Full Report
AL26-017 - Critical vulnerabilities impacting Microsoft SharePoint Server – CVE-2026-56164, CVE-2026-55040 and CVE-2026-58644
Analysis Summary
# Vulnerability: Critical Remote Code Execution and Privilege Escalation in Microsoft SharePoint Server
## CVE Details
- **CVE ID:** CVE-2026-56164 (Elevation of Privilege), CVE-2026-55040 (Security Feature Bypass), CVE-2026-58644 (Remote Code Execution)
- **CVSS Score:** Not explicitly listed in text, but categorized as **Critical**.
- **CWE:**
- CVE-2026-56164: CWE-306 (Missing Authentication for Critical Function)
- CVE-2026-55040: CWE-1390 (Weak Authentication)
- CVE-2026-58644: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:**
- SharePoint Enterprise Server 2016: Versions prior to 16.0.5561.1001
- SharePoint Server 2019: Versions prior to 16.0.10417.20175
- SharePoint Server Subscription Edition: Versions prior to 16.0.19725.20434
- **Configurations:** On-premises instances, particularly those exposed to the internet.
## Vulnerability Description
This advisory covers three distinct critical flaws:
1. **CVE-2026-56164:** A failure to require authentication for critical functions allows a remote attacker to elevate their privileges within the SharePoint environment.
2. **CVE-2026-55040:** Weaknesses in the authentication mechanism allow an unauthorized network attacker to bypass established security features.
3. **CVE-2026-58644:** A remote code execution (RCE) flaw stemming from the insecure deserialization of untrusted data. An unauthenticated attacker can exploit this over the network to execute arbitrary code on the server.
## Exploitation
- **Status:** **Exploited in the wild.** (CVE-2026-56164 is listed in the CISA KEV catalog).
- **Complexity:** Not specified (assumed Low based on exploit status).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Apply the following security updates (or newer):
- **SharePoint Enterprise Server 2016:** 16.0.5561.1001
- **SharePoint Server 2019:** 16.0.10417.20175
- **SharePoint Server SE:** 16.0.19725.20434
### Workarounds
- **Network Isolation:** Restrict or eliminate direct internet exposure of SharePoint servers.
- **Access Control:** Limit access to SharePoint Central Administration and other management interfaces to trusted internal IPs.
- **Hardening:** Enable Antimalware Scan Interface (AMSI) integration and configure "AMSI Request Body Scan Mode" to **Full Mode**.
## Detection
- **Indicators of Compromise:**
- Unexpected privilege escalation activity.
- Presence of web shells on SharePoint server directories.
- Indicators of machine key theft.
- Unauthorized authentication attempts in IIS logs.
- **Detection Methods:** Monitor for suspicious IIS worker process activity and unusual outbound network connections from the SharePoint host.
## References
- **Vendor Advisory:** [hxxps://msrc.microsoft[.]com/update-guide/vulnerability]
- **Cyber Centre Alerts:**
- [hxxps://www.cyber.gc[.]ca/en/alerts-advisories/al26-017-critical-vulnerabilities-impacting-microsoft-sharepoint-server]
- [hxxps://www.cyber.gc[.]ca/en/alerts-advisories/av26-698]
- **CISA KEV:** [hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-56164]