CISA Urges Immediate Patching for Three Exploited SharePoint Vulnerabilities (Two Are Zero-Days)

CISA raises the SharePoint patch stakes — three actively exploited flaws, two of them zero-days, and defender teams accelerate verification this week.

Share
Editorial illustration of a shared-document portal showing three cracks beside an alarm bell, marking CISA's warning on three exploited SharePoint flaws, two zero-days.

Key Takeaways

  • The US Cybersecurity and Infrastructure Security Agency (CISA) on July 15, 2026 urged organizations to immediately patch and harden on-premises Microsoft SharePoint servers, warning that three SharePoint vulnerabilities are being actively exploited — two of them reportedly targeted as zero-days. The Register covered the alert under the headline “CISA sounds alarm over trio of exploited SharePoint flaws,” and SecurityWeek reported the same three-exploited, two-zero-day framing.
  • SecurityWeek reports the exploited trio as CVE-2026-56164 — added to CISA's Known Exploited Vulnerabilities catalog with a three-day federal patch deadline under BOD 26-04 — alongside CVE-2026-32201 and CVE-2026-45659. It also reports two additional critical SharePoint flaws, CVE-2026-55040 and CVE-2026-58644, that raise exposure even though they are not flagged as exploited.
  • For SharePoint operators the immediate task is accelerated verification: confirm that July's SharePoint updates actually applied across on-premises estates, prioritize internet-reachable servers, and work through CISA's hardening checklist this week — rather than waiting for the precise CVE mapping and severity picture to fully settle.

CISA's SharePoint alert stacks three actively exploited flaws — two reportedly zero-days — onto an already-record July patch cycle; the defender job this week is verifying the fixes landed.

WASHINGTON (CISA) — The US Cybersecurity and Infrastructure Security Agency (CISA) on July 15, 2026 urged organizations to immediately patch and harden on-premises Microsoft SharePoint servers, warning that three SharePoint vulnerabilities are being actively exploited — two of them reportedly targeted as zero-days. The advisory turns a routine July patch cycle into a time-boxed verification task: for SharePoint operators, the practical job this week is confirming that the fixes are installed across their estates, starting with any server reachable from the internet.

The warning was reported by The Register, under the headline “CISA sounds alarm over trio of exploited SharePoint flaws,” and by SecurityWeek, which reported that three SharePoint vulnerabilities are actively exploited, including two targeted as zero-days. The CyberSignal is covering this as a defender-facing directive story: what CISA is telling teams to do, where the fixes sit in Microsoft's July release, and which specifics are still settling. We are not reproducing exploitation detail. As always with an actively exploited flaw, the fastest risk reduction is applying the vendor patch and verifying it landed.

At a Glance
FieldDetails
IssuerCISA (Cybersecurity and Infrastructure Security Agency)
DateJuly 15, 2026
DirectiveImmediate patching and hardening of on-premises Microsoft SharePoint
Actively exploitedThree SharePoint vulnerabilities; two reportedly targeted as zero-days
Exploited trio (reported)CVE-2026-56164, CVE-2026-32201, CVE-2026-45659 (per SecurityWeek)
Additional critical flaws (not flagged exploited)CVE-2026-55040, CVE-2026-58644 (per SecurityWeek)
KEV / deadlineCVE-2026-56164 reportedly added to CISA's KEV catalog; three-day federal patch window under BOD 26-04
Affected (reported)Supported on-premises SharePoint Server — Subscription Edition, 2019, and 2016 (per SecurityWeek)

What CISA Disclosed

CISA on July 15, 2026 called for immediate hardening of on-premises Microsoft SharePoint servers after new exploitation activity, urging organizations to apply Microsoft's patches without delay. The agency's own alert on SharePoint hardening frames the response around a widely deployed collaboration platform whose internet-facing servers draw steady attention. The through-line reported by both The Register and SecurityWeek is consistent: three SharePoint vulnerabilities are actively exploited, two of them reportedly targeted as zero-days.

