CISA Issues Urgent Warning as Cybercriminals Actively Exploit Critical Microsoft SharePoint Vulnerabilities
DNI SUMMARY — KEY POINTS
- The U.S. Cybersecurity and Infrastructure Security Agency has issued an urgent advisory regarding three critical vulnerabilities in Microsoft SharePoint Server that are currently being actively exploited.
- Attackers are targeting internet-exposed on-premises instances to gain unauthorized access, execute remote code, and deploy malicious payloads or ransomware across affected corporate networks.
- The identified vulnerabilities are tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, affecting all supported on-premises versions including the latest SharePoint Server Subscription Edition.
- Security researchers and government officials emphasize that simply applying patches is insufficient, as attackers often establish persistence by stealing machine keys to maintain long-term access.
- Organizations are strongly urged to immediately deploy the latest security updates and perform comprehensive threat hunting to detect any evidence of existing unauthorized server compromise.
The Cybersecurity and Infrastructure Security Agency has escalated its warning to organizations worldwide following reports of active exploitation targeting on-premises Microsoft SharePoint infrastructure. These security flaws allow malicious actors to bypass authentication protocols and execute arbitrary code, creating significant risks for data integrity and network security. While cloud-hosted services remain unaffected, thousands of self-hosted environments are currently exposed to sophisticated cyberattack campaigns. The discovery of these vulnerabilities has prompted an immediate push for IT administrators to audit their systems and apply the latest defensive measures provided by the software developer.
Defensive Urgency Escalates Rapidly
Defensive Urgency Escalates Rapidly
Evidence suggests that threat actors are systematically chaining multiple vulnerabilities to achieve full system control over vulnerable SharePoint servers. By exploiting weaknesses such as CVE-2026-45659, attackers can perform remote code execution, which grants them the ability to deploy ransomware or steal sensitive corporate data. These operations often involve the theft of IIS machine keys, which enables attackers to maintain persistent access even after an organization attempts a standard software update. This tactical persistence makes simple remediation insufficient, requiring deep forensic investigations into server logs to identify hidden backdoors left by the attackers during initial intrusion phases.
The CISA has confirmed that three distinct SharePoint vulnerabilities are currently being exploited by threat actors to execute remote code and deploy malware.
Identifying Hidden Network Threats
The threat landscape surrounding these SharePoint flaws is particularly concerning due to the involvement of financially motivated groups and ransomware operators who target newly disclosed exploits. These actors are known for their speed in weaponizing technical vulnerabilities before organizations can finalize their patch management cycles. By utilizing custom malware and advanced defense evasion techniques, these attackers manage to disable existing endpoint security controls. The sheer number of internet-exposed servers creates a vast attack surface, leaving a substantial portion of the enterprise sector vulnerable to potential data exfiltration and ongoing disruption of critical business processes.
Identifying Hidden Network Threats
Hardening Enterprise Infrastructure Defenses
Security experts warn that the transition from vulnerability identification to active exploitation is occurring at an alarming rate. With over 10,000 servers currently accessible from the public internet, the potential impact of these exploits is massive. While many IT teams prioritize standard patching, the current situation necessitates a more proactive approach, including the integration of AMSI technology to monitor web application activity. Organizations must look beyond basic software updates and verify that their network environments are not already compromised by actors seeking to maintain long-term, illicit entry into internal private systems.
Nearly 10,000 Microsoft SharePoint server instances are currently exposed to the internet, creating a significant and highly accessible attack surface for cybercriminals.
Looking forward, the security community expects these SharePoint vulnerabilities to remain prime targets for malicious actors for the foreseeable future. Even as developers release additional fixes, the legacy of unpatched systems provides an ongoing opportunity for adversarial campaigns. It is crucial for organizations to minimize the exposure of their SharePoint deployments by employing strict firewall rules and network segmentation. Furthermore, maintaining high levels of incident readiness ensures that if a breach occurs, the impact can be contained before the threat actors can successfully move laterally through the internal network infrastructure.
Strategic Response and Mitigation
Hardening Enterprise Infrastructure Defenses
Successful mitigation depends on a multi-layered security strategy that prioritizes the most critical vulnerabilities while hardening the environment against common attack vectors. The patch management process must be accelerated to ensure that all security updates are applied within days of release to mitigate the window of opportunity for attackers. Security leaders should also verify that their server configurations align with current best practices to reduce the likelihood of unauthorized deserialization or spoofing. Neglecting these fundamental defensive hygiene tasks increases the risk of catastrophic data loss, operational paralysis, and significant damage to the overall reputation of affected enterprises.
While the current advisory focuses on a set of three primary vulnerabilities, experts are also monitoring additional high-severity bugs that could complicate recovery efforts. The CISA KEV catalog serves as a vital resource for defenders, providing the necessary intelligence to prioritize remediation efforts across diverse IT environments. As the digital threat environment continues to shift, the ability to rapidly detect, respond, and recover from sophisticated attacks will remain a defining characteristic of resilient organizations. Vigilance, combined with timely updates and robust monitoring, remains the only effective strategy against these persistent and highly motivated cyber threats targeting critical enterprise-grade software platforms.
Strategic Response and Mitigation
Defenders must treat this situation as a high-priority alert that requires immediate intervention from infrastructure security teams globally. By leveraging threat intelligence and staying informed about active exploitation patterns, organizations can better shield their SharePoint environments from evolving dangers. It is essential to recognize that security is not a one-time event but a continuous process of hardening systems, monitoring traffic, and responding to emerging alerts. As the industry advances, the focus must remain on building systems that are inherently difficult to exploit, thereby reducing the dependency on reactive patching as the sole barrier against external attacks.
KEY TAKEAWAYS
Attackers are specifically targeting IIS machine keys to maintain persistent access to compromised servers, bypassing the effects of traditional security patches.
The vulnerability CVE-2026-45659 is officially included in the CISA Known Exploited Vulnerabilities catalog due to its critical severity and active use in the wild.

