CISA adds SharePoint CVE-2026-56164 to KEV, chained with two prior bugs
CISA added SharePoint auth-bypass CVE-2026-56164 to KEV on July 14 and re-issued a hardening alert citing three chained on-prem SharePoint CVEs under active exploitation. FCEB deadline July 17.
CISA added CVE-2026-56164 to the Known Exploited Vulnerabilities catalog on July 14, 2026, the same day Microsoft shipped the patch as part of the largest Patch Tuesday on record. In parallel, CISA published a hardening alert for on-premises SharePoint that names three actively-exploited SharePoint CVEs now being chained by attackers: CVE-2026-56164 (added to KEV that day), CVE-2026-45659 (added July 1), and CVE-2026-32201 (added April 14). BOD 26-04 puts the federal-civilian remediation deadline for CVE-2026-56164 at July 17, 2026.
What CVE-2026-56164 is
Microsoft's advisory rates the bug CVSS 5.3, Moderate. The classification is CWE-306 — missing authentication for a critical function. An unauthenticated, remote attacker can send a crafted network request that reaches a SharePoint endpoint which should require authentication but does not, and elevate privileges. There is no user interaction, no credential requirement, and the attack complexity is low. The CVSS 5.3 sits low because the direct primitive is a spoofing / privilege-elevation step, not RCE — but per CISA's alert, that step is the front end of a chain that ends in remote code execution and persistence.
Affected products
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Enterprise Server 2016
SharePoint Online (Microsoft 365) is not in scope. Confirm build numbers against the MSRC advisory for CVE-2026-56164, which is the authoritative reference for the July 14 fix packages.
The chain CISA describes
The CISA hardening alert is more specific than a routine KEV entry. It describes an intrusion set that pairs the three CVEs to:
- Land unauthenticated access to on-premises SharePoint via the CVE-2026-56164 auth-bypass primitive.
- Reach remote code execution via one of the two prior CVEs (CVE-2026-45659, a deserialization RCE; CVE-2026-32201, a separate RCE also in KEV).
- Steal IIS machine keys from the SharePoint host, then use them to sign forged
__VIEWSTATEpayloads for post-exploitation deserialization at will. - Deploy persistence and staged malware from that foothold.
The IIS-machine-key theft is the load-bearing detail: once the keys leak, patching CVE-2026-56164 does not evict the attacker. Rotation of the machine keys — not just the SharePoint patch — is required.
Exploitation status
Confirmed by Microsoft's own detection (per MSRC) and by CISA (per the KEV addition and hardening alert). Neither authority has named a threat cluster. Neither has published IOCs, YARA, or Sigma rules as of writing. Reporting from BleepingComputer and SecurityWeek mirrors the CISA framing without adding an independently-observed detection artefact.
Action checklist
- Apply the July 14 SharePoint updates on every on-premises farm. Verify against the MSRC entry for CVE-2026-56164. Federal-civilian agencies must meet the July 17, 2026 BOD 26-04 deadline or discontinue the product.
- Rotate SharePoint IIS machine keys on every previously-exposed farm. Per the CISA alert, the observed chain includes machine-key theft; patching alone does not invalidate keys already exfiltrated. Regenerate
<machineKey>values inweb.configand propagate across the farm. - Enable AMSI integration and set the SharePoint Request Body Scan mode to "Full." Microsoft's advisory documents these as the primary mitigations to reduce the exploitation surface for CVE-2026-56164 alongside the patch — not as a substitute for it.
- Hunt for prior compromise on any on-premises farm that has been internet-reachable since April 14, 2026 (the KEV date for the oldest CVE in the chain). Review IIS logs for anomalous
__VIEWSTATEpayloads, unexpectedPOSTs to/_layouts/,/_vti_bin/, and any process spawned byw3wp.exeother than the expected SharePoint children. Absent published IOCs, deserialization sinks and machine-key-signed payload anomalies are the highest-value telemetry. - Isolate on-premises SharePoint from direct internet exposure wherever the workload allows. On-premises SharePoint has been the target of five KEV additions in eighteen months; reverse-proxy termination with request-body inspection is a defensible interim control on the residual attack surface.
Context
This is the fifth on-premises SharePoint CVE to be added to KEV in eighteen months, and the third this quarter. The recurring shape — an authentication or deserialization primitive in a SharePoint entry point that many enterprises have left directly internet-facing — is now well documented. Every quarter that on-prem SharePoint sits on the public internet is another quarter waiting for the next chain.
What other outlets missed
Coverage across BleepingComputer, SecurityWeek, and The Hacker News leads on the KEV addition and the record Patch Tuesday CVE count. What the CISA alert says — and most of the round-up coverage does not surface — is that patching CVE-2026-56164 alone is insufficient on any farm that was previously exposed: the observed chain includes theft of IIS machine keys, which survive the patch. If you patch and skip the key rotation, the attacker retains the ability to forge signed __VIEWSTATE and re-enter through the deserialization sink at leisure. That is the operationally-relevant detail buried in the CISA text.