Microsoft SharePoint Zero-Day CVE-2026-56164 Under Active Attack: On-Prem Farms Face Unauthenticated Privilege Escalation
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 5:04 PM EDT
Microsoft SharePoint Zero-Day CVE-2026-56164 Under Active Attack: On-Prem Farms Face Unauthenticated Privilege Escalation
Microsoft and CISA confirmed active exploitation of CVE-2026-56164 on July 14, 2026, as attackers chain a missing-authentication flaw in on-premises SharePoint Server into remote code execution, IIS machine-key theft, and malware deployment. Patches shipped the same day; SharePoint Online is not affected.
Enterprise defenders running self-hosted SharePoint Server must treat CVE-2026-56164 as an immediate incident-response and patching priority. The vulnerability is a missing authentication for a critical function (CWE-306) that lets an unauthorized network attacker elevate privileges with no credentials and no user interaction. Microsoft rates it Moderate with a CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N); the National Vulnerability Database scores the same issue 9.8 Critical. In the wild, operators close that gap by chaining the elevation-of-privilege step with other SharePoint flaws to achieve remote code execution, steal Internet Information Services machine keys, establish persistence through deserialization, and deploy backdoors detected as LeakFang.
The flaw was unknown to most defenders until exploitation was already under way. Core collaboration infrastructure, zero-day status, and internet-reachable farms make delayed response unusually costly.
Technical breakdown: missing authentication, chained to RCE
CVE-2026-56164 is an elevation-of-privilege bug, not a pure remote-code-execution CVE on its own. Official descriptions state that missing authentication for a critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.
Defenders should not treat the “Moderate” