SharePoint CVEs FAQ: CVE-2026-56164, CVE-2026-32201, CVE-2026-45659
Four Microsoft SharePoint Server vulnerabilities are under active exploitation, prompting CISA to issue a hardening alert. An additional high-severity flaw recently patched adds pressure for organizations running on-premises deployments.
Key Takeaways
- CISA confirmed active exploitation of three on-premises SharePoint Server vulnerabilities (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164), used to gain unauthorized access, establish remote code execution, steal IIS machine keys and deploy malware for persistence.
- Two additional SharePoint Server vulnerabilities disclosed on July 14, 2026, CVE-2026-55040 and CVE-2026-58644, were not yet observed exploited at the time of publication, but Microsoft has flagged CVE-2026-58644 as exploited on July 15.
- Microsoft released patches for all five vulnerabilities and Microsoft Defender Antivirus detection signatures are available to identify exploitation activity for three of the actively exploited flaws.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding active exploitation of Microsoft SharePoint Server vulnerabilities.
FAQ
When did CISA issue an alert about SharePoint Server exploitation?
On July 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert confirming active exploitation of three on-premises SharePoint Server vulnerabilities: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. The alert noted that these flaws had been used to gain unauthorized access to SharePoint deployments across all supported on-premises versions and flagged two additional high-risk vulnerabilities, CVE-2026-55040 and CVE-2026-58644, as not yet exploited but warranting immediate patching. However in an update to the security advisory on July 15, Microsoft confirmed CVE-2026-58644 has been exploited in the wild.
What vulnerabilities are covered in this alert?
Five Microsoft SharePoint Server vulnerabilities are covered in CISA’s alert: Four with confirmed active exploitation and one newly disclosed high-severity flaw that Microsoft assesses as “Exploitation More Likely” according to Microsoft’s Exploitability Index. All five affect all supported on-premises SharePoint Server versions: Subscription Edition, 2019, and 2016.
| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability | 6.5 | 7.2 |
| CVE-2026-45659 | Microsoft SharePoint Remote Code Execution Vulnerability | 8.8 | 9.4 |
| CVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | 9.8 – NVD5.3 – Microsoft | 9.5 |
| CVE-2026-55040 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | 9.1 | 7.3 |
| CVE-2026-58644 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 9.8 | 7.9 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was updated published on July 16 and reflects VPR at that time.
What do the actively exploited vulnerabilities do?
CVE-2026-32201 is a spoofing flaw rooted in improper input validation. An unauthenticated remote attacker can exploit it over a network without user interaction.
CVE-2026-45659 is a remote code execution (RCE) vulnerability involving deserialization of untrusted data. An authenticated attacker can exploit this flaw in order to execute code on an affected SharePoint server.
CVE-2026-56164 is an elevation of privilege vulnerability. An unauthenticated attacker can exploit it remotely to elevate privileges on a SharePoint Server.
CVE-2026-58644 is a RCE vulnerability that can be abused by an authenticated attacker with at least Site Owner permissions. Successful exploitation would allow the attacker to achieve code execution by exploiting a deserialization of untrusted data flaw.
What post-exploitation activity has been observed?
According to CISA, attackers have combined CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 to gain entry to on-premises SharePoint Server instances, then pursued several post-exploitation objectives: extracting IIS machine keys, leveraging deserialization techniques to establish persistence, and deploying malware. CISA notes that stolen machine keys can be used to forge requests enabling further exploitation of the server. The advisory notes that key rotation alone is not a complete remediation step, without first removing any key-harvesting artifacts.
What is CVE-2026-55040, the vulnerability that has not yet been exploited?
CVE-2026-55040 is a security feature bypass rooted in weak authentication. It was assigned a CVSSv3 score of 9.1 and rated as critical. An unauthenticated attacker can exploit it over the network, without user interaction allowing the attacker to impact both confidentiality and integrity.
Both CVE-2026-55040 and CVE-2026-58644 were disclosed on July 14, 2026, as part of Microsoft’s July 2026 Patch Tuesday release. As of July 16, 2026, CVE-2026-55040 has not been observed being exploited in the wild.
What is the history of exploitation for Microsoft SharePoint Server?
Microsoft SharePoint Server has been a recurring target for threat actors across multiple years. CISA’s Known Exploited Vulnerabilities (KEV) catalog contains 12 SharePoint-related entries, including seven currently known to be used in ransomware campaigns. The table below outlines prior SharePoint CVEs added to the KEV catalog.
Which threat actors are exploiting these SharePoint vulnerabilities?
As of July 16, 2026, neither CISA nor Microsoft has attributed the active exploitation of CVE-2026-32201, CVE-2026-45659, CVE-2026-56164 or CVE-2026-58644 to specific threat actors or groups.
Is there a proof-of-concept available for any of these vulnerabilities?
As of July 16, 2026, no public proofs-of-concept are available for any of the five vulnerabilities covered in this FAQ.
Are patches and mitigations available?
Microsoft released patches for all five vulnerabilities. The table below lists the fixed build numbers for each affected SharePoint version.
| CVE | SharePoint Enterprise Server 2016 | SharePoint Server 2019 | SharePoint Server Subscription Edition |
|---|---|---|---|
| CVE-2026-32201 | 16.0.5548.1003 | 16.0.10417.20114 | 16.0.19725.20210 |
| CVE-2026-45659 | 16.0.5552.1002 | 16.0.10417.20128 | 16.0.19725.20280 |
| CVE-2026-56164 | 16.0.5561.1001 | 16.0.10417.20175 | 16.0.19725.20434 |
| CVE-2026-55040 | 16.0.5561.1001 | 16.0.10417.20175 | 16.0.19725.20434 |
| CVE-2026-58644 | 16.0.5556.1005 | 16.0.10417.20153 | 16.0.19725.20384 |
The CISA advisory and several of the Microsoft security advisories recommend enabling AMSI integration on SharePoint and IIS worker processes and setting the Request Body Scan mode to Full to allow detection of malicious POST payloads. CISA’s hardening guidance also advises against direct internet exposure of SharePoint Servers and recommends restricting external access to SharePoint Central Administration.
Are there indicators of compromise?
Yes. CISA and Microsoft have published AMSI and Microsoft Defender Antivirus detection signatures for the three actively exploited vulnerabilities.
| Signature | Type | Scope |
|---|---|---|
| Exploit:Script/SuspSignoutReqBody.A | AMSI | Request body scanning; SharePoint Server Subscription Edition only; Microsoft reports active exploitation attempts have been blocked |
| Exploit:Script/ToolPaneAuthBypass.A | AMSI | Request header scanning; SharePoint Server 2016, 2019, and Subscription Edition |
| Exploit:Script/ToolPaneAuthBypass.C | AMSI | RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition |
| Backdoor:MSIL/LeakFang.A!dha | MDAV | Post-exploitation activity; IIS machine key access |
CISA recommends reviewing telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells and machine-key access activity.
Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?
Yes. Tenable Research has classified CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 and CVE-2026-58644 as part of Vulnerability Watch. The designation applies to flaws with confirmed in-the-wild exploitation and the potential for widespread impact across affected organizations. We are actively tracking developments related to this activity and will update this post as new information becomes available.
Has Tenable released product coverage for these vulnerabilities?
A list of Tenable plugins can be found on the individual CVE pages:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, Tenable Attack Surface Management customers can identify external-facing assets by leveraging the built-in subscription labeled Microsoft Sharepoint Server – v1.

Get more information
Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.