The CyberSignal is deliberately not walking through how any of the flaws are exploited. What matters for defenders is the shape of the directive — patch now, then harden — and the fact that the exploitation is happening against a class of server that many organizations still run on-premises.

The Three Exploited Flaws and Two Zero-Days

SecurityWeek reports the exploited trio as three distinct SharePoint issues. The freshest, CVE-2026-56164, is described as a privilege-escalation flaw resolved with Microsoft's July 2026 Patch Tuesday updates and, per that reporting, added to CISA's Known Exploited Vulnerabilities catalog with federal agencies directed to patch within three days in line with BOD 26-04. The second, CVE-2026-32201, is reported as a spoofing issue patched back in April after being exploited as a zero-day. The third, CVE-2026-45659, is a code-execution flaw The CyberSignal has already covered — a SharePoint deserialization remote-code-execution issue reportedly patched in May via an out-of-band update and added to CISA's KEV list in early July.

The reported picture, then, is not three brand-new flaws landing at once but a running set of SharePoint exposures that CISA has now grouped into a single urgent call to action. Two of the three are reportedly the ones targeted as zero-days; readers should take the precise CVE-to-zero-day mapping and the severity scores from CISA's advisory and the primary reporting rather than from any single restatement. The defender takeaway does not depend on that mapping: all three are reportedly exploited, and all three have patches available.

Continuation Context: SharePoint CVE-2026-55040 and July Patch Tuesday

This alert continues a SharePoint thread The CyberSignal has been tracking through the July cycle. It follows Microsoft's fix for CVE-2026-55040, a SharePoint JWT-token authentication-bypass flaw, and it lands inside the same release as Microsoft's record July 2026 Patch Tuesday — 622 CVEs, including two zero-days under active attack. A useful clarification sits here: SecurityWeek reports that CVE-2026-55040 is one of two additional critical SharePoint flaws that were fixed but are not flagged as exploited — it is not, on that reporting, one of the three actively exploited vulnerabilities driving CISA's alarm.

That distinction matters for triage. The July SharePoint story now spans several CVEs at different stages — some exploited and on the KEV clock, some critical-but-not-exploited — and it is easy to conflate them in a 622-CVE month. Keeping the exploited trio separate from the additional critical fixes is what lets a team schedule the release sensibly rather than treating every SharePoint line as identical.

Defender Posture: Accelerated SharePoint Patch Verification

For SharePoint operators, the response follows the standard patch-management playbook, weighted toward exposure and speed. Internet-reachable SharePoint servers come first, followed by internal deployments, with verification that July's updates actually applied rather than merely downloaded. SecurityWeek reports the exploited issues affect all supported on-premises SharePoint Server versions — Subscription Edition, 2019, and 2016 — so an accurate inventory of which editions are running, and where, is the precondition for any of this.

Beyond applying the updates, CISA's guidance as reported runs to a familiar hardening checklist: monitor SharePoint servers for unusual activity, ensure security products cover all SharePoint web applications, hunt for signs of intrusion, rotate Internet Information Services (IIS) machine keys, enable tailored logging, keep SharePoint servers off the public internet where possible, and restrict access to administrative interfaces. None of that is exotic — it is the durable posture that also bounds the impact of the next SharePoint issue. The single most valuable move this week is to make verification an explicit, owned task: a staged-but-uninstalled patch provides no protection.

The Two Additional Critical Holes

The Register notes that two additional critical vulnerabilities could compound the risk beyond the exploited trio. Per SecurityWeek, those are CVE-2026-55040 — the security-feature-bypass flaw The CyberSignal covered separately — and CVE-2026-58644, described as a critical SharePoint issue that could allow remote code execution. Both were reportedly resolved in Microsoft's July updates, and neither is flagged as actively exploited at the time of the reporting. CISA's caution, as relayed, is that unexploited today does not mean safe to defer: unpatched critical flaws remain a risk if they are left in place.

