Urgent Advisory: SharePoint Zero-Day Under Active Exploitation - CVE-2026-56164
- CVE ID
- CVE-2026-56164
- CVSS Score
- 5.3
- Affected Products
- Microsoft SharePoint Server
Overview
A critical elevation of privilege (EoP) vulnerability, identified as CVE-2026-56164, has been discovered in Microsoft SharePoint Server. This flaw stems from a missing authentication for a critical function, allowing an unauthorized attacker to gain elevated privileges over a network without requiring any credentials or user interaction. Notably, this vulnerability is being actively exploited in the wild as a zero-day and has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, underscoring its immediate threat. While rated with a CVSS score of 5.3 (Medium severity), the confirmed active exploitation elevates its urgency significantly for all organizations leveraging on-premises SharePoint deployments. This vulnerability was addressed as part of Microsoft’s unusually large July 2026 Patch Tuesday release. Affected products include Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition.
Technical Details
The core of CVE-2026-56164 lies in a lapse of proper authentication for a critical function within Microsoft SharePoint Server, categorized under CWE-306: Missing Authentication for Critical Function. This oversight provides a direct and unauthenticated network attack vector, meaning an attacker can exploit the vulnerability remotely without needing to first compromise legitimate user accounts or trick users into performing specific actions.
Upon successful exploitation, an unauthorized attacker can achieve elevation of privileges across the network. While Microsoft’s public description confirms the privilege gain, the precise starting and resulting privilege levels are not explicitly detailed, creating a degree of uncertainty regarding the full scope of a compromise. However, CISA’s alert indicates that active exploitation enables cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. This access can lead to significant post-exploitation activities, such as the theft of Internet Information Services (IIS) machine keys and the use of deserialization techniques to establish persistence and deploy malware. The discovery of this vulnerability is credited to a collaborative effort including Jayson Frost of Mandiant Incident Response, Genwei Jiang of Google Cloud, FLARE OTF, and an anonymous researcher, suggesting its identification during active incident response efforts.
Real-World Impact
The most pressing aspect of CVE-2026-56164 is its confirmed active exploitation as a zero-day. This shifts it from a theoretical risk to an immediate and demonstrable threat to organizations worldwide. Despite its “Medium” CVSS score, the evidence of in-the-wild exploitation mandates that this vulnerability be prioritized above many “Critical” or “Important” rated flaws that lack active threat activity.
SharePoint Server is a cornerstone of enterprise collaboration and data management, often housing vast amounts of sensitive business data and intellectual property. A compromise of this magnitude can grant attackers a significant network foothold or even administrative rights, providing a gateway to further lateral movement and impact across the entire environment. Historically, SharePoint has been a frequent target for malicious actors, with prior chains like “ToolShell” in 2025 underscoring its attractiveness as a high-value asset. While specific victims or named threat actors have not been publicly disclosed by Microsoft, the very nature of its discovery by incident response teams (Mandiant, Google FLARE) strongly implies that real-world intrusions prompted the identification of this flaw. Organizations should operate under the assumption that they are potential targets and maintain vigilance for any indicators of compromise related to their SharePoint infrastructure.
Threat Landscape
Given that CVE-2026-56164 is an actively exploited zero-day, the threat actors leveraging it are likely sophisticated, with the resources and capabilities to discover and operationalize such flaws before patches are available. While no specific threat actor groups or campaigns have been publicly attributed to the exploitation of this particular CVE, the nature of the vulnerability—allowing unauthenticated privilege escalation over a network in a widely used enterprise product—makes it highly appealing to various adversaries. This could include state-sponsored groups focused on espionage, financially motivated cybercriminals seeking data for extortion or sale, or even ransomware operators looking for initial access and privilege escalation within corporate networks.
The widespread deployment of Microsoft SharePoint Server across diverse industries and geographic regions means that potential victims are not confined to a niche sector. Any organization running an unpatched, internet-exposed on-premises SharePoint deployment is at elevated risk. Although “known ransomware use” is currently unknown for this specific CVE, the ability to gain elevated privileges and potentially deploy malware, as indicated by CISA, frequently serves as a precursor to ransomware deployment or other destructive attacks. Therefore, organizations should consider the broader implications of such a compromise within their threat modeling.
Remediation
Immediate action is required to mitigate the risk posed by CVE-2026-56164. The primary and most effective remediation is to apply the latest security updates released by Microsoft. Organizations, particularly federal agencies, must adhere to CISA’s BOD 26-04 guidance, which mandates patching by July 17, 2026.
In addition to patching, Microsoft has provided important mitigation steps:
- Enable Antimalware Scan Interface (AMSI) integration for all SharePoint web applications. This feature can help detect and block malicious requests.
- Ensure the Request Body Scan mode within AMSI integration is set to “Full” where feasible, as this offers enhanced scanning capabilities.
Furthermore, robust security hardening measures are essential for SharePoint deployments:
- Minimize Internet Exposure: Avoid direct exposure of SharePoint Servers to the internet. If external access is necessary, ensure the server is placed behind a Layer 7 reverse proxy or an equivalent application-layer security control that enforces authentication and can inspect/filter requests.
- Restrict Access: Block external access to SharePoint Central Administration. Restrict farm and database communications to only required systems.
- Review Security Guidance: Continuously review and apply Microsoft’s SharePoint Server security-hardening guidance, including recommendations for role-specific ports, services, and
Web.configsettings. - Proactive Monitoring: Implement robust monitoring for all SharePoint Servers. Look for any signs of exploitation or unusual activity using AMSI and Microsoft Defender Antivirus (MDAV) detections such as
Exploit:Script/SuspSignoutReqBody.AandExploit:Script/ToolPaneAuthBypass.A.
It is also crucial to note that SharePoint Server 2016 and 2019 are reaching the end of their extended support, and unlike some other Microsoft products, they do not offer a paid Extended Security Update (ESU) program. This makes timely patching for these versions even more critical, as future vulnerabilities may not receive security updates. Stakeholders are responsible for evaluating each asset’s internet exposure and ensuring strict adherence to patching guidelines.
Related content
CISA Adds Four Actively Exploited Vulnerabilities, Including SonicWall and Microsoft…
AdvisoryActively Exploited Zero-Days in Microsoft SharePoint and AD FS Demand Immediate Patching
AdvisoryCISA Adds Actively Exploited SharePoint RCE (CVE-2026-45659) to KEV Catalog
AdvisoryCritical SharePoint RCE (CVE-2026-58644) Actively Exploited – Immediate Action Required
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call