CISA has confirmed active exploitation of three on-premises SharePoint Server vulnerabilities with no available mitigation beyond patching. For UK organisations still running self-hosted farms, this is a stop-what-you're-doing moment — vulnerability management solutions need to move from monthly cadence to hours.
View the data behind this chart
| Internet-exposed… | Unpatched vs two active… | |
|---|---|---|
| Servers | servers10000 | servers800 |
What CISA actually confirmed
The US Cybersecurity and Infrastructure Security Agency issued an advisory on Tuesday warning that attackers are exploiting three flaws — CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 — to compromise Internet-facing on-premises SharePoint Server deployments, according to BleepingComputer. All three affect every supported self-hosted SharePoint version, including the current SharePoint Server Subscription Edition, which runs on Microsoft's continuous update model. There is no configuration workaround: patching is the only route to safety.
Attackers chaining these bugs are bypassing authentication, achieving remote code execution, then harvesting Internet Information Services machine keys before installing persistence and malware — a sequence that gives them long-term access even after a server reboot.
Why UK buyers can't treat this as a US-only alert
CISA is a US agency, but SharePoint Server is deployed identically wherever it's hosted, and Shadowserver's Internet-wide scanning — cited in the advisory — currently counts nearly 10,000 exposed SharePoint servers globally, with over 800 still unpatched against two of the three actively exploited flaws. UK public sector bodies, legal firms, manufacturers and universities running legacy on-premises SharePoint farms sit inside that exposed population just as readily as US targets. Threat actors scanning the open internet for vulnerable endpoints don't check jurisdiction before they knock.
Two more patched flaws to watch
Microsoft also shipped fixes on Tuesday for CVE-2026-55040 and CVE-2026-58644, which CISA flagged as high-value targets for attackers even though neither is confirmed as exploited yet. UK teams patching the three active flaws should apply these two in the same maintenance window rather than treating them as lower priority — history shows SharePoint bugs move from 'patched, not yet exploited' to active exploitation within weeks.

CISA's hardening checklist for on-prem SharePoint
Beyond installing and verifying Microsoft's patches, CISA's advisory sets out a broader hardening programme that UK infrastructure teams should treat as a baseline, not an option, given the lack of any interim mitigation.
- •Apply the latest patches and independently verify successful installation on every farm member
- •Shorten patch cycles for SharePoint specifically, rather than waiting for the next scheduled window
- •Enable Windows AMSI integration for SharePoint web applications and rely on Microsoft Defender detections to spot compromise
- •Hunt for intrusion artefacts before rotating IIS machine keys — rotating keys without remediation first can mask an active compromise
- •Block external access to SharePoint Central Administration and restrict farm-to-database traffic to only what's required
- •Avoid direct internet exposure where possible, and where exposure is unavoidable, sit the server behind a Layer 7 reverse proxy or equivalent application-layer control
The pattern buyers should factor into their risk model
Since November 2021, CISA has added 11 separate Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities catalogue, and seven of those have gone on to be used in ransomware campaigns. CVE-2026-32201 was added on 14 April, CVE-2026-45659 on 1 July, and CVE-2026-56164 as recently as 14 July — with US federal agencies given only until 17 July to secure or disconnect affected servers under Binding Operational Directive 26-04. That compressed timeline reflects how quickly exploitation typically follows disclosure for this product, and it's the same clock UK organisations are running against, whether or not they're bound by a US directive.
For teams that can't patch fast enough on their own, this is exactly the scenario where third-party maintenance for your on-premises infrastructure and a tested incident response plan earn their keep — the gap between disclosure and exploitation is measured in days, not weeks.
What UK IT decision-makers should do this week
Confirm every SharePoint farm's patch level against Microsoft's July releases, prioritise Internet-facing servers first, and assume compromise where patching has lagged — that means checking for stolen IIS machine keys and unexpected persistence before rotating credentials. Where SharePoint sits inside a broader estate, this is also a prompt to review zero trust segmentation so a compromised web-facing server can't move laterally, and to lean on managed detection & response for out-of-hours monitoring while patches roll out. Organisations without a mature patching pipeline should treat this incident as the business case for investing in cyber security services and comprehensive IT services that keep on-premises platforms current by default, not by emergency.
