Vulnerability
Exploitation Wave
Public Sector Action
Security Patch Release
Active SharePoint exploitation around CVE-2026-56164 drives patching and federal response
Updated 15.07.2026 12:44
Case score 86
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 86
- Main story score
- 82
- Related evidence lift
- +4 / 20
- Contributing updates
- 1
- Context updates
- 2
Top contributors
- Vulnerability Primary anchor for active exploitation of **CVE-2026-56164** in on-premises SharePoint Server. main
- Public Sector Action Adds the **July 17** federal deadline and KEV-driven response tied to the same SharePoint exploitation. context
- Exploitation Wave Expands the picture to active exploitation of **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164**, plus exposure and post-compromise details. contributes
- Security Patch Release Provides Microsoft patch availability and **AMSI in Full Mode** mitigation guidance for **CVE-2026-56164**. context
Case score 86
Members 4
Latest activity 15.07.2026 12:44
Active exploitation
KEV: CISA KEV
Patch available
CVSS: 9.9 Critical
Members 4
First seen 14.07.2026 23:25
Last seen 15.07.2026 12:44
Updated 15.07.2026 12:44
Overview
Active exploitation of **on-premises SharePoint Server** has moved beyond a single zero-day notice into a broader intrusion story involving **CVE-2026-56164** alongside exploited SharePoint flaws **CVE-2026-32201** and **CVE-2026-45659**. Available reporting ties the activity to internet-exposed servers, follow-on compromise behavior such as **IIS machine key** theft and persistence, and a large exposed population that still leaves patching urgency high.
Microsoft has issued fixes and recommends **AMSI in Full Mode** where immediate patching is not possible. U.S. federal agencies now face a **July 17** deadline to secure or discontinue affected SharePoint systems, while key unknowns remain around the actor, exact exploitation method for **CVE-2026-56164**, and confirmed victim count.
Attackers are actively exploiting **on-premises SharePoint Server** flaws, with **CVE-2026-56164** confirmed under active attack and broader exploitation also covering **CVE-2026-32201** and **CVE-2026-45659** on internet-exposed servers. The activity gives intruders a path from exposed SharePoint access into authentication bypass, code execution, or privilege escalation, depending on the flaw used. Available evidence also ties post-compromise activity to **IIS machine key** theft, persistence, and malware deployment on compromised systems.
Microsoft released fixes for **CVE-2026-56164** and directed defenders to patch quickly, while using **AMSI in Full Mode** as a mitigating control if immediate patching is not possible. The exposed surface remains large, with nearly **10,000** internet-exposed SharePoint servers observed and more than **800** still unpatched against **CVE-2026-32201** and **CVE-2026-45659**. The warning applies to supported self-hosted SharePoint deployments, including **SharePoint Server Subscription Edition**.
U.S. federal agencies face a **July 17** deadline to secure or discontinue affected SharePoint servers under **BOD 26-04** after the exploited flaws were added to the KEV workflow. Defensive priorities are to verify patch installation, monitor for compromise, hunt for intrusion artifacts before rotating **IIS machine keys**, and reduce direct internet exposure where possible. Available material does not identify the actor behind the attacks, explain the exploitation method for **CVE-2026-56164**, or quantify how many organizations have been compromised.
Signals
12 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.9 Critical
Affected impact
Affected service
CVEs/products
CVE
CVE
CVE
Victims/regions
Victim region
United States
Remediation
Urgency
Immediate
KEV
CISA KEV
Remediation
Patch available
Status
Policy stage
Enforced
Threat context
Actor
Microsoft
Malware context
0 families · 3 toolsTools
bitskrieg
ToolShell
YellowKey
Member happenings
4 related
Vulnerability
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
Exploitation
Active Exploitation
Data Type
Passwords
CVSS
9.9 Critical
Patch
Patch Available
Vulnerability
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
Exploitation
Active Exploitation
Data Type
Passwords
CVSS
9.9 Critical
Patch
Patch Available
Exploitation Wave
Microsoft SharePoint Server actively exploited multi-CVE wave
Exploitation
Active Exploitation
Patch
Patch Available
Exploitation Wave
Microsoft SharePoint Server actively exploited multi-CVE wave
Exploitation
Active Exploitation
Patch
Patch Available
Public Sector Action
CISA BOD 26-04 SharePoint remediation deadline
Policy Stage
Enforced
Patch
Patch Available
Public Sector Action
CISA BOD 26-04 SharePoint remediation deadline
Policy Stage
Enforced
Patch
Patch Available
Security Patch Release
Microsoft security patch release for CVE-2026-56164
Exploitation
Active Exploitation
CVSS
9.9 Critical
Urgency
Immediate
Patch
Patch Available
Security Patch Release
Microsoft security patch release for CVE-2026-56164
Exploitation
Active Exploitation
CVSS
9.9 Critical
Urgency
Immediate
Patch
Patch Available