```html ``` CISA Says Three SharePoint Flaws Are Being Chained Right Now. We Wrote the Hunt for One of Them in May.
top of page

CISA Says Three SharePoint Flaws Are Being Chained Right Now. We Wrote the Hunt for One of Them in May.

  • Writer: Patrick Duggan
    Patrick Duggan
  • a few seconds ago
  • 4 min read

On July 14, CISA did two things about Microsoft SharePoint on the same day. It added CVE-2026-56164 to the Known Exploited Vulnerabilities catalog, and it published a hardening advisory warning that on-premises SharePoint Server is under active attack. The advisory is the more important of the two, because it names not one flaw but three, and it says they are being used together.


The three are CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. CISA added them to KEV on three different dates — April 14, July 1, and July 14. That staggered timeline is the tell. This is not one disclosure that everyone piled onto. It is a campaign that has been evolving against the same product for three months, picking up a new flaw each time the last one got harder to use.


We have a receipt on the first one.



What We Said in May, and When


CVE-2026-32201 is the oldest of the three. Microsoft patched it in the April 8 Patch Tuesday. On May 6 — while more than 1,300 internet-exposed SharePoint servers were still unpatched on the box — we published a hunt for it, with the KQL a defender could run that night to find exploitation on their own estate. We named the two specific layout paths a public proof-of-concept had identified as the attack vectors. We came back to it on June 2 when Microsoft escalated its own warning.


That was six to ten weeks before July 14, when CISA folded that same CVE into a three-flaw "patch now and hunt for breaches" advisory. The bug did not change in those weeks. The exploit did not change. The only thing that changed was how many people were treating it as urgent.


We will be honest about the other two. We did not have CVE-2026-45659 or CVE-2026-56164 pre-staged. Those are Microsoft's July disclosures, and on those we are exactly as current as everyone else reading the advisory this week — no earlier. A ledger that only ever shows the win is a marketing document. The win here is CVE-2026-32201, and it is a real one. The other two we caught on the same wall as the field.



What [CVE-2026-56164](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-56164) Actually Does


The new one is a missing-authentication-for-critical-function flaw. In plain terms: a function that should have required you to prove who you are does not. CISA's description is that it lets an unauthenticated attacker elevate privileges over the network. No credentials, no phishing, no foothold required to start — the check that was supposed to be there is simply absent.


That is a different and nastier class than the deserialization RCE most SharePoint headlines have trained you to expect. Deserialization bugs are powerful but fiddly. A missing auth check is a door that was never locked. When CISA says these three are being chained, this is the kind of primitive that opens the sequence — get in with the missing-auth flaw, then reach for the RCE and the post-exploitation.


And the post-exploitation is the part that should keep a SharePoint admin up tonight. CISA's advisory describes attackers stealing IIS machine keys and using deserialization to gain persistence and deploy malware. Stealing the machine keys is the move that matters, because those keys let an attacker forge authentication tokens that survive a patch. You can close the hole they came in through and they are still inside, holding a key you handed them. Patching is necessary and it is not sufficient. If you were exposed, you hunt.



Why the Staggered Timeline Is the Real Story


Three flaws, three KEV dates, one product, one campaign. Read that as an attacker's roadmap, not a coincidence. Someone has decided on-premises SharePoint is worth sustained investment, and they are refreshing their toolkit as each vulnerability gets patched out from under them. That is what a durable operation looks like — not a smash-and-grab on a single CVE, but a standing capability against a platform.


The defensive lesson is the one we keep coming back to. CVSS score is the wrong sort order. CISA said it plainly this week: prioritize your internet-facing SharePoint and your AD FS infrastructure over working down a list by severity number. A CVSS 6.1 missing-auth flaw on a server the whole internet can reach beats a CVSS 9.8 on a box behind three firewalls. Exposure and reachability decide urgency. The number in the bulletin does not.



What To Do Tonight


Patch all three CVEs on every on-premises SharePoint Server you run — Subscription Edition, 2019, and 2016 are all in scope. Then, because patching does not evict an attacker who already lifted your machine keys, rotate those keys and hunt for the post-exploitation. Look for unexpected deserialization activity, new or modified IIS handlers, and outbound connections from the SharePoint host you cannot explain. The May 6 KQL we published for CVE-2026-32201 is a starting point for the hunt on that flaw specifically.


If you run our feed, the indicators tied to this campaign flow to your blocklist the same way everything else does. The feed is the fast half of the job. The hunt on your own estate is the half only you can do.


We caught one of these three in May. We are telling you about the other two on the same day the field learned them. That is the honest scorecard, and the honest scorecard is the one worth keeping.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page