CISA Warns of Active SharePoint Exploits, Urges Immediate Hardening
CISA warns of active exploitation of three on-premises SharePoint vulnerabilities (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) that enable remote code execution and post-exploitation activity such as stealing IIS machine keys; two additional CVEs (CVE-2026-55040 and CVE-2026-58644) are also identified as potential risks if not patched. To mitigate, organizations should apply the latest Microsoft patches, verify installation completion, and shorten patching cycles where possible; ensure AMSI integration is enabled for all SharePoint web apps and follow Microsoft guidance for AMSI configuration. Use the provided AMSI and MDAV detections as part of incident response and hardening: hunt for intrusion artifacts before rotating IIS keys, implement enhanced logging and telemetry to detect anomalies, and limit internet exposure by placing SharePoint behind a Layer 7 proxy and restricting Central Administration access. Review Microsoft’s security guidance and report incidents to CISA as needed. These CVEs have been added to the Known Exploited Vulnerabilities (KEV) catalog.
Reading Insights
1
1
2 min
vs 4 min read
76%
624 → 147 words
Want the full story? Read the original article
Read on CISA (.gov)