A critical vulnerability (CVE-2026-56164) has been discovered in Microsoft SharePoint Server, allowing remote privilege escalation without authentication. CISA (U.S. Cybersecurity and Infrastructure Security Agency) has added it to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to take immediate action. This vulnerability has already been confirmed to be actively exploited in attacks, making prompt application of the patched version essential.
Immediate Actions to Take
- ✓Immediately apply the monthly security update released by Microsoft on July 14, 2026, to all SharePoint Server instances.
- ✓Prioritize patching for SharePoint Servers exposed to the internet.
- ✓Regardless of patch application, enable AMSI (Antimalware Scan Interface) in 'Full Mode' on all SharePoint servers to enhance exploitation detection capabilities.
- ✓If Microsoft Active Directory Federation Services (AD FS) is used, also apply the patch corresponding to CVE-2026-56155.
Vulnerability Overview and Scope of Impact
CVE-2026-56164 is an authentication bypass vulnerability (CWE-306) affecting on-premises versions of Microsoft SharePoint Server (SharePoint Server 2016, 2019, and Subscription Edition). Attackers can remotely escalate privileges over the network without requiring authentication or user interaction.
This vulnerability has a maximum CVSS score of 9.8 (Critical) as assessed by NVD (National Vulnerability Database). CISA has confirmed that this vulnerability is already being actively exploited in attacks and has instructed federal agencies to apply the patches by July 19, 2026.
Furthermore, another remote code execution (RCE) vulnerability (CVE-2026-58644, CVSS 9.8) in SharePoint Server has been reported, which is also confirmed to be exploited. This vulnerability stems from deserialization of untrusted data, potentially allowing attackers with credentials higher than a site owner to execute arbitrary code on the SharePoint Server. CISA warns that these vulnerabilities are being used for IIS machine key theft and malware deployment.
Specific Impacts and Attack Scenarios
Attackers can exploit CVE-2026-56164 to gain unauthenticated remote access to SharePoint Server and escalate privileges. Furthermore, by combining this with previously reported older SharePoint vulnerabilities, they could steal IIS (Internet Information Services) machine keys, establish persistent access to compromised servers, and remotely deploy malware.
This could lead to the leakage of corporate confidential information, complete system control, and result in large-scale service outages or data destruction. Indeed, there are reports of multiple attack groups exploiting these vulnerabilities in the financial, healthcare, government, and energy sectors.
Response Procedures and Verification Methods
After applying Microsoft's security updates, verify that the system has been correctly updated. In addition to checking Windows Update history, list installed updates using PowerShell commands or similar methods to confirm that the patch with the corresponding KB number has been applied. For enabling AMSI Full Mode, refer to Microsoft's official documentation and ensure the settings have taken effect.
📦References and Official Patch Information
- Microsoft Security Update Guide - July 2026↗
- NVD - CVE-2026-56164 Detail↗
- NVD - CVE-2026-58644 Detail↗
- NVD - CVE-2026-56155 Detail↗
- CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV↗
- JPCERT/CC - Advisory on Microsoft Security Updates for July 2026↗
- Mado no Mori - Microsoft's July 2026 Monthly Update: 622 Vulnerabilities, Roughly 3 Times the Previous Record, with 62 Critical↗
