CISA Microsoft SharePoint hardening guidance for exploited zero-days
Advisory/Mitigation
Summary
Hide ▲
Show ▼
CISA’s Microsoft SharePoint servers hardening guidance responds to newly disclosed zero-day vulnerabilities that can be exploited remotely, creating immediate risk for supported on-premises deployments. CVE-2026-56164 was added to the KEV catalog, and federal agencies must patch it within three days under BOD 26-04. Microsoft’s July 2026 Patch Tuesday also resolved CVE-2026-55040 and CVE-2026-58644, while CISA urged monitoring, intrusion hunting, and tighter exposure controls.
Cases
Related Happenings
CISA BOD 26-04 SharePoint remediation deadline
Public Sector Action
H score77
First: 15.07.2026 12:44
Last: 15.07.2026 12:44
Sources 1
How related:
On Tuesday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 recommendations.
About this happening:
**CISA** gave federal agencies until **July 17** to secure or discontinue **SharePoint servers** affected by **CVE-2026-56164**, turning the remediation deadline into a mandatory...
CISA BOD 26-04 SharePoint remediation deadline
Public Sector ActionHow related: On Tuesday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 recommendations.
About this happening: **CISA** gave federal agencies until **July 17** to secure or discontinue **SharePoint servers** affected by **CVE-2026-56164**, turning the remediation deadline into a mandatory...
Microsoft SharePoint Server actively exploited multi-CVE wave
Exploitation Wave
H score78
First: 15.07.2026 12:44
Last: 15.07.2026 12:44
Sources 1
How related:
“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warns.
About this happening:
**SharePoint Server** exploitation wave remains active across **internet-exposed on-premises instances**, with **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164** used...
Microsoft SharePoint Server actively exploited multi-CVE wave
Exploitation WaveHow related: “These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warns.
About this happening: **SharePoint Server** exploitation wave remains active across **internet-exposed on-premises instances**, with **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164** used...
SonicWall SMA1000 SSRF and code injection flaws (multiple vulnerabilities)
Vulnerability
H score48
First: 15.07.2026 00:23
Last: 15.07.2026 00:23
Sources 1
About this happening:
**SonicWall SMA1000** devices face active exploitation of **CVE-2026-15409** and **CVE-2026-15410**, creating urgent risk for exposed appliances. **CVE-2026-15409** is a **CVSS 10...
SonicWall SMA1000 SSRF and code injection flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **SonicWall SMA1000** devices face active exploitation of **CVE-2026-15409** and **CVE-2026-15410**, creating urgent risk for exposed appliances. **CVE-2026-15409** is a **CVSS 10...
SonicWall security patch release for CVE-2026-15409
Security Patch Release
H score54
First: 15.07.2026 00:23
Last: 15.07.2026 00:23
Sources 1
About this happening:
SonicWall released **hotfix security updates** for **SMA1000** appliances after confirming active exploitation of **CVE-2026-15409** and **CVE-2026-15410**. The fixes are availabl...
SonicWall security patch release for CVE-2026-15409
Security Patch ReleaseAbout this happening: SonicWall released **hotfix security updates** for **SMA1000** appliances after confirming active exploitation of **CVE-2026-15409** and **CVE-2026-15410**. The fixes are availabl...
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
Vulnerability
H score82
First: 14.07.2026 23:25
Last: 14.07.2026 23:25
Sources 1
How related:
The freshest of the exploited flaws is CVE-2026-56164, a privilege escalation issue that can be exploited remotely without authentication, and which was resolved with Microsoft’s July 2026 Patch Tuesday updates.
About this happening:
**CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts *...
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
VulnerabilityHow related: The freshest of the exploited flaws is CVE-2026-56164, a privilege escalation issue that can be exploited remotely without authentication, and which was resolved with Microsoft’s July 2026 Patch Tuesday updates.
About this happening: **CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts *...
Latest development: 15.07.2026 12:20
Microsoft’s July 14 Patch Tuesday included CVE-2026-56164, an elevation-of-privilege flaw in Microsoft SharePoint Server that required no existing privileges and was described as low complexity. The zero-day was one of two vulnerabilities in the release that had been exploited in the wild, and Microsoft issued updates for affected systems.
Timeline
-
15.07.2026 17:07 2 articles · 2h ago
CISA urges immediate hardening of Microsoft SharePoint servers
Mitigation Patch UpdateCISA urged immediate hardening of Microsoft SharePoint servers after disclosure of multiple zero-day vulnerabilities affecting supported on-premises SharePoint Server Subscription Edition, 2019, and 2016. The agency said CVE-2026-56164 was added to the KEV catalog and federal agencies must patch it within three days under BOD 26-04, while Microsoft’s July 2026 Patch Tuesday also resolved CVE-2026-55040 and CVE-2026-58644; CISA advised monitoring for unusual activity, hunting for intrusions, rotating IIS machine keys, enabling tailored logging, avoiding direct internet exposure, and restricting access to administration interfaces.
Show sources
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities — www.securityweek.com — 15.07.2026 17:07
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities — www.securityweek.com — 15.07.2026 17:07