Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft SharePoint Server actively exploited multi-CVE wave

Exploitation Wave
First reported
Last updated
Happening score
H score 78
1 unique sources, 1 articles

Summary

Hide ▲

Attackers are actively exploiting three SharePoint Server vulnerabilities against Internet-exposed on-premises instances, creating widespread risk of authentication bypass, remote code execution, and malware deployment. The wave affects all supported self-hosted SharePoint Server versions and spans nearly 10,000 exposed servers, including more than 800 unpatched against two of the CVEs.

Cases

Related Happenings

SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)

Vulnerability
H score82 First: 14.07.2026 23:25 Last: 14.07.2026 23:25 Sources 1

How related: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances.

About this happening: **CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts *...

Latest development: 15.07.2026 12:20

Microsoft’s July 14 Patch Tuesday included CVE-2026-56164, an elevation-of-privilege flaw in Microsoft SharePoint Server that required no existing privileges and was described as low complexity. The zero-day was one of two vulnerabilities in the release that had been exploited in the wild, and Microsoft issued updates for affected systems.

Microsoft security patch release for CVE-2026-56164

Security Patch Release
H score53 First: 14.07.2026 23:25 Last: 14.07.2026 23:25 Sources 1

About this happening: Microsoft released a **record 622-CVE Patch Tuesday** that includes **two exploited flaws** in **SharePoint Server** and **Active Directory Federation Services**, raising urgency...

Microsoft Corp. security patch release for CVE-2026-56155

Security Patch Release
H score48 First: 14.07.2026 22:22 Last: 14.07.2026 22:22 Sources 1

About this happening: **Microsoft** released **July 2026 Patch Tuesday** updates that close at least **570 security holes** in **Windows** and other software, expanding the remediation burden for defen...

Microsoft SharePoint remote code execution (CVE-2026-45659)

Vulnerability
H score17 First: 26.05.2026 14:49 Last: 26.05.2026 14:49 Sources 1

How related: As detailed in a Tuesday advisory, attackers are exploiting these vulnerabilities to bypass authentication, gain remote code execution, and carry out post-exploitation activity, including stealing Internet Information Services machine keys and gaining persistence to deploy malware on compromised systems.

About this happening: **Microsoft SharePoint** **CVE-2026-45659** is a **remote code execution** vulnerability that lets an **authenticated attacker** with **Site Member** permissions run code over the...

Microsoft April 2026 Patch Tuesday security update (165 CVEs)

Security Patch Release
H score62 First: 15.04.2026 00:22 Last: 15.04.2026 00:22 Sources 1

About this happening: **Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...

Timeline

  1. 15.07.2026 12:44 1 articles · 2h ago

    Microsoft patches CVE-2026-55040 and CVE-2026-58644

    Mitigation Patch Update

    Microsoft patched CVE-2026-55040 and CVE-2026-58644 on Tuesday after CISA flagged the two SharePoint Server vulnerabilities as attractive targets for attackers, although they were not yet known to have been exploited in the wild.

    Show sources
  2. 15.07.2026 12:44 2 articles · 2h ago

    CISA warns of active SharePoint Server exploitation

    Initial Disclosure

    CISA warned that attackers are actively exploiting CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 against Internet-exposed on-premises SharePoint Server instances, using the flaws to bypass authentication, gain remote code execution, steal IIS machine keys, establish persistence, and deploy malware. CISA also urged affected operators to apply Microsoft's latest patches, verify successful installation, enable AMSI integration and Microsoft Defender Antivirus detections, monitor for intrusion artifacts, avoid direct internet exposure where possible, block external access to SharePoint Central Administration, and place exposed servers behind a Layer 7 reverse proxy when needed.

    Show sources