UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

SharePoint Zero-Day CVE Patch 2026: Act Now, CISA Warns

London · Servnet News Desk · IT infrastructure analysis4 min read
Share

CISA has confirmed active exploitation of three SharePoint Server vulnerabilities, prompting an urgent hardening call to any organisation running on-premise or hybrid Microsoft collaboration platforms. For UK IT leaders still weighing vulnerability management services against internal patch cycles, this is a live-fire test of how fast that process actually moves.

CVSS severity across the five flagged SharePoint CVEs
10 CVSS8 CVSS5 CVSS3 CVSS0 CVSS6.5 CVSS322018.8 CVSS456595.3 CVSS561649.1 CVSS550409.8 CVSS58644CVSS Score
View the data behind this chart
CVSS severity across the five flagged SharePoint CVEs
3220145659561645504058644
CVSS ScoreCVSS6.5CVSS8.8CVSS5.3CVSS9.1CVSS9.8

What CISA has confirmed about the SharePoint flaws

The US Cybersecurity and Infrastructure Security Agency has told all organisations running any supported version of SharePoint Server on-premise to harden their environments immediately. Three vulnerabilities sit at the centre of the alert: CVE-2026-32201, a spoofing bug rated 6.5 that Microsoft first disclosed in March and which CISA confirmed was under active attack in June; CVE-2026-45659, an 8.8-rated remote code execution flaw made public in June that Microsoft initially judged "less likely" to be exploited before CISA confirmed real-world attacks last week; and CVE-2026-56164, a 5.3 privilege escalation bug that emerged as one of 622 vulnerabilities patched in this month's record-breaking Patch Tuesday.

CISA has not disclosed the specific evidence or telemetry that triggered the alert, nor attributed the activity to any named threat actor. That silence is itself notable — it suggests either an ongoing investigation or a desire to get patch guidance out before full forensic detail is ready to share.

Why hybrid and on-prem SharePoint estates are the exposed layer

Cloud-hosted SharePoint Online sits behind Microsoft's own patching cadence, but Server deployments kept on-premise for data residency, compliance, or legacy integration reasons are squarely in scope of this warning. Many UK public sector bodies, legal firms and regulated financial services organisations run exactly this configuration, often because migrating fully to the cloud has been judged too costly or too disruptive to core workflows.

That trade-off now carries a sharper edge. Firms weighing the long-term economics of keeping servers in-house versus shifting to managed cloud collaboration should revisit the numbers using a cloud vs on-premise TCO calculator — patching overhead and incident response cost are real line items that rarely make it into the original business case.

Post-exploitation tricks: IIS keys and deserialization

CISA links the three exploited flaws to a specific post-exploitation pattern: attackers stealing Internet Information Services (IIS) machine keys and using deserialization techniques to establish persistence and drop further malware. This is not smash-and-grab activity — it is designed to survive a reboot or a superficial clean-up, which is exactly why CISA's guidance stresses rotating IIS keys only after threat hunting has taken place, not before.

Skipping the hunt-before-rotate step risks masking evidence of a live intrusion rather than removing it. Teams without in-house forensic capacity should treat this as a trigger to lean on external managed detection & response support rather than attempting a quiet, unaided fix.

Two more critical bugs waiting for a trigger

Alongside the three actively exploited flaws, CISA separately flagged two additional vulnerabilities from the same record Patch Tuesday release: CVE-2026-55040, rated 9.1, and CVE-2026-58644, rated 9.8. Neither has confirmed exploitation yet, but Microsoft has attached its "Exploitation More Likely" label to both — a signal CISA is treating as a reason to patch pre-emptively rather than wait for evidence of attacks.

With a CVSS score of 9.8, CVE-2026-58644 is effectively as severe as a vulnerability rating gets. Leaving it unpatched on an internet-facing SharePoint farm is a gamble few UK risk committees should be willing to sign off on.

