CISA added three Microsoft SharePoint Server vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming that attackers are chaining them to bypass authentication, run arbitrary code, and steal IIS machine keys for persistent access. A 48-hour federal remediation deadline applies to CVE-2026-56164, a new flaw disclosed in the July Patch Tuesday release just one day before CISA’s announcement.
Three-CVE Chain Targeting SharePoint Authentication and Code Execution
Three distinct SharePoint Server vulnerabilities — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — are being combined in active attacks against enterprise and government environments. CISA added all three to its KEV catalog on July 15, confirming that each plays a role in exploitation that is occurring in the wild rather than remaining theoretical. The attack proceeds in three stages: authentication bypass, remote code execution, and post-exploitation theft of cryptographic material designed to maintain access even after the initial incident is remediated.
Federal civilian executive branch agencies face a July 17 deadline to patch CVE-2026-56164 under Binding Operational Directive 26-04. That CVE arrived as a new Patch Tuesday disclosure and was placed on the KEV catalog within 24 hours — an indicator of how quickly confirmed exploitation followed its public disclosure.
CVE-2026-32201 Authentication Bypass Opens the Initial Foothold
CVE-2026-32201 is an authentication bypass flaw in SharePoint Server that allows an attacker with network access to connect to SharePoint without presenting valid credentials. It is the entry point for the three-CVE chain: an attacker with no prior account on the target environment can use CVE-2026-32201 to gain an authenticated session and then proceed to the code execution stage.
From that initial authenticated position, attackers have two independent paths to remote code execution. CVE-2026-45659, which CISA had added to the KEV catalog earlier in July, enables code execution from an authenticated session. CVE-2026-56164, disclosed in the July Patch Tuesday release, provides a second independent RCE path. The presence of two functional RCE options after the authentication bypass stage means defenders cannot neutralize the code execution risk by patching only one of the two CVEs — both must be addressed.
IIS Machine Key Theft After the RCE Stage Produces Durable Persistence
Post-exploitation activity documented in CISA’s advisory includes theft of Internet Information Services machine keys from compromised SharePoint servers. IIS machine keys are the cryptographic material that ASP.NET uses to sign and protect authentication cookies and other server-side operations. An attacker who obtains the machine key for a SharePoint server does not need continued access to the server itself: forged authentication tokens constructed with the stolen key can produce valid sessions for any user on the platform indefinitely.
This persistence mechanism is particularly difficult to remediate. Resetting user passwords, revoking active sessions, and rotating service account credentials do not eliminate machine key theft as an access vector. Replacing machine keys requires taking the web server offline and regenerating them — a process that must be coordinated across all servers in a SharePoint farm that share the same key material. Organizations that have been compromised through this chain must treat machine key replacement as a mandatory remediation step, not an optional hardening measure.
Exposure Scale and Federal Agencies’ July 17 Deadline
Shadowserver tracks nearly 10,000 internet-exposed Microsoft SharePoint servers globally. More than 800 of those remained unpatched against CVE-2026-32201 and CVE-2026-45659 at the time of CISA’s announcement — devices exposed to the authentication bypass that initiates the full attack chain without any credential barrier from the attacker’s side. The unpatched population for CVE-2026-56164 is likely significantly larger given that the advisory followed the Patch Tuesday disclosure by a single day, leaving minimal time for organizations to apply the patch before CISA confirmed active exploitation.
Federal civilian agencies face a July 17 remediation deadline for CVE-2026-56164 under BOD 26-04. For CVE-2026-32201 and CVE-2026-45659, where the exploitation deadline predates this advisory cycle, agencies should treat the confirmed three-CVE chain as grounds for immediate patching regardless of prior compliance timelines for those older CVEs.
SharePoint is deployed as the primary document management and collaboration platform across the majority of large enterprise and government environments, giving successful exploitation broad access to sensitive organizational content. Two additional SharePoint vulnerabilities — CVE-2026-55040 and CVE-2026-58644 — were also patched in the July Patch Tuesday release, though CISA had not confirmed active exploitation of either at time of publication. Security teams should include both in the same patching cycle to reduce overall SharePoint attack surface.
