T

Threats

Microsoft SharePoint Multiple Vulnerabilities

Overview

CVE: CVE-2026-45659, CVE-2026-32201, CVE-2026-56164

Severity: High

Date: 16 July 2026


Microsoft has disclosed three vulnerabilities in on-premises SharePoint Server (Subscription Edition, 2019, and 2016) that are being actively exploited, including a high severity remote code execution flaw. Successful exploitation can lead to full server compromise, credential theft, and persistent access via stolen IIS machine keys. Organisations running on-premises SharePoint should patch immediately. SharePoint Online is not affected.


Affected Versions

  • Microsoft SharePoint Enterprise Server 2016: affected from 16.0.0, before 16.0.5548.1003

  • Microsoft SharePoint Server 2019: affected from 16.0.0, before 16.0.10417.20114

  • Microsoft SharePoint Server Subscription Edition: affected from 16.0.0, before 16.0.19725.20210


Vulnerability Breakdown

CVE-2026-45659 - Deserialisation of untrusted data leading to remote code execution

Severity: High

CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Description: SharePoint Server fails to properly validate untrusted data during deserialisation, allowing code execution over a network.

Impact: Full remote code execution on the SharePoint server, enabling persistence and further compromise.

Conditions: Valid authenticated access with at least Site Member permissions is required. No user interaction needed.

Notes: Actively exploited and added to CISA's Known Exploited Vulnerabilities catalog on 1 July 2026.


CVE-2026-32201 - Improper input validation leading to spoofing

Severity: Medium

CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Description: Improper input validation allows an unauthorised attacker to perform spoofing over a network.

Impact: Attackers can spoof legitimate SharePoint content or identities, undermining trust in served content.

Conditions: No authentication or user interaction required.

Notes: Added to CISA's KEV catalog on 14 April 2026.


CVE-2026-56164 - Missing authentication for critical function leading to elevation of privilege

Severity: Medium

CVSS: 5.3

Description: A critical SharePoint function is missing authentication checks, allowing an unauthorised attacker to elevate privileges over the network.

Impact: Attackers can gain elevated privileges without valid credentials, enabling further compromise of the SharePoint environment.

Conditions: No authentication or user interaction required.

Notes: Added to CISA's KEV catalog on 14 July 2026, exploited alongside the other two CVEs as part of coordinated post-exploitation activity involving IIS machine key theft.


Mitigation

  • Apply the latest Microsoft security updates for SharePoint Server immediately and shorten future patching cycles.

  • Enable Antimalware Scan Interface (AMSI) integration on every SharePoint web application, using Full Mode for Request Body Scan Mode where feasible.

  • Rotate IIS machine keys only after hunting for and removing any intrusion artefacts that could allow keys to be stolen again.

  • Establish tailored logging to detect anomalous requests, suspicious worker-process activity, webshells, and machine-key access.

  • Avoid exposing SharePoint Servers directly to the internet. Place them behind an authenticated Layer 7 reverse proxy where internet-facing access is required.

  • Block external access to SharePoint Central Administration and restrict farm and database communications to required systems only.


Summary for IT Teams

Products: Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only, SharePoint Online is not affected)

Threat Level: High, CVSS 8.8 (highest of the three actively exploited CVEs)

Action Required: Patch all on-premises SharePoint Server instances immediately, rotate IIS machine keys after hunting for intrusion artefacts, enable AMSI in Full Mode, and restrict external exposure of SharePoint Central Administration.


Reference

CVE-2026-45659 Record

CVE-2026-32201 Record

CVE-2026-56164 Record

CISA Alert: CISA Urges SharePoint Hardening After New Exploitations


Need Help?

If your organisation needs assistance assessing or patching SharePoint Server, the Secure ISS SOC team is ready to help. Call 1300 769 460 or get in touch online.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.