CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability

CVE-2026-56164

Microsoft SharePoint — Unauthenticated Access Primitive Chained Into IIS Machine Key Theft and Deserialization Attacks

What is Microsoft SharePoint Server?

Microsoft SharePoint Server is an on-premises collaboration and document-management platform widely deployed by enterprises and government agencies for intranets, file sharing, and business process workflows. On-prem SharePoint farms have been a recurring high-value target in recent years — most notably the 2025 "ToolShell" exploitation wave — because a SharePoint server typically holds a large volume of internal documents and sits deeply integrated with an organization's Active Directory and IIS web infrastructure, making it a valuable pivot point once compromised.

Overview

Microsoft SharePoint Server contains a vulnerability where a critical function is missing an authentication check, allowing an unauthenticated attacker to elevate privileges over the network with no user interaction required. While the CVSS base score (5.3) reflects a relatively narrow standalone primitive, threat actors have been observed chaining it with post-exploitation techniques — including theft of IIS machine keys and .NET deserialization abuse — to achieve deeper persistence and deploy malware, a pattern reminiscent of the 2025 ToolShell SharePoint attack chain (though no source has confirmed this is a direct continuation of that campaign).

Affected Versions

Product Vulnerable Fixed
SharePoint Enterprise Server 2016 Prior to July 2026 update July 14, 2026 security update
SharePoint Server 2019 Prior to July 2026 update July 14, 2026 security update
SharePoint Server Subscription Edition Prior to July 2026 update July 14, 2026 security update

Technical Details

  • Root cause: A critical SharePoint function fails to enforce any authentication check before performing a privileged operation (CWE-306: Missing Authentication for Critical Function).
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). CVSS 3.1 base score: 5.3 (Medium) — reflecting limited standalone impact (integrity-only, low), though real-world attacks combine it with additional post-exploitation steps for greater effect.
  • Attack characteristics: The initial access step requires only a single unauthenticated network request; observed follow-on activity includes stealing IIS machine keys (which can be used to forge __VIEWSTATE payloads) and leveraging .NET deserialization techniques to establish persistence and deploy further tooling.
  • Impact: Unauthorized privilege elevation as an initial-access primitive, escalating to broader server compromise, persistence, and malware deployment when chained with post-exploitation techniques observed in the wild.

Discovery

Credited by Microsoft to Jayson Frost (Mandiant Incident Response), Genwei Jiang (Google Cloud/FLARE Open Threat Intelligence), and an additional anonymous researcher. As with the companion AD FS CVE-2026-56155 disclosed the same day, credit to incident-response practitioners suggests this vulnerability was surfaced while investigating live compromises rather than through proactive research.

Exploitation Context

Confirmed exploited in the wild; CISA both added this CVE to the KEV catalog and issued a dedicated alert, "CISA Urges SharePoint Hardening After New Exploitations," on July 14, 2026 — an unusual step reflecting the severity of observed post-exploitation activity. Microsoft's recommended interim mitigation is to enable AMSI (Antimalware Scan Interface) integration for SharePoint and set the Request Body Scan mode to "Full" to help detect malicious payloads before they reach vulnerable code paths. This CVE was one of three zero-days patched in Microsoft's record-setting July 2026 Patch Tuesday.

Remediation

  1. Apply Microsoft's July 14, 2026 security update immediately to all affected on-premises SharePoint farms.
  2. Enable AMSI integration and set Request Body Scan mode to "Full" as an interim mitigation and defense-in-depth measure, per Microsoft's guidance.
  3. Rotate IIS machine keys on affected SharePoint servers, given confirmed post-exploitation activity targeting this material for __VIEWSTATE forgery and deserialization attacks.
  4. Review IIS and SharePoint logs for signs of deserialization exploitation or unexpected __VIEWSTATE-related activity.
  5. Consult CISA's dedicated SharePoint hardening alert for the most current detection guidance and indicators of compromise.
  6. Follow CISA BOD 26-04 guidance and the July 17, 2026 remediation deadline.

Key Details

PropertyValue
CVE ID CVE-2026-56164
Vendor / Product Microsoft — SharePoint Server
NVD Published2026-07-14
NVD Last Modified2026-07-14
CVSS 3.1 Score5.3
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SeverityMEDIUM
CWE CWE-306 find similar ↗
CISA KEV Added2026-07-14
CISA KEV Deadline2026-07-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Required Action

CISA BOD 22-01 Deadline: 2026-07-17. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-07-14Patched as part of Microsoft's July 2026 Patch Tuesday; CISA issues SharePoint hardening alert and adds CVE to KEV same day
2026-07-17CISA BOD 22-01 remediation deadline