The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances.
These security flaws (tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) affect all supported self-hosted SharePoint Server versions, including SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model).
As detailed in a Tuesday advisory, attackers are exploiting these vulnerabilities to bypass authentication, gain remote code execution, and carry out post-exploitation activity, including stealing Internet Information Services machine keys and gaining persistence to deploy malware on compromised systems.
The U.S. cybersecurity agency also flagged two more SharePoint Server vulnerabilities (CVE-2026-55040 and CVE-2026-58644), which Microsoft patched on Tuesday and tagged as attractive targets for attackers, although they are not yet known to have been exploited in the wild.
Internet security watchdog group Shadowserver currently tracks nearly 10,000 Internet-exposed Microsoft SharePoint servers, with over 800 of them unpatched against the CVE-2026-32201 and CVE-2026-45659 vulnerabilities.






