CISA Alert: Active Exploits Targeting Multiple SharePoint Vulnerabilities

0
7

Key Takeaways

  • The Cybersecurity and Infrastructure Security Agency (CISA) has warned that three on‑premises Microsoft SharePoint Server vulnerabilities are actively being exploited to steal Internet Information Services (IIS) machine keys and achieve persistent access.
  • The flaws include an input‑validation spoofing issue (CVE‑2026-32201), a remote‑code‑execution deserialization bug (CVE‑2026-45659, CVSS 8.8), and a privilege‑escalation vulnerability (CVE‑2026-56164).
  • Rapid7 disclosed an additional authentication‑bypass flaw (CVE‑2026-55040) that can chain with another vulnerability to enable remote code execution; a patch is not expected until Microsoft’s August update cycle.
  • Because SharePoint is widely deployed across government and private sectors, exploitation attempts are appearing within 24‑72 hours of disclosure.
  • CISA recommends enabling Microsoft’s Antimalware Scan Interface (AMSI) for each SharePoint web app, rotating IIS machine keys, checking for intrusion artifacts such as machine‑key harvesters, avoiding direct internet exposure of SharePoint, and blocking external access to SharePoint Central Administration.
  • Organizations should consult Microsoft’s SharePoint hardening guide and apply patches as soon as they become available to mitigate risk.

Summary of CISA Warning
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding three vulnerabilities affecting on‑premises editions of Microsoft SharePoint Server. The agency noted that threat actors are actively exploiting these flaws to harvest Internet Information Services (IIS) machine keys, which can then be used to establish persistent, unauthorized access to compromised environments. Once the keys are obtained, attackers leverage deserialization techniques to deploy malware and maintain footholds within the network. CISA’s advisory emphasizes the need for immediate defensive actions, given the critical role SharePoint plays in document management and collaboration across numerous sectors.

Details of the Three Vulnerabilities
The first flaw, tracked as CVE‑2026-32201, is an improper input validation vulnerability that permits network‑based spoofing attacks. Although initially disclosed in April, it has resurfaced as part of the current exploitation wave. The second vulnerability, CVE‑2026-45659, is a remote code execution (RCE) issue stemming from the deserialization of untrusted data; it carries a CVSS severity score of 8.8, reflecting its high potential impact. The third vulnerability, CVE‑2026-56164, was disclosed on the same day as the CISA alert and allows an attacker to elevate privileges over a network. Together, these bugs enable adversaries to bypass authentication, execute arbitrary code, and gain heightened privileges on SharePoint servers.

Rapid7 Authentication Bypass Discovery
In parallel with CISA’s warning, researchers at Rapid7 disclosed a newly identified authentication bypass vulnerability, designated CVE‑2026-55040. Rapid7 explained that this flaw, when combined with a second, as‑yet‑unnamed vulnerability, can be chained to achieve remote code execution on affected SharePoint installations. The firm noted that Microsoft has not scheduled a patch for this issue until the August security update cycle, leaving a window of exposure for organizations that rely on on‑premises SharePoint. Rapid7’s analysis underscores the importance of monitoring for exploit attempts that combine multiple weaknesses, as attackers often seek to amplify the impact of individual flaws through chaining.

Impact and Exploitation Trends
Because SharePoint serves as a widely used document and collaboration platform within federal, state, local, tribal, and territorial (SLTT) governments as well as private enterprises, the exploitation activity is drawing close scrutiny from security teams across diverse sectors. TJ Sayers, senior director of threat intelligence at the Center for Internet Security (CIS), told Cybersecurity Dive that threat actors typically begin exploiting disclosed vulnerabilities—including those inferred from vendor patch notes—within 24 to 72 hours of release. The current campaign follows this pattern, with attackers quickly moving to harvest IIS machine keys and deploy persistence mechanisms. The speed of exploitation highlights the necessity for rapid detection and response capabilities.

Mitigation Recommendations from CISA
CISA advises several concrete steps to reduce risk. First, organizations should ensure that Microsoft’s Antimalware Scan Interface (AMSI) is enabled for every SharePoint web application; Microsoft has published guidance on integrating AMSI with SharePoint. Second, rotating IIS machine keys is essential, as stolen keys are a primary target of the ongoing attacks. Security teams should also hunt for intrusion artifacts, such as machine‑key harvesters, which may indicate a breach has already occurred. Additionally, CISA recommends avoiding direct exposure of SharePoint to the internet and blocking external access to SharePoint Central Administration to limit the attack surface. Finally, the agency provides a link to Microsoft’s SharePoint hardening guide, which consolidates best practices for securing the platform.

Conclusion and Call to Action
The convergence of multiple SharePoint vulnerabilities—including a high‑severity RCE flaw, a privilege‑escalation bug, and an authentication bypass that can be chained to RCE—creates a potent threat landscape for organizations that have not yet applied mitigations. The rapid exploitation observed by CISA and corroborated by threat intelligence feeds underscores the urgency of implementing the recommended defenses. By enabling AMSI, rotating machine keys, scrutinizing for signs of compromise, limiting internet‑facing exposure, and following Microsoft’s hardening guidance, organizations can significantly reduce their risk of compromise. Continuous monitoring and timely application of patches once they become available in the August update cycle will be critical to maintaining the security and availability of SharePoint environments in the face of evolving adversary tactics.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here