The Cybersecurity and Infrastructure Security Agency (CISA) on July 14 put organizations on notice that three Microsoft SharePoint Server bugs were actively exploited in the wild, one since April.In its advisory, CISA shared that attackers aim to steal Internet Information Services (IIS) machine keys and perform deserialization techniques to gain persistence and deploy malware.All three of the bugs — CVE-2026-32201 (April 14), CVE-2026-45659 (July 1), and CVE-2026-56164 (July 14) — have been added to CISA’s known exploited vulnerabilities (KEV) catalog. The bug from yesterday NIST rated at CVSS 9.8.“Teams should treat this as an incident-response priority, not a routine patching task,” said Douglas McKee, director of vulnerability intelligence at Rapid 7. “CISA’s KEV designation means there’s evidence of active exploitation.”McKee added that SharePoint often contains sensitive internal documents and connects closely with Active Directory and other business systems, so a compromised server can become a starting point for lateral movement across the environment.“The April patch date does not make this old news,” said McKee. “It means organizations that missed that update may have carried an exploitable gap for months. For the latest flaw [from yesterday], federal agencies were given only until July 17 to remediate. That three-day window tells teams how seriously CISA views the current activity.”Louis Eichenbaum, Federal CTO at ColorTokens, explained that SharePoint has become far more than a document repository: it’s often an organization's institutional memory. Eichenbaum said over time, users naturally upload engineering documentation, HR records, financial reports, legal contracts, security procedures, architecture diagrams, and other sensitive information into a single location because it is convenient for collaboration.“When an attacker gains authenticated access and the ability to execute code on a SharePoint server, they're not just compromising a file server they're gaining access to a roadmap of how the organization operates,” said Eichenbaum. “That information can dramatically accelerate reconnaissance, privilege escalation, and subsequent attacks.”Eichenbaum said the best defense isn't just rapid patching, it also includes applying least-privilege access, continuously reviewing permissions, classifying sensitive data, segmenting critical systems, and assuming that if a collaboration platform becomes compromised, an attacker will immediately begin searching for information that enables lateral movement.“Organizations should ask themselves: if SharePoint were compromised tomorrow, what sensitive information could an attacker use to reach our most critical assets?” said Eichenbaum.Roman Sannikov, global research coordinator, iCounter, added that what's notable here isn't any single CVE: it's the three-month spread between when the first flaw landed on KEV and when the last one did. Sannikov said that kind of staggered timeline usually means attackers found a working entry point early and kept probing the same product for ways to extend or re-establish access as defenders started responding.“The machine key theft piece is what I'd focus defenders on,” said Sannikov. “Stealing an IIS machine key means an attacker can keep forging valid authentication even after the vulnerability that let them in gets patched. If a team patches the RCE today, but never rotates keys that may have already been stolen back in April, they've locked the front door and left a set of keys sitting in the attacker's pocket. Any organization running SharePoint since spring should assume compromise is possible and rotate credentials as part of remediation, not treat patching alone as the finish line."
Vulnerability Management
CISA warns that three SharePoint Server bugs are actively exploited

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



