CISA Urges SharePoint Hardening to Prevent Exploits
Active Exploitation of Critical SharePoint Vulnerabilities
The United States Cybersecurity and Infrastructure Security Agency issued an urgent warning. Indeed, this warning concerns active exploits targeting on-premises Microsoft SharePoint servers. Currently, malicious actors leverage three distinct security vulnerabilities. Specifically, these critical flaws allow attackers to completely bypass authentication checks. Furthermore, they can infiltrate corporate networks and deploy malicious payloads.
Consequently, all supported on-premises versions of SharePoint Server remain highly vulnerable. Indeed, this threat impacts the modern Subscription Edition alongside legacy 2019 and 2016 servers. Specifically, the ongoing cyberattacks exploit CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. Ultimately, upon gaining access, intruders can remotely execute arbitrary code. Moreover, they can harvest protected Internet Information Services keys. Therefore, this enables them to deploy malware on compromised hosts.
Global Exposure Metrics
According to the latest telemetry from the Shadowserver Foundation, nearly 10,000 SharePoint servers are exposed online. In fact, over 800 of these instances lack essential patches. However, the number of systems vulnerable to the critical CVE-2026-56164 exploit remains unconfirmed. Furthermore, these statistics may include decoy honeypots designed to monitor threat actors.
Crucial Remediation and Hardening Guidelines
Hardening Web Applications and IIS Keys
Consequently, system administrators must immediately enable the Antimalware Scan Interface. Specifically, where feasible, they should configure request body analysis to Full mode. Fortunately, AMSI and Windows Defender successfully block these cyberattacks. However, defenders must purge all traces of intrusion before rotating cryptographic keys. Otherwise, active harvesting tools can easily capture the new secrets.
Best Practices for Network Separation
Additionally, Microsoft advises separating SharePoint servers based on infrastructure roles. Specifically, administrators should expose only essential services and ports. Moreover, they must completely restrict external access to Central Administration. For comprehensive security architecture, Microsoft details these steps in their official SharePoint security hardening guidelines.
Ideally, organizations should never expose these database servers directly to the internet. Instead, placing them behind a reverse proxy is essential if external access is mandatory. Specifically, within the Web.config file, administrators should disable verbose technical details. Furthermore, they should restrict authorized components and enforce strict upload limits. Finally, technicians must never disable SharePoint system services without verifying their purpose. Organizations must immediately review the alert as CISA urges SharePoint hardening to mitigate incoming attacks.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.