FORSMILE
JA
セキュリティ2026/07/17

[URGENT] Microsoft SharePoint Server CVE-2026-56164: Apply Security Patches — Risk of Unauthenticated Privilege Escalation, Exploitation Confirmed

SharePoint Server vulnerable to authentication bypass via CVE-2026-56164. The immediate solution for this high-severity vulnerability, warned by CISA, is to update to the patched version.

Back to Blog

A critical vulnerability (CVE-2026-56164) has been discovered in Microsoft SharePoint Server, allowing remote privilege escalation without authentication. CISA (U.S. Cybersecurity and Infrastructure Security Agency) has added it to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to take immediate action. This vulnerability has already been confirmed to be actively exploited in attacks, making prompt application of the patched version essential.

Immediate Actions to Take

  • Immediately apply the monthly security update released by Microsoft on July 14, 2026, to all SharePoint Server instances.
  • Prioritize patching for SharePoint Servers exposed to the internet.
  • Regardless of patch application, enable AMSI (Antimalware Scan Interface) in 'Full Mode' on all SharePoint servers to enhance exploitation detection capabilities.
  • If Microsoft Active Directory Federation Services (AD FS) is used, also apply the patch corresponding to CVE-2026-56155.

Vulnerability Overview and Scope of Impact

CVE-2026-56164 is an authentication bypass vulnerability (CWE-306) affecting on-premises versions of Microsoft SharePoint Server (SharePoint Server 2016, 2019, and Subscription Edition). Attackers can remotely escalate privileges over the network without requiring authentication or user interaction.

This vulnerability has a maximum CVSS score of 9.8 (Critical) as assessed by NVD (National Vulnerability Database). CISA has confirmed that this vulnerability is already being actively exploited in attacks and has instructed federal agencies to apply the patches by July 19, 2026.

Furthermore, another remote code execution (RCE) vulnerability (CVE-2026-58644, CVSS 9.8) in SharePoint Server has been reported, which is also confirmed to be exploited. This vulnerability stems from deserialization of untrusted data, potentially allowing attackers with credentials higher than a site owner to execute arbitrary code on the SharePoint Server. CISA warns that these vulnerabilities are being used for IIS machine key theft and malware deployment.

⚠ CVE Score — 最高危険度 / CRITICAL
9.8CRITICALCVE-2026-56164

Specific Impacts and Attack Scenarios

Attackers can exploit CVE-2026-56164 to gain unauthenticated remote access to SharePoint Server and escalate privileges. Furthermore, by combining this with previously reported older SharePoint vulnerabilities, they could steal IIS (Internet Information Services) machine keys, establish persistent access to compromised servers, and remotely deploy malware.

This could lead to the leakage of corporate confidential information, complete system control, and result in large-scale service outages or data destruction. Indeed, there are reports of multiple attack groups exploiting these vulnerabilities in the financial, healthcare, government, and energy sectors.

Response Procedures and Verification Methods

After applying Microsoft's security updates, verify that the system has been correctly updated. In addition to checking Windows Update history, list installed updates using PowerShell commands or similar methods to confirm that the patch with the corresponding KB number has been applied. For enabling AMSI Full Mode, refer to Microsoft's official documentation and ensure the settings have taken effect.

📦
Amazon で関連書籍・ツールを検索
cybersecurity server security tools
Amazonで探す →(アソシエイトリンク)

References and Official Patch Information

Related articles