The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert following the discovery of new exploitations involving vulnerabilities in SharePoint Server. These vulnerabilities, identified as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, allow cybercriminals to gain unauthorized access to on-premises SharePoint Server instances. Affected versions include the Subscription Edition, 2019, and 2016. The exploits enable remote code execution and various post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and using deserialization techniques to maintain persistence and deploy malware. Organizations are advised to closely monitor their SharePoint Servers for signs of unusual activity or exploitation.

Microsoft has identified additional vulnerabilities that pose a risk if not patched, although they have not yet been exploited. CISA has added the aforementioned vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, with specific dates for each inclusion. Organizations are urged to follow CISA's recommendations to detect and remediate potential compromises. This includes implementing SharePoint Server hardening measures and applying updates as outlined in Microsoft's guidance on exploiting SharePoint vulnerabilities.

CISA emphasizes the importance of immediate action, recommending users and administrators review the relevant alert and apply necessary updates to protect their systems. Any incidents or unusual activities should be reported to CISA through their 24/7 Operations Center. This alert was developed with input from Microsoft and serves as an informational resource without endorsing any specific entities or products.