The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting multiple vulnerabilities affecting internet-facing on-premises Microsoft SharePoint Server deployments, prompting an urgent call for organizations to secure exposed systems.
The agency said the flaws affect supported on-premises versions of SharePoint Server and are being used to bypass authentication, execute malicious code remotely, and establish persistence in compromised environments. Alongside the actively exploited vulnerabilities, Microsoft has also patched two additional SharePoint flaws that CISA believes could become attractive targets for attackers.
The warning comes as CISA continues to expand its Known Exploited Vulnerabilities (KEV) Catalog, having identified 11 Microsoft SharePoint vulnerabilities exploited in real-world attacks since late 2021. The latest alert underscores the ongoing security risks facing organizations that continue to operate internet-exposed on-premises collaboration platforms and sets the stage for more urgent remediation efforts.
Active Exploitation Prompts Immediate Patching
CISA said attackers are exploiting three vulnerabilities, tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, against self-hosted SharePoint Server deployments, including SharePoint Server Subscription Edition.
According to the agency, successful exploitation allows attackers to bypass authentication, achieve remote code execution, steal Internet Information Services (IIS) machine keys, and establish persistence that can later be used to deploy malware or conduct additional post-compromise activity.
The warning follows Microsoftβs latest Patch Tuesday updates, which also addressed two further SharePoint vulnerabilities, CVE-2026-55040 and CVE-2026-58644. Although those flaws are not currently known to have been exploited in the wild, Microsoft has identified them as likely targets for future attacks.
Internet security monitoring organization Shadowserver currently tracks nearly 10,000 internet-exposed Microsoft SharePoint servers, with more than 800 reportedly remaining unpatched against two of the actively exploited vulnerabilities. CISA has urged organizations to apply Microsoftβs latest security updates, verify that patches have been installed successfully, reduce patch deployment timelines, and enable additional protections such as Windows Antimalware Scan Interface (AMSI) integration and Microsoft Defender Antivirus detections.
AI Is Raising the Pressure on Vulnerability Remediation
The latest warning arrives as CISA continues to shorten the window organizations have to respond to critical cyber threats. Earlier this month, the agency reduced the deadline for US federal agencies to remediate serious vulnerabilities to just three days under its updated Binding Operational Directive, reflecting what it describes as an increasingly aggressive threat landscape accelerated by AI.
For the newest SharePoint vulnerability, federal agencies have until July 17 to either secure affected systems or remove them from service if mitigations cannot be applied. The compressed timeline reflects growing concern that attackers are rapidly weaponizing newly disclosed vulnerabilities, leaving defenders with increasingly little time to respond.
Rob Babb, Exposure Management Strategist at Seemplicity, said organizations are no longer struggling to identify vulnerabilities but instead face a race to remediate them before attackers can exploit them.
βNone of this is a detection problem anymore. Itβs a βhow fast can you get from known to fixedβ problem.β
His comments reinforce a broader shift across enterprise security, where exposure management has become increasingly focused on reducing the time between vulnerability disclosure and remediation rather than simply expanding visibility into security risks, especially as advances in AI mean attackers can detect weak spots much faster.
Hardening SharePoint Will Remain a Priority
Beyond installing patches, CISA is urging organizations to review the overall security posture of their SharePoint environments. Recommended measures include monitoring servers for signs of compromise, investigating and removing intrusion artifacts before rotating IIS machine keys, and implementing tailored logging to detect suspicious activity.
The agency also advises against exposing SharePoint servers directly to the public internet wherever possible. Where external access is required, organizations should place systems behind Layer 7 reverse proxies or comparable application-layer security controls while restricting communication between SharePoint farms and databases to only essential systems.
The latest guidance also highlights the importance of protecting SharePoint Central Administration by blocking external access and following Microsoftβs broader SharePoint security hardening recommendations. These defensive measures are intended to reduce opportunities for attackers even after vulnerabilities have been patched.
With attackers continuing to target widely deployed enterprise collaboration platforms, the SharePoint vulnerabilities are another reminder that organizations must combine rapid remediation with stronger hardening practices to stay ahead of evolving threats as AI enables faster discovery and weaponization of security flaws.