Full Report
Three bugs are under active attack, and two more critical holes could add to the pain
Analysis Summary
Based on the technical report provided, here is the summary of the SharePoint vulnerabilities currently under active exploitation and federal alert.
---
# Vulnerability: Critical SharePoint RCE and Post-Exploitation Chain
## CVE Details
*Note: This report covers a cluster of five vulnerabilities identified by CISA.*
**Actively Exploited:**
- **CVE ID:** CVE-2026-45659 | **CVSS Score:** 8.8 (High) | **Type:** Remote Code Execution
- **CVE ID:** CVE-2026-32201 | **CVSS Score:** 6.5 (Medium) | **Type:** Spoofing
- **CVE ID:** CVE-2026-56164 | **CVSS Score:** 5.3 (Medium) | **Type:** Privilege Escalation
**High-Risk (Exploitation More Likely):**
- **CVE ID:** CVE-2026-58644 | **CVSS Score:** 9.8 (Critical) | **Type:** Unspecified RCE
- **CVE ID:** CVE-2026-55040 | **CVSS Score:** 9.1 (Critical) | **Type:** Unspecified RCE
## Affected Systems
- **Products:** Microsoft SharePoint Server
- **Versions:** All supported on-premises versions.
- **Configurations:** Systems where Antimalware Scan Interface (AMSI) is disabled or where Internet Information Services (IIS) machine keys are standard/unrotated.
## Vulnerability Description
The primary threat involves a chain of vulnerabilities used for post-exploitation persistence. Attackers are leveraging RCE (CVE-2026-45659) and spoofing bugs to gain initial access. Once inside, they utilize **deserialization techniques** and the **theft of IIS machine keys**. By obtaining these keys, threat agents can forge authentication cookies, maintain long-term persistence, and deploy secondary malware payloads or ransomware (specifically referenced: Warlock ransomware).
## Exploitation
- **Status:** **Exploited in the wild** (CVE-2026-45659, CVE-2026-32201, CVE-2026-56164).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network.
- **Attribution:** Historically linked to Chinese nation-state actors (ToolShell vulnerabilities).
## Impact
- **Confidentiality:** High (Theft of sensitive data and machine keys).
- **Integrity:** High (Modification of system files and deployment of ransomware).
- **Availability:** High (Potential for full system lockout via ransomware).
## Remediation
### Patches
- Apply the latest **Microsoft Security Updates** (July 2026 and prior).
- Ensure all SharePoint servers are updated to the latest cumulative update (CU) for their respective versions.
### Workarounds
- **Disable External Access:** Block external internet access to **SharePoint Central Administration**.
- **Network Segmentation:** Avoid exposing SharePoint to the web unless strictly necessary.
- **Rotate Keys:** Rotate IIS machine keys *after* verifying the environment is clean.
## Detection
- **AMSI Integration:** Verify that **Antimalware Scan Interface (AMSI)** integration is enabled for every SharePoint web application.
- **Log Analysis:** Implement tailored logging to detect deserialization attempts and unauthorized access to IIS configuration files.
- **Threat Hunting:** Search for indicators of compromise (IoCs) related to machine key theft and unauthorized privilege escalation before applying patches, as attackers may already have persistence.
## References
- CISA Alert (July 2026): hxxps[://]www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
- Microsoft Security Blog: hxxps[://]www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- CISA Hardening Guidance: hxxps[://]www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
---