That caution has empirical backing. Verizon's 2026 Data Breach Investigations Report found that vulnerability exploitation has overtaken credential theft as the top initial-access vector, which is the broader reason a stack of critical, server-side SharePoint fixes warrants prompt attention even for the items that carry no confirmed exploitation yet. In practice, the additional critical holes belong in the same maintenance window as the exploited trio, not a later one.

Open Questions

Several specifics remain open at the time of publication, and The CyberSignal is holding them as questions rather than filling them in. The precise mapping of which two of the three exploited flaws are the zero-days, and the exact CVSS scores attached to each CVE, should be taken from CISA's advisory and the primary reporting rather than inferred here. Coverage names no threat actors behind the exploitation, and this write-up does not attribute the activity to any group.

It is also not independently confirmed here whether each of the five CVEs has a discrete, standalone Microsoft advisory tied to it, or whether the two additional critical flaws will later move onto CISA's KEV catalog if exploitation is observed. Those are watch items, not stated facts. What none of the open questions change is the present guidance: apply July's SharePoint updates, verify they landed, and work through CISA's hardening steps.


The CyberSignal Analysis

The reported facts above come from CISA's alert and from The Register's and SecurityWeek's coverage; what follows is The CyberSignal's editorial reading of what defenders should do with them. None of the judgments below are new reported facts.

Signal 01 — Verification Is the Deliverable This Week

The most useful thing a SharePoint operator can do with this alert is unglamorous: confirm July's updates are installed, not merely available. Our reading is that the risk in a directive like this is rarely the flaws themselves — the vendor has already shipped fixes — but the gap between a patch being released and a patch being verified in production. That gap is where actively exploited server flaws turn into incidents, and it is entirely within the defender's control.

The interpretation we would push is to treat verification, not deployment, as the deliverable. Internet-facing SharePoint first, then internal, with a per-host check that the update actually applied. In a record 622-CVE month, the SharePoint lines are easy to lose track of; making their verification an explicit, owned task is the difference between covered and assumed-covered.

Signal 02 — A KEV Listing Plus BOD 26-04 Compresses the Federal Clock

The reported addition of CVE-2026-56164 to CISA's KEV catalog is the part that changes the calendar for federal agencies, and it is worth reading as a signal for everyone else. Our assessment is that a KEV listing paired with a three-day patch window under BOD 26-04 is CISA's way of saying the severity debate is over for that flaw — action is due on a fixed clock, not when a team gets around to it.

For organizations outside the federal mandate, the takeaway is to borrow the tempo. A KEV-listed, actively exploited authentication or privilege flaw in an internet-facing server is exactly the profile that rewards moving now and documenting the CVSS refinement later, rather than gating action on a still-settling severity picture.

Signal 03 — On-Prem SharePoint Is a Standing Exposure, Not a One-Off

This is not the first SharePoint server fix defenders have absorbed this cycle, and the grouping of multiple CVEs into a single CISA alert underlines the pattern. Our reading is that on-premises SharePoint should be modeled as a recurring, high-value exposure — an internet-adjacent collaboration platform that draws sustained researcher and adversary interest — rather than as an occasional exception to be handled ad hoc.

The forward-looking watch item is exposure hygiene: whether on-prem SharePoint needs to face the public internet at all, and if it does, whether it sits behind the monitoring, logging, key rotation, and administrative-access restrictions CISA is recommending. Those controls pay off across every SharePoint disclosure, not just this week's, and they are the difference between a standing process and a scramble the next time a trio like this surfaces.


Sources

TypeSource
PrimaryCISA — Alert: CISA Urges SharePoint Hardening After New Exploitations
ReportingThe Register — CISA sounds alarm over trio of exploited SharePoint flaws
ReportingSecurityWeek — CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities
RelatedThe CyberSignal — Microsoft July 2026 Patch Tuesday: 622 CVEs, Two Zero-Days
RelatedThe CyberSignal — Microsoft Patches SharePoint JWT Authentication-Bypass Flaw (CVE-2026-55040)
RelatedThe CyberSignal — Microsoft SharePoint CVE-2026-45659 Deserialization RCE