CISA has confirmed active exploitation of three SharePoint Server vulnerabilities, prompting an urgent hardening call to any organisation running on-premise or hybrid Microsoft collaboration platforms. For UK IT leaders still weighing vulnerability management services against internal patch cycles, this is a live-fire test of how fast that process actually moves.
View the data behind this chart
| 32201 | 45659 | 56164 | 55040 | 58644 | |
|---|---|---|---|---|---|
| CVSS Score | CVSS6.5 | CVSS8.8 | CVSS5.3 | CVSS9.1 | CVSS9.8 |
What CISA has confirmed about the SharePoint flaws
The US Cybersecurity and Infrastructure Security Agency has told all organisations running any supported version of SharePoint Server on-premise to harden their environments immediately. Three vulnerabilities sit at the centre of the alert: CVE-2026-32201, a spoofing bug rated 6.5 that Microsoft first disclosed in March and which CISA confirmed was under active attack in June; CVE-2026-45659, an 8.8-rated remote code execution flaw made public in June that Microsoft initially judged "less likely" to be exploited before CISA confirmed real-world attacks last week; and CVE-2026-56164, a 5.3 privilege escalation bug that emerged as one of 622 vulnerabilities patched in this month's record-breaking Patch Tuesday.
CISA has not disclosed the specific evidence or telemetry that triggered the alert, nor attributed the activity to any named threat actor. That silence is itself notable — it suggests either an ongoing investigation or a desire to get patch guidance out before full forensic detail is ready to share.
Why hybrid and on-prem SharePoint estates are the exposed layer
Cloud-hosted SharePoint Online sits behind Microsoft's own patching cadence, but Server deployments kept on-premise for data residency, compliance, or legacy integration reasons are squarely in scope of this warning. Many UK public sector bodies, legal firms and regulated financial services organisations run exactly this configuration, often because migrating fully to the cloud has been judged too costly or too disruptive to core workflows.
That trade-off now carries a sharper edge. Firms weighing the long-term economics of keeping servers in-house versus shifting to managed cloud collaboration should revisit the numbers using a cloud vs on-premise TCO calculator — patching overhead and incident response cost are real line items that rarely make it into the original business case.
Post-exploitation tricks: IIS keys and deserialization
CISA links the three exploited flaws to a specific post-exploitation pattern: attackers stealing Internet Information Services (IIS) machine keys and using deserialization techniques to establish persistence and drop further malware. This is not smash-and-grab activity — it is designed to survive a reboot or a superficial clean-up, which is exactly why CISA's guidance stresses rotating IIS keys only after threat hunting has taken place, not before.
Skipping the hunt-before-rotate step risks masking evidence of a live intrusion rather than removing it. Teams without in-house forensic capacity should treat this as a trigger to lean on external managed detection & response support rather than attempting a quiet, unaided fix.
Two more critical bugs waiting for a trigger
Alongside the three actively exploited flaws, CISA separately flagged two additional vulnerabilities from the same record Patch Tuesday release: CVE-2026-55040, rated 9.1, and CVE-2026-58644, rated 9.8. Neither has confirmed exploitation yet, but Microsoft has attached its "Exploitation More Likely" label to both — a signal CISA is treating as a reason to patch pre-emptively rather than wait for evidence of attacks.
With a CVSS score of 9.8, CVE-2026-58644 is effectively as severe as a vulnerability rating gets. Leaving it unpatched on an internet-facing SharePoint farm is a gamble few UK risk committees should be willing to sign off on.

The ToolShell precedent UK teams shouldn't ignore
CISA has explicitly pointed defenders back to an August 2025 advisory covering the so-called "ToolShell" attack chain, in which CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) were combined to break into SharePoint Servers, in some cases deploying Warlock ransomware. Microsoft said as far back as July 2025 that Chinese nation-state actors were behind ToolShell exploitation, though CISA's newer alert makes no attribution of its own.
The repeat pattern — spoofing or lower-severity bugs chained with a higher-severity RCE to gain a foothold before ransomware deployment — is precisely the scenario that ransomware protection and layered zero trust controls are built to interrupt, even when a patch has been missed.
What UK admins should do this week
CISA's recommended actions are concrete and immediately actionable for any team running SharePoint Server on-premise or in a hybrid configuration:
- •Apply Microsoft's latest security patches covering all five flagged CVEs without delay
- •Confirm Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application
- •Threat hunt for signs of prior intrusion before rotating IIS machine keys
- •Avoid exposing SharePoint to the public internet unless there is a clear operational need
- •Block external access to SharePoint Central Administration
- •Implement tailored, robust logging capable of surfacing exploitation attempts
View the data behind this chart
| Phase | Starts (week) | Duration (weeks) |
|---|---|---|
| ToolShell CISA alert (Aug… | 0 | 4 |
| CVE-2026-32201 disclosed… | 30 | 4 |
| Active exploitation… | 43 | 4 |
| Record 622-bug Patch Tuesday | 47 | 2 |
| RCE exploitation confirmed | 50 | 2 |
The bigger procurement lesson
A record 622-bug Patch Tuesday landing in the same month as three confirmed SharePoint exploits is a reminder that patch volume alone can overwhelm under-resourced teams, regardless of intent. Organisations still running out-of-support hardware or stretched thin on patch cadence should look at third-party maintenance arrangements to keep coverage current, and revisit their broader cybersecurity solutions stack to ensure detection doesn't rely solely on patching discipline. For teams still building out a formal process, our guide on what is patch management is a useful starting point before the next record-breaking update lands.
