Vulnerability Notification – Microsoft SharePoint Server Actively Exploited
Created: Tuesday, July 14, 2026 - 17:45
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using on-premises Microsoft SharePoint Server (Subscription Edition, 2019, or 2016). Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.
Summary: CISA has issued an alert warning of active exploitation of three vulnerabilities affecting on-premises Microsoft SharePoint Server. Tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, the vulnerabilities enable cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. The vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve remote code execution (RCE) and post-exploitation activities (stealing Internet Information Services (IIS) machine keys and performing deserialization techniques) to gain persistence and deploy malware.
Additionally, CISA notes two newly disclosed vulnerabilities, CVE-2026-55040 and CVE-2026-58644, that are not yet known to have been exploited but that Microsoft has identified as posing a potential risk if left unpatched.
Analyst Note: This activity is particularly concerning for utilities because SharePoint servers frequently store internal documentation and business records and are integrated with enterprise identity and authentication infrastructure. The theft of IIS machine keys could allow attackers to maintain persistent access to compromised environments even after initial remediation, potentially enabling malware deployment and further movement within trusted networks.
WaterISAC strongly encourages members to review CISA’s alert, monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity, and implement CISA’s recommended actions. Additionally, CISA’s earlier alert, UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities, contains applicable recommendations and mitigation guidance pertaining to SharePoint vulnerabilities.
Additional Reading
Important Note: WaterISAC shares important vulnerabilities in its Weekly Vulnerabilities to Prioritize piece in each issue of its weekly SRU newsletter. Two of the three actively exploited vulnerabilities mentioned in this advisory have been previously disclosed to members in these updates. WaterISAC encourages members to regularly review the Weekly Vulnerabilities to Prioritize updates and take special note of the vulnerabilities mentioned.
