SharePoint Vulnerabilities Under Active Exploitation, CISA Urges SharePoint Hardening

Executive Summary

On July 14, 2026, Microsoft disclosed multiple vulnerabilities affecting on-premises SharePoint Server instances as part of their Patch Tuesday security rollup. Among the most critical are CVE-2026-55040, an authentication flaw in SharePoint token validation that allows an unauthenticated remote attacker to forge a valid session and act as any SharePoint user, including administrators, and CVE-2026-58644, a deserialization vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable server.

Although both vulnerabilities were published in the same update cycle, they are independent issues and should not be interpreted as a single exploit chain. Enhancing risk to on-premises SharePoint environments, security researchers at Rapid7 reported a separate remote code execution exploit chain they disclosed to Microsoft remains unpatched with the recent fixes. According to Rapid7, that chain is distinct from CVE-2026-55040's exploitation path and is not expected to be remediated until Microsoft's August 2026 release. As a result, applying July updates may not eliminate all known attack paths affecting on-premises SharePoint Servers.

The disclosure was followed by a warning from CISA regarding ongoing exploitation of vulnerabilities affecting on-premises SharePoint Server. On July 14th, CISA added CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. CISA reported that exploitation of these vulnerabilities can enable unauthorized access, remote code execution, theft of IIS machine keys, persistence, and malware deployment. CISA has not identified CVE-2026-55040 and CVE-2026-58644 as actively exploited at the time of writing, but the precedent of ongoing attacks creates heightened risk for on-premises SharePoint environments.

Beazley Security recommends affected organizations apply the July 2026 SharePoint security updates as soon as possible, verify completion across server farms, enable Microsoft’s Antimalware Scan Interface (AMSI) integration where feasible, and hunt for activity aligned with CISA's published Microsoft detections.

Affected Systems and Products

 Product  Affected Versions  Resolved Versions

 SharePoint Server

 Subscription Edition

 <= 16.0.19725.20384

 16.0.19725.20434

 SharePoint Server 2019

 <= 16.0.10417.20153  16.0.10417.20175
 

 SharePoint Server 2016

 <= 16.0.5556.1005  16.0.5561.1001

Mitigations and Workarounds

Microsoft’s July 2026 updates address CVE-2026-55040 and CVE-2026-58644 across supported on-premises SharePoint Server versions. Organizations should apply the latest SharePoint security updates immediately and verify successful installation. If immediate patching is not possible, risk may be temporarily reduced by implementing the following mitigations for SharePoint servers:

  • Avoid exposing on-premises SharePoint Server directly to the internet. Where internet access is required, place it behind a Layer 7 reverse proxy or equivalent control that requires authentication and can inspect and filter requests.
  • Enable AMSI integration for each SharePoint web application. Use Full Mode for Request Body Scan Mode where feasible. This enables Microsoft Defender to inspect request bodies associated with exploitation attempts.
  • Restrict network access to SharePoint administration planes, and limit activity to systems that require access.
  • Monitor affected SharePoint Servers for signs of exploitation or unusual activity, especially systems that were internet reachable before patching.

Patches

Microsoft released fixes for CVE-2026-55040 and CVE-2026-58644 as part of the July 2026 Patch Tuesday cycle. The fixes cover SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. The specific SharePoint Updates can be accessed on Microsoft’s Learn Portal, or directly from the links below:

 Product  Patch Link

 SharePoint Server

 Subscription Edition

 https://www.microsoft.com/en-us/download/details.aspx?id=108730

 SharePoint Server 2019

 https://www.microsoft.com/en-us/download/details.aspx?id=108726

 SharePoint Server 2016

 https://www.microsoft.com/en-us/download/details.aspx?id=108723

Administrators should apply updates through the official Microsoft Security Response Center advisories and confirm successful installation on each server in the farm. Validation matters as incomplete servicing can leave a multi-server SharePoint farm exposed even while updates are being applied.

Indicators of Compromise (IOCs)

At the time of CISA’s July 14 alert, neither CVE-2026-55040 nor CVE-2026-58644 had been reported as actively exploited by CISA or Microsoft. However, CISA provided the following Microsoft detection signatures associated with related SharePoint exploitation activity that organizations can use to identify indicators of attack:

  • AMSI: Exploit:Script/SuspSignoutReqBody.A - request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts.
  • AMSI: Exploit:Script/ToolPaneAuthBypass.A - request header scanning; SharePoint Server 2016, 2019, and Subscription Edition.
  • AMSI: Exploit:Script/ToolPaneAuthBypass.C - RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition.
  • MDAV: Backdoor:MSIL/LeakFang.A!dha - post-exploitation activity alert involving IIS-protected secrets.

Technical Details

On July 14th, Microsoft disclosed CVE-2026-55040 and CVE-2026-58644, two critical vulnerabilities affecting on-premises SharePoint Server versions 2016, 2019, and Subscription Edition:

  • CVE-2026-55040 is an authentication bypass vulnerability affecting Microsoft SharePoint Server. The flaw stems from issues in SharePoint's JWT token validation pipeline allowing a remote, unauthenticated attacker to bypass the SharePoint authentication process. An attacker who knows a target's Active Directory Security ID or User Principal Name can use the flaw to forge a JWT token for existing users on a SharePoint installation, including a site administrator. According to researchers at Rapid7, the disclosed flaw is the first stage of a two-step chain that can lead to unauthenticated remote code execution. The second vulnerability remains undisclosed and unpatched at the time of writing, with a Microsoft fix expected in August.
  • CVE-2026-58644 is a deserialization-of-untrusted-data vulnerability in SharePoint. Deserialization flaws occur when an application reconstructs objects from attacker-supplied serialized data without properly validating type or origin. If an attacker can direct the deserializer to a class already available to the application, the attacker can trigger unintended code execution and run code in the context of the SharePoint service account.

The same day these vulnerabilities were disclosed, CISA issued an official alert regarding ongoing attacks against internet-exposed SharePoint servers involving active exploitation of three separate vulnerabilities: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. In these cases, CISA reported remote code execution, IIS machine key theft, deserialization techniques, persistence, and malware deployment.

At the time of writing, the newly disclosed critical CVEs above have not been reported as exploited in the wild. However, given the sustained targeting of SharePoint servers and active campaigns reported by CISA, Beazley Security assesses that threat actors are likely to weaponize these flaws in the near future. CISA has also provided SharePoint hardening guidance within their official alert. Organizations should follow hardening guidance, apply Microsoft’s July 2026 SharePoint updates immediately, and prioritize the additional SharePoint update expected in August as soon as it becomes available.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

Aware of an incident impacting your industry? Let us know:

Report an incident