What is Microsoft SharePoint Server?
Microsoft SharePoint Server is an on-premises collaboration and document-management platform widely deployed by enterprises and government agencies for intranets, file sharing, and business process workflows. On-prem SharePoint farms have been a recurring high-value target in recent years — most notably the 2025 "ToolShell" exploitation wave — because a SharePoint server typically holds a large volume of internal documents and sits deeply integrated with an organization's Active Directory and IIS web infrastructure, making it a valuable pivot point once compromised.
Overview
Microsoft SharePoint Server contains a vulnerability where a critical function is missing an authentication check, allowing an unauthenticated attacker to elevate privileges over the network with no user interaction required. While the CVSS base score (5.3) reflects a relatively narrow standalone primitive, threat actors have been observed chaining it with post-exploitation techniques — including theft of IIS machine keys and .NET deserialization abuse — to achieve deeper persistence and deploy malware, a pattern reminiscent of the 2025 ToolShell SharePoint attack chain (though no source has confirmed this is a direct continuation of that campaign).
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| SharePoint Enterprise Server 2016 | Prior to July 2026 update | July 14, 2026 security update |
| SharePoint Server 2019 | Prior to July 2026 update | July 14, 2026 security update |
| SharePoint Server Subscription Edition | Prior to July 2026 update | July 14, 2026 security update |
Technical Details
- Root cause: A critical SharePoint function fails to enforce any authentication check before performing a privileged operation (CWE-306: Missing Authentication for Critical Function).
- Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N). CVSS 3.1 base score: 5.3 (Medium) — reflecting limited standalone impact (integrity-only, low), though real-world attacks combine it with additional post-exploitation steps for greater effect. - Attack characteristics: The initial access step requires only a single unauthenticated network request; observed follow-on activity includes stealing IIS machine keys (which can be used to forge
__VIEWSTATEpayloads) and leveraging .NET deserialization techniques to establish persistence and deploy further tooling. - Impact: Unauthorized privilege elevation as an initial-access primitive, escalating to broader server compromise, persistence, and malware deployment when chained with post-exploitation techniques observed in the wild.
Discovery
Credited by Microsoft to Jayson Frost (Mandiant Incident Response), Genwei Jiang (Google Cloud/FLARE Open Threat Intelligence), and an additional anonymous researcher. As with the companion AD FS CVE-2026-56155 disclosed the same day, credit to incident-response practitioners suggests this vulnerability was surfaced while investigating live compromises rather than through proactive research.
Exploitation Context
Confirmed exploited in the wild; CISA both added this CVE to the KEV catalog and issued a dedicated alert, "CISA Urges SharePoint Hardening After New Exploitations," on July 14, 2026 — an unusual step reflecting the severity of observed post-exploitation activity. Microsoft's recommended interim mitigation is to enable AMSI (Antimalware Scan Interface) integration for SharePoint and set the Request Body Scan mode to "Full" to help detect malicious payloads before they reach vulnerable code paths. This CVE was one of three zero-days patched in Microsoft's record-setting July 2026 Patch Tuesday.
Remediation
- Apply Microsoft's July 14, 2026 security update immediately to all affected on-premises SharePoint farms.
- Enable AMSI integration and set Request Body Scan mode to "Full" as an interim mitigation and defense-in-depth measure, per Microsoft's guidance.
- Rotate IIS machine keys on affected SharePoint servers, given confirmed post-exploitation activity targeting this material for
__VIEWSTATEforgery and deserialization attacks. - Review IIS and SharePoint logs for signs of deserialization exploitation or unexpected
__VIEWSTATE-related activity. - Consult CISA's dedicated SharePoint hardening alert for the most current detection guidance and indicators of compromise.
- Follow CISA BOD 26-04 guidance and the July 17, 2026 remediation deadline.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-56164 |
| Vendor / Product | Microsoft — SharePoint Server |
| NVD Published | 2026-07-14 |
| NVD Last Modified | 2026-07-14 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-306 find similar ↗ |
| CISA KEV Added | 2026-07-14 |
| CISA KEV Deadline | 2026-07-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-14 | Patched as part of Microsoft's July 2026 Patch Tuesday; CISA issues SharePoint hardening alert and adds CVE to KEV same day |
| 2026-07-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-56164 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft MSRC — CVE-2026-56164 | Vendor Advisory |
| CISA Alert — CISA Urges SharePoint Hardening After New Exploitations | US Government |
| Help Net Security — Microsoft Patch Tuesday: SharePoint CVE-2026-56164 | News |
| Zero Day Initiative — The July 2026 Security Update Review | Security Research |