Ethical Hacking News
US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations running Microsoft's SharePoint platform about three actively exploited vulnerabilities that pose significant security risks. These vulnerabilities include a spoofing bug, a remote code execution flaw, and a privilege escalation flaw. CISA has urged all organizations to harden their defenses by applying the latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about three actively exploited vulnerabilities in Microsoft's collaboration platform, SharePoint. The vulnerabilities pose significant security risks to organizations running any supported version of SharePoint Server on-prem. Two additional critical holes are also being highlighted for potential exploitation. CISA has identified a spoofing bug (CVE-2026-32201), a remote code execution flaw (CVE-2026-45659), and a privilege escalation flaw (CVE-2026-56164) as actively exploited vulnerabilities in SharePoint. Two additional critical vulnerabilities (CVE-2026-55040 and CVE-2026-58644) have not been actively exploited but are labeled as "Exploitation More Likely" by Microsoft. CISA has advised organizations to implement robust logging measures, rotate IIS keys regularly, block external access to SharePoint Central Administration, and enable Antimalware Scan Interface (AMSI) integration to mitigate the risks.
In a recent warning issued by the US Cybersecurity and Infrastructure Security Agency (CISA), three vulnerabilities have been identified as actively exploited in Microsoft's popular collaboration platform, SharePoint. These vulnerabilities pose significant security risks to organizations running any supported version of SharePoint Server on-prem, with two additional critical holes also being highlighted for potential exploitation.
According to CISA, the first vulnerability, CVE-2026-32201 (6.5), is a spoofing bug that was disclosed by Microsoft in March and confirmed as being actively exploited in June. This exploit allows attackers to bypass security controls and gain unauthorized access to sensitive data. The second vulnerability, CVE-2026-45659 (8.8), is a remote code execution (RCE) flaw that enables attackers to execute arbitrary code on the affected system.
The most recent of the three identified vulnerabilities, CVE-2026-56164 (5.3), is a privilege escalation flaw that allows attackers to elevate their privileges and gain access to sensitive data and systems. CISA has urged all organizations running SharePoint Server on-prem to harden their defenses by applying Microsoft's latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application.
Additionally, CISA has also highlighted two other critical vulnerabilities, CVE-2026-55040 (9.1) and CVE-2026-58644 (9.8), both of which are from the latest Patch Tuesday and have not been actively exploited to date. However, Microsoft has attached the "Exploitation More Likely" label to both, indicating that they could potentially add to the security risks faced by organizations running SharePoint.
The CISA warning also notes that attackers are chaining together two previously disclosed vulnerabilities, CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8), to break into SharePoint Servers and deploy Warlock ransomware in some cases. While CISA did not attribute the activity to any specific group or country, Microsoft had earlier noted that these ToolShell vulnerabilities were being exploited by Chinese nation-state crews.
To mitigate these risks, CISA has advised organizations to implement robust logging measures to detect potential exploits and rotate IIS keys regularly to avoid exposing SharePoint to the web unless necessary. It is also recommended that organizations block external access to SharePoint Central Administration and ensure that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application.
In conclusion, CISA's warning highlights the importance of timely patching and hardening defenses against actively exploited vulnerabilities in Microsoft's popular collaboration platform, SharePoint. Organizations running any supported version of SharePoint Server on-prem are urged to take immediate action to address these security risks and protect themselves against potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Sounds-Alarm-Over-Trio-of-Exploited-SharePoint-Flaws-ehn.shtml
https://www.theregister.com/security/2026/07/15/cisa-sounds-alarm-over-trio-of-exploited-sharepoint-flaws/5271814
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2026-32201
https://www.cvedetails.com/cve/CVE-2026-32201/
https://nvd.nist.gov/vuln/detail/CVE-2026-45659
https://www.cvedetails.com/cve/CVE-2026-45659/
https://nvd.nist.gov/vuln/detail/CVE-2026-56164
https://www.cvedetails.com/cve/CVE-2026-56164/
https://nvd.nist.gov/vuln/detail/CVE-2026-55040
https://www.cvedetails.com/cve/CVE-2026-55040/
https://nvd.nist.gov/vuln/detail/CVE-2026-58644
https://www.cvedetails.com/cve/CVE-2026-58644/
Published: Wed Jul 15 11:19:50 2026 by llama3.2 3B Q4_K_M