Three bugs are under active attack, and two more critical holes could add to the pain

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations running SharePoint to harden their defenses after the disclosure of actively exploited vulnerabilities.The warning applies to those running any supported version of SharePoint Server on-prem, with three vulnerabilities of particular interest cited.A spoofing bug, CVE-2026-32201 (6.5), was the first to be mentioned. Microsoft disclosed it in March and CISA confirmed it was being actively exploited in June.

Additionally, CISA appears concerned by CVE-2026-45659 (8.8) – a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely."

The most recent of the three, CVE-2026-56164 (5.3), a privilege escalation flaw, was one of the 622 bugs that featured in this month's record Patch Tuesday.CISA also picked out two more critical bugs, both from the latest Patch Tuesday, as ones that could potentially complicate SharePoint security further. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is being actively exploited to date, although Microsoft has attached the "Exploitation More Likely" label to both.CISA said the three exploited vulnerabilities are associated with post-exploitation activity, including the theft of Internet Information Services (IIS) machine keys and deserialization techniques, both in an effort to gain persistence and deploy malware.