T
Threats
Microsoft SharePoint Multiple Vulnerabilities
Overview
CVE: CVE-2026-45659, CVE-2026-32201, CVE-2026-56164
Severity: High
Date: 16 July 2026
Microsoft has disclosed three vulnerabilities in on-premises SharePoint Server (Subscription Edition, 2019, and 2016) that are being actively exploited, including a high severity remote code execution flaw. Successful exploitation can lead to full server compromise, credential theft, and persistent access via stolen IIS machine keys. Organisations running on-premises SharePoint should patch immediately. SharePoint Online is not affected.
Affected Versions
Microsoft SharePoint Enterprise Server 2016: affected from 16.0.0, before 16.0.5548.1003
Microsoft SharePoint Server 2019: affected from 16.0.0, before 16.0.10417.20114
Microsoft SharePoint Server Subscription Edition: affected from 16.0.0, before 16.0.19725.20210
Vulnerability Breakdown
CVE-2026-45659 - Deserialisation of untrusted data leading to remote code execution
Severity: High
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: SharePoint Server fails to properly validate untrusted data during deserialisation, allowing code execution over a network.
Impact: Full remote code execution on the SharePoint server, enabling persistence and further compromise.
Conditions: Valid authenticated access with at least Site Member permissions is required. No user interaction needed.
Notes: Actively exploited and added to CISA's Known Exploited Vulnerabilities catalog on 1 July 2026.
CVE-2026-32201 - Improper input validation leading to spoofing
Severity: Medium
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Description: Improper input validation allows an unauthorised attacker to perform spoofing over a network.
Impact: Attackers can spoof legitimate SharePoint content or identities, undermining trust in served content.
Conditions: No authentication or user interaction required.
Notes: Added to CISA's KEV catalog on 14 April 2026.
CVE-2026-56164 - Missing authentication for critical function leading to elevation of privilege
Severity: Medium
CVSS: 5.3
Description: A critical SharePoint function is missing authentication checks, allowing an unauthorised attacker to elevate privileges over the network.
Impact: Attackers can gain elevated privileges without valid credentials, enabling further compromise of the SharePoint environment.
Conditions: No authentication or user interaction required.
Notes: Added to CISA's KEV catalog on 14 July 2026, exploited alongside the other two CVEs as part of coordinated post-exploitation activity involving IIS machine key theft.
Mitigation
Apply the latest Microsoft security updates for SharePoint Server immediately and shorten future patching cycles.
Enable Antimalware Scan Interface (AMSI) integration on every SharePoint web application, using Full Mode for Request Body Scan Mode where feasible.
Rotate IIS machine keys only after hunting for and removing any intrusion artefacts that could allow keys to be stolen again.
Establish tailored logging to detect anomalous requests, suspicious worker-process activity, webshells, and machine-key access.
Avoid exposing SharePoint Servers directly to the internet. Place them behind an authenticated Layer 7 reverse proxy where internet-facing access is required.
Block external access to SharePoint Central Administration and restrict farm and database communications to required systems only.
Summary for IT Teams
Products: Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only, SharePoint Online is not affected)
Threat Level: High, CVSS 8.8 (highest of the three actively exploited CVEs)
Action Required: Patch all on-premises SharePoint Server instances immediately, rotate IIS machine keys after hunting for intrusion artefacts, enable AMSI in Full Mode, and restrict external exposure of SharePoint Central Administration.
Reference
CISA Alert: CISA Urges SharePoint Hardening After New Exploitations
Need Help?
If your organisation needs assistance assessing or patching SharePoint Server, the Secure ISS SOC team is ready to help. Call 1300 769 460 or get in touch online.

