Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Exploitation Wave Public Sector Action Security Patch Release

Active SharePoint exploitation around CVE-2026-56164 drives patching and federal response

Updated 15.07.2026 12:44
Case score 86
Case score 86 Members 4 Latest activity 15.07.2026 12:44
Active exploitation KEV: CISA KEV Patch available CVSS: 9.9 Critical
Members 4 First seen 14.07.2026 23:25 Last seen 15.07.2026 12:44 Updated 15.07.2026 12:44

Overview

Active exploitation of **on-premises SharePoint Server** has moved beyond a single zero-day notice into a broader intrusion story involving **CVE-2026-56164** alongside exploited SharePoint flaws **CVE-2026-32201** and **CVE-2026-45659**. Available reporting ties the activity to internet-exposed servers, follow-on compromise behavior such as **IIS machine key** theft and persistence, and a large exposed population that still leaves patching urgency high. Microsoft has issued fixes and recommends **AMSI in Full Mode** where immediate patching is not possible. U.S. federal agencies now face a **July 17** deadline to secure or discontinue affected SharePoint systems, while key unknowns remain around the actor, exact exploitation method for **CVE-2026-56164**, and confirmed victim count.

Signals

12 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 9.9 Critical
Affected impact
Affected service
CVEs/products
CVE CVE CVE
Victims/regions
Victim region United States
Remediation
Urgency Immediate KEV CISA KEV Remediation Patch available
Status
Policy stage Enforced
Threat context
Actor Microsoft

Malware context

0 families · 3 tools
Tools
bitskrieg ToolShell YellowKey

Member happenings

4 related
Vulnerability SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
Updated 14.07.2026 23:25 Lead Contribution 82
Exploitation Active Exploitation Data Type Passwords CVSS 9.9 Critical Patch Patch Available

**CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts **on-premises SharePoint Server** deployments at immediate risk, especially where the service is exposed to remote access. Microsoft has already identified it as a fix-first issue for July 2026.

Exploitation Wave Microsoft SharePoint Server actively exploited multi-CVE wave
Updated 15.07.2026 12:44 Scoring Support Contribution 1
Exploitation Active Exploitation Patch Patch Available

Attackers are actively exploiting **three SharePoint Server vulnerabilities** against **Internet-exposed on-premises instances**, creating widespread risk of **authentication bypass**, **remote code execution**, and **malware deployment**. The wave affects **all supported self-hosted SharePoint Server versions** and spans nearly **10,000 exposed servers**, including more than **800 unpatched** against two of the CVEs.

Public Sector Action CISA BOD 26-04 SharePoint remediation deadline
Updated 15.07.2026 12:44 Context
Policy Stage Enforced Patch Patch Available

**CISA** gave federal agencies until **July 17** to secure or discontinue **SharePoint servers** affected by **CVE-2026-56164**, turning the remediation deadline into a mandatory federal action for exposed systems. The agency had already added **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164** to the **Known Exploited Vulnerabilities Catalog** on **April 14**, **July 1**, and **July 14**. Agencies that cannot apply mitigations must **discontinue** the affected servers under **BOD 26-04**.

Security Patch Release Microsoft security patch release for CVE-2026-56164
Updated 14.07.2026 23:25 Context
Exploitation Active Exploitation CVSS 9.9 Critical Urgency Immediate Patch Patch Available

Microsoft released a **record 622-CVE Patch Tuesday** that includes **two exploited flaws** in **SharePoint Server** and **Active Directory Federation Services**, raising urgency for identity and collaboration systems. The top-priority fixes are **CVE-2026-56164** and **CVE-2026-56155**, both elevation-of-privilege bugs already being used in attacks. Microsoft also bundled additional updates across **Windows**, **Office**, **Edge**, **Azure**, **Defender**, and developer tools. The release matters because defenders must triage a much larger-than-usual update set while attackers can immediately focus on the flaws already in use.