UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

SharePoint Zero-Day Patch 2026: CISA Alert for UK Admins

London · Servnet News Desk · IT infrastructure analysis3 min read
Share

CISA has confirmed active exploitation of three on-premises SharePoint Server vulnerabilities with no available mitigation beyond patching. For UK organisations still running self-hosted farms, this is a stop-what-you're-doing moment — vulnerability management solutions need to move from monthly cadence to hours.

Exposed SharePoint servers vs unpatched instances
10000 servers7500 servers5000 servers2500 servers0 servers10000 serversInternet-exposed…800 serversUnpatched vs two active…Servers
View the data behind this chart
Exposed SharePoint servers vs unpatched instances
Internet-exposed…Unpatched vs two active…
Serversservers10000servers800

What CISA actually confirmed

The US Cybersecurity and Infrastructure Security Agency issued an advisory on Tuesday warning that attackers are exploiting three flaws — CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 — to compromise Internet-facing on-premises SharePoint Server deployments, according to BleepingComputer. All three affect every supported self-hosted SharePoint version, including the current SharePoint Server Subscription Edition, which runs on Microsoft's continuous update model. There is no configuration workaround: patching is the only route to safety.

Attackers chaining these bugs are bypassing authentication, achieving remote code execution, then harvesting Internet Information Services machine keys before installing persistence and malware — a sequence that gives them long-term access even after a server reboot.

Why UK buyers can't treat this as a US-only alert

CISA is a US agency, but SharePoint Server is deployed identically wherever it's hosted, and Shadowserver's Internet-wide scanning — cited in the advisory — currently counts nearly 10,000 exposed SharePoint servers globally, with over 800 still unpatched against two of the three actively exploited flaws. UK public sector bodies, legal firms, manufacturers and universities running legacy on-premises SharePoint farms sit inside that exposed population just as readily as US targets. Threat actors scanning the open internet for vulnerable endpoints don't check jurisdiction before they knock.

Two more patched flaws to watch

Microsoft also shipped fixes on Tuesday for CVE-2026-55040 and CVE-2026-58644, which CISA flagged as high-value targets for attackers even though neither is confirmed as exploited yet. UK teams patching the three active flaws should apply these two in the same maintenance window rather than treating them as lower priority — history shows SharePoint bugs move from 'patched, not yet exploited' to active exploitation within weeks.

Illustration: SharePoint Zero-Day Patch 2026: CISA Alert for UK Admins

CISA's hardening checklist for on-prem SharePoint

Beyond installing and verifying Microsoft's patches, CISA's advisory sets out a broader hardening programme that UK infrastructure teams should treat as a baseline, not an option, given the lack of any interim mitigation.

  • Apply the latest patches and independently verify successful installation on every farm member
  • Shorten patch cycles for SharePoint specifically, rather than waiting for the next scheduled window
  • Enable Windows AMSI integration for SharePoint web applications and rely on Microsoft Defender detections to spot compromise
  • Hunt for intrusion artefacts before rotating IIS machine keys — rotating keys without remediation first can mask an active compromise
  • Block external access to SharePoint Central Administration and restrict farm-to-database traffic to only what's required
  • Avoid direct internet exposure where possible, and where exposure is unavoidable, sit the server behind a Layer 7 reverse proxy or equivalent application-layer control

The pattern buyers should factor into their risk model

Since November 2021, CISA has added 11 separate Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities catalogue, and seven of those have gone on to be used in ransomware campaigns. CVE-2026-32201 was added on 14 April, CVE-2026-45659 on 1 July, and CVE-2026-56164 as recently as 14 July — with US federal agencies given only until 17 July to secure or disconnect affected servers under Binding Operational Directive 26-04. That compressed timeline reflects how quickly exploitation typically follows disclosure for this product, and it's the same clock UK organisations are running against, whether or not they're bound by a US directive.

For teams that can't patch fast enough on their own, this is exactly the scenario where third-party maintenance for your on-premises infrastructure and a tested incident response plan earn their keep — the gap between disclosure and exploitation is measured in days, not weeks.

What UK IT decision-makers should do this week

Confirm every SharePoint farm's patch level against Microsoft's July releases, prioritise Internet-facing servers first, and assume compromise where patching has lagged — that means checking for stolen IIS machine keys and unexpected persistence before rotating credentials. Where SharePoint sits inside a broader estate, this is also a prompt to review zero trust segmentation so a compromised web-facing server can't move laterally, and to lean on managed detection & response for out-of-hours monitoring while patches roll out. Organisations without a mature patching pipeline should treat this incident as the business case for investing in cyber security services and comprehensive IT services that keep on-premises platforms current by default, not by emergency.

Share
Key takeaways
  • Three CVEs — CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 — are being actively exploited against on-premises SharePoint Server with no mitigation beyond patching
  • Nearly 10,000 SharePoint servers are exposed to the Internet globally, with over 800 unpatched against two of the three active flaws
  • Two additional CVEs, CVE-2026-55040 and CVE-2026-58644, were patched the same day and flagged as likely future exploitation targets
  • SharePoint has produced 11 exploited CVEs since 2021, seven of which led to ransomware — patch cycles need to shorten permanently, not just this week
Frequently asked

FAQs — SharePoint Zero-Day Patch 2026

Which SharePoint vulnerabilities are being actively exploited in July 2026?

CISA confirmed active exploitation of CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164, all affecting supported on-premises SharePoint Server versions including SharePoint Server Subscription Edition.

Is there a mitigation if we can't patch immediately?

CISA's advisory offers hardening steps — blocking external access to Central Administration, enabling AMSI and Defender detections, and using a Layer 7 reverse proxy — but there is no substitute mitigation for the patches themselves, according to the advisory.

Does this affect UK organisations even though CISA is a US agency?

Yes. Shadowserver's global scanning shows exposed SharePoint servers everywhere, and exploitation isn't geographically limited — any Internet-facing on-premises SharePoint instance is at risk regardless of jurisdiction.

Should we worry about the two newly patched, non-exploited CVEs too?

CISA flagged CVE-2026-55040 and CVE-2026-58644 as attractive targets for attackers even though exploitation hasn't been confirmed yet, so patching them alongside the three active flaws is strongly advised.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111