Illustration: SharePoint Zero-Day CVE Patch 2026: Act Now, CISA Warns

The ToolShell precedent UK teams shouldn't ignore

CISA has explicitly pointed defenders back to an August 2025 advisory covering the so-called "ToolShell" attack chain, in which CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) were combined to break into SharePoint Servers, in some cases deploying Warlock ransomware. Microsoft said as far back as July 2025 that Chinese nation-state actors were behind ToolShell exploitation, though CISA's newer alert makes no attribution of its own.

The repeat pattern — spoofing or lower-severity bugs chained with a higher-severity RCE to gain a foothold before ransomware deployment — is precisely the scenario that ransomware protection and layered zero trust controls are built to interrupt, even when a patch has been missed.

What UK admins should do this week

CISA's recommended actions are concrete and immediately actionable for any team running SharePoint Server on-premise or in a hybrid configuration:

  • Apply Microsoft's latest security patches covering all five flagged CVEs without delay
  • Confirm Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application
  • Threat hunt for signs of prior intrusion before rotating IIS machine keys
  • Avoid exposing SharePoint to the public internet unless there is a clear operational need
  • Block external access to SharePoint Central Administration
  • Implement tailored, robust logging capable of surfacing exploitation attempts
From ToolShell to this month's SharePoint alert
W0W9W18W27W36W45W52ToolShell CISA alert (Aug…4wCVE-2026-32201 disclosed…4wActive exploitation…4wRecord 622-bug Patch…2wRCE exploitation confirmed2wTotal: 52 weeks end-to-end
View the data behind this chart
From ToolShell to this month's SharePoint alert
PhaseStarts (week)Duration (weeks)
ToolShell CISA alert (Aug…04
CVE-2026-32201 disclosed…304
Active exploitation…434
Record 622-bug Patch Tuesday472
RCE exploitation confirmed502

The bigger procurement lesson

A record 622-bug Patch Tuesday landing in the same month as three confirmed SharePoint exploits is a reminder that patch volume alone can overwhelm under-resourced teams, regardless of intent. Organisations still running out-of-support hardware or stretched thin on patch cadence should look at third-party maintenance arrangements to keep coverage current, and revisit their broader cybersecurity solutions stack to ensure detection doesn't rely solely on patching discipline. For teams still building out a formal process, our guide on what is patch management is a useful starting point before the next record-breaking update lands.

Share
Key takeaways
  • CISA has confirmed active exploitation of three SharePoint Server flaws: CVE-2026-32201 (6.5), CVE-2026-45659 (8.8) and CVE-2026-56164 (5.3)
  • Two further critical bugs, CVE-2026-55040 (9.1) and CVE-2026-58644 (9.8), are unexploited so far but flagged as "Exploitation More Likely" by Microsoft
  • Attackers are using stolen IIS machine keys and deserialization techniques to gain persistence — rotate keys only after threat hunting
  • The pattern echoes 2025's ToolShell attack chain, which was used to deploy Warlock ransomware against unpatched SharePoint Servers
Frequently asked

FAQs — SharePoint Zero-Day CVE Patch 2026

Which SharePoint versions are affected by these zero-days?

CISA's warning applies to any supported version of SharePoint Server running on-premise; SharePoint Online is not the focus of this specific alert.

Are all three flagged CVEs confirmed as actively exploited?

Yes — CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 are all confirmed by CISA as under active attack, while CVE-2026-55040 and CVE-2026-58644 are not yet confirmed exploited despite their higher CVSS scores.

What should we do before rotating IIS machine keys?

CISA advises threat hunting for signs of intrusion first, since rotating keys before checking for compromise can erase evidence attackers left behind while trying to maintain persistence.

Is this linked to last year's SharePoint ransomware attacks?

CISA has pointed defenders back to its August 2025 advisory on the ToolShell attack chain, which combined CVE-2025-49706 and CVE-2025-49704 to deploy Warlock ransomware, though it has not attributed this new activity to the same actors.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111