Microsoft SharePoint Server actively exploited multi-CVE wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Attackers are actively exploiting three SharePoint Server vulnerabilities against Internet-exposed on-premises instances, creating widespread risk of authentication bypass, remote code execution, and malware deployment. The wave affects all supported self-hosted SharePoint Server versions and spans nearly 10,000 exposed servers, including more than 800 unpatched against two of the CVEs.
Cases
Related Happenings
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
Vulnerability
H score82
First: 14.07.2026 23:25
Last: 14.07.2026 23:25
Sources 1
How related:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances.
About this happening:
**CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts *...
SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)
VulnerabilityHow related: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances.
About this happening: **CVE-2026-56164** is an **actively exploited** **SharePoint Server** vulnerability that lets an unauthenticated attacker **escalate privileges over the network**. The flaw puts *...
Latest development: 15.07.2026 12:20
Microsoft’s July 14 Patch Tuesday included CVE-2026-56164, an elevation-of-privilege flaw in Microsoft SharePoint Server that required no existing privileges and was described as low complexity. The zero-day was one of two vulnerabilities in the release that had been exploited in the wild, and Microsoft issued updates for affected systems.
Microsoft security patch release for CVE-2026-56164
Security Patch Release
H score53
First: 14.07.2026 23:25
Last: 14.07.2026 23:25
Sources 1
About this happening:
Microsoft released a **record 622-CVE Patch Tuesday** that includes **two exploited flaws** in **SharePoint Server** and **Active Directory Federation Services**, raising urgency...
Microsoft security patch release for CVE-2026-56164
Security Patch ReleaseAbout this happening: Microsoft released a **record 622-CVE Patch Tuesday** that includes **two exploited flaws** in **SharePoint Server** and **Active Directory Federation Services**, raising urgency...
Microsoft Corp. security patch release for CVE-2026-56155
Security Patch Release
H score48
First: 14.07.2026 22:22
Last: 14.07.2026 22:22
Sources 1
About this happening:
**Microsoft** released **July 2026 Patch Tuesday** updates that close at least **570 security holes** in **Windows** and other software, expanding the remediation burden for defen...
Microsoft Corp. security patch release for CVE-2026-56155
Security Patch ReleaseAbout this happening: **Microsoft** released **July 2026 Patch Tuesday** updates that close at least **570 security holes** in **Windows** and other software, expanding the remediation burden for defen...
Microsoft SharePoint remote code execution (CVE-2026-45659)
Vulnerability
H score17
First: 26.05.2026 14:49
Last: 26.05.2026 14:49
Sources 1
How related:
As detailed in a Tuesday advisory, attackers are exploiting these vulnerabilities to bypass authentication, gain remote code execution, and carry out post-exploitation activity, including stealing Internet Information Services machine keys and gaining persistence to deploy malware on compromised systems.
About this happening:
**Microsoft SharePoint** **CVE-2026-45659** is a **remote code execution** vulnerability that lets an **authenticated attacker** with **Site Member** permissions run code over the...
Microsoft SharePoint remote code execution (CVE-2026-45659)
VulnerabilityHow related: As detailed in a Tuesday advisory, attackers are exploiting these vulnerabilities to bypass authentication, gain remote code execution, and carry out post-exploitation activity, including stealing Internet Information Services machine keys and gaining persistence to deploy malware on compromised systems.
About this happening: **Microsoft SharePoint** **CVE-2026-45659** is a **remote code execution** vulnerability that lets an **authenticated attacker** with **Site Member** permissions run code over the...
Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch Release
H score62
First: 15.04.2026 00:22
Last: 15.04.2026 00:22
Sources 1
About this happening:
**Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...
Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch ReleaseAbout this happening: **Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...
Timeline
-
15.07.2026 12:44 1 articles · 2h ago
CISA adds CVE-2026-32201 to Known Exploited Vulnerabilities Catalog
Legal Policy Action UpdateCISA added CVE-2026-32201 to its Known Exploited Vulnerabilities Catalog on April 14.
Show sources
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44
-
15.07.2026 12:44 1 articles · 2h ago
CISA adds CVE-2026-45659 to Known Exploited Vulnerabilities Catalog
Legal Policy Action UpdateCISA added CVE-2026-45659 to its Known Exploited Vulnerabilities Catalog on July 1.
Show sources
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44
-
15.07.2026 12:44 1 articles · 2h ago
CISA adds CVE-2026-56164 to Known Exploited Vulnerabilities Catalog
Legal Policy Action UpdateCISA added CVE-2026-56164 to its Known Exploited Vulnerabilities Catalog on July 14.
Show sources
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44
-
15.07.2026 12:44 1 articles · 2h ago
Microsoft patches CVE-2026-55040 and CVE-2026-58644
Mitigation Patch UpdateMicrosoft patched CVE-2026-55040 and CVE-2026-58644 on Tuesday after CISA flagged the two SharePoint Server vulnerabilities as attractive targets for attackers, although they were not yet known to have been exploited in the wild.
Show sources
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44
-
15.07.2026 12:44 2 articles · 2h ago
CISA warns of active SharePoint Server exploitation
Initial DisclosureCISA warned that attackers are actively exploiting CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 against Internet-exposed on-premises SharePoint Server instances, using the flaws to bypass authentication, gain remote code execution, steal IIS machine keys, establish persistence, and deploy malware. CISA also urged affected operators to apply Microsoft's latest patches, verify successful installation, enable AMSI integration and Microsoft Defender Antivirus detections, monitor for intrusion artifacts, avoid direct internet exposure where possible, block external access to SharePoint Central Administration, and place exposed servers behind a Layer 7 reverse proxy when needed.
Show sources
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44
- CISA warns admins to patch actively exploited SharePoint flaws — www.bleepingcomputer.com — 15.07.2026 12:44