CISA Warns of Active SharePoint Exploits, Urges Immediate Hardening

1 min read
Source: CISA (.gov)
TL;DR Summary

CISA warns of active exploitation of three on-premises SharePoint vulnerabilities (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) that enable remote code execution and post-exploitation activity such as stealing IIS machine keys; two additional CVEs (CVE-2026-55040 and CVE-2026-58644) are also identified as potential risks if not patched. To mitigate, organizations should apply the latest Microsoft patches, verify installation completion, and shorten patching cycles where possible; ensure AMSI integration is enabled for all SharePoint web apps and follow Microsoft guidance for AMSI configuration. Use the provided AMSI and MDAV detections as part of incident response and hardening: hunt for intrusion artifacts before rotating IIS keys, implement enhanced logging and telemetry to detect anomalies, and limit internet exposure by placing SharePoint behind a Layer 7 proxy and restricting Central Administration access. Review Microsoft’s security guidance and report incidents to CISA as needed. These CVEs have been added to the Known Exploited Vulnerabilities (KEV) catalog.

Share this article

Reading Insights

Total Reads

1

Unique Readers

1

Time Saved

2 min

vs 4 min read

Condensed

76%

624147 words

Want the full story? Read the original article

Read on CISA (.gov)