CISA Issues Urgent Warning: Hackers Actively Exploiting Critical SharePoint Flaws

Context mode is active. Hover over any highlighted term to see its definition. Click a nested term to go deeper.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning this week, highlighting that several serious vulnerabilities in Microsoft SharePoint Server are being actively exploited by hackers. This isn't just a heads-up; it's an urgent call for organizations, especially those with internet-facing SharePoint systems, to act fast. Attackers are using these flaws to gain deep access, steal important data, and deploy malicious software. At the heart of CISA alert are specific vulnerabilities, including CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and the newly confirmed actively exploited CVE-2026-58644, which carries a critical severity score of 9.8. These flaws enable everything from bypassing login screens to taking full control of a server and stealing sensitive 'Internet Information Services (IIS) machine keys.' The ongoing exploitation means that even with Microsoft's record-breaking July 2026 Patch Tuesday, some risks, like those from chained exploits involving CVE-2026-55040, won't be fully resolved until August. Organizations need to treat this as an emergency. CISA has given federal agencies until July 19 to patch the most critical of these flaws under its Binding Operational Directive (BOD) 26-04. Beyond patching, administrators must enable Microsoft's Antimalware Scan Interface (AMSI) for SharePoint, rotate IIS machine keys, and actively hunt for any signs of intrusion. Failure to address these exploited vulnerabilities quickly could lead to significant data breaches and broader network compromises, making SharePoint an open door to entire enterprise systems.