application-layer security controls.
Renowned cybercrime expert and former IPS officer Prof. Triveni Singh said that enterprise servers exposed directly to the internet remain a constant target for cybercriminals, and newly disclosed vulnerabilities are often exploited within hours of becoming public. He emphasized that organizations should go beyond simply installing security patches by implementing regular vulnerability assessments, threat hunting, continuous security monitoring, and robust incident response mechanisms to identify attacks early and minimize their impact.
