{"id":8790,"date":"2026-07-16T12:06:13","date_gmt":"2026-07-16T12:06:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8790"},"modified":"2026-07-16T12:06:13","modified_gmt":"2026-07-16T12:06:13","slug":"cisa-urges-immediate-sharepoint-hardening-as-exploits-mount","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8790","title":{"rendered":"CISA urges immediate SharePoint hardening as exploits mount"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to immediately secure Microsoft SharePoint deployments after warning that three vulnerabilities affecting the on-premises collaboration platform are being actively exploited.<\/p>\n<p class=\"wp-block-paragraph\">A recent <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/07\/14\/cisa-urges-sharepoint-hardening-after-new-exploitations\" target=\"_blank\" rel=\"noopener\">advisory<\/a> from the federal cybersecurity watchdog asked administrators to patch vulnerable servers, review Microsoft\u2019s mitigation guidance, and assume that internet-facing SharePoint instances remain attractive targets for attackers seeking an initial foothold into enterprise environments.<\/p>\n<p class=\"wp-block-paragraph\">While applying patches remains the immediate priority, security experts caution that organizations should view the advisory as more than another <a href=\"https:\/\/www.csoonline.com\/article\/4196940\/patch-tuesday-roundup-microsoft-fixes-a-monthly-record-569-holes-sap-patches-a-critical-memory-corruption-bug.html\">Patch Tuesday<\/a> exercise.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThis is what separates an IT incident from a business crisis,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/chrisboehmii\/\" target=\"_blank\" rel=\"noopener\">Chris Boehm<\/a>, field CTO at Zero Networks. \u201cOne compromised SharePoint box is a ticket. That same box, with a clear path to your domain controllers, backups, and file shares, is how you end up with an encrypted infrastructure and a disclosure event. Segmentation stops the first from becoming the second.\u201d<\/p>\n<p class=\"wp-block-paragraph\">CISA\u2019s advisory highlights <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32201\" target=\"_blank\" rel=\"noopener\">CVE-2026-332201<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-45659\" target=\"_blank\" rel=\"noopener\">CVE-2026-45659<\/a>, and the newly added <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-56164\" target=\"_blank\" rel=\"noopener\">CVE-2026-56164<\/a>, all of which have now been confirmed as exploited in the wild and added to the agency\u2019s Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">KEV<\/a>) catalog.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Exploitation tells a different severity story<\/h2>\n<p class=\"wp-block-paragraph\">The latest addition to CISA\u2019s KEV catalog is CVE-2026-56164, an elevation-of-privilege vulnerability affecting Microsoft SharePoint Server. Although assigned a CVSS score of 5.3, the flaw can be exploited remotely without authentication, making it significantly more dangerous in practice than its severity rating alone suggests.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft has released security updates for supported SharePoint versions and recommended enabling the Antimalware Scan Interface (AMSI) integration to help detect malicious requests associated with exploitation attempts.<\/p>\n<p class=\"wp-block-paragraph\">CISA also advised organizations to follow Microsoft\u2019s incident response <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-56164\" target=\"_blank\" rel=\"noopener\">guidance<\/a>, hunt for indicators of compromise, and rotate SharePoint machine keys where appropriate, acknowledging that patching alone may not fully remove attacker persistence from already compromised servers.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Older vulnerabilities remain active entry points<\/h2>\n<p class=\"wp-block-paragraph\">Alongside the newly disclosed flaw, CISA reiterated the urgency of addressing CVE-2026-45659, an insecure deserialization vulnerability allowing RCE that Microsoft had marked as \u201cexploitation less likely\u201d in its <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45659\" target=\"_blank\" rel=\"noopener\">advisory<\/a> in May. Another old bug CISA flagged is CVE-2026-32201, an improper input validation flaw that allows spoofing over a network.<\/p>\n<p class=\"wp-block-paragraph\">Both of these flaws are being actively exploited in the wild.<\/p>\n<p class=\"wp-block-paragraph\">CISA called out organizations failing to catch up with SharePoint updates, adding that attackers are increasingly targeting N-days rather than relying exclusively on newly discovered zero-days.<\/p>\n<p class=\"wp-block-paragraph\">On concerns of patching speed, Boehm noted resilience is becoming an architectural challenge as much as an operational one.<\/p>\n<p class=\"wp-block-paragraph\">\u201cStop measuring this in patch speed,\u201d he said. \u201cThat\u2019s a race you eventually lose. Some of these landed as zero-days with no fix on day one, and the window between disclosure and exploitation keeps shrinking. So the board-level question isn\u2019t whether a server gets compromised. Assume one will. It\u2019s how much of the business a single-owned system can take down with it.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Boehm argued that limiting network reachability through segmentation should sit alongside patch management and threat hunting as a core defensive strategy. Reachability, he said, is a control that organizations own, not patch timing. CISA has given Federal Civilian Executive Branch (FCEB) agencies three days to remediate CVE-2026-56164 under Binding Operational Directive (<a href=\"https:\/\/www.csoonline.com\/article\/4183750\/cisa-tells-agencies-to-patch-smarter-not-harder-foreshadowing-broader-industry-practice.html\">BOD)<\/a> 22-01.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to immediately secure Microsoft SharePoint deployments after warning that three vulnerabilities affecting the on-premises collaboration platform are being actively exploited. A recent advisory from the federal cybersecurity watchdog asked administrators to patch vulnerable servers, review Microsoft\u2019s mitigation guidance, and assume that internet-facing SharePoint instances [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8790","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8790"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8790"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8790\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8791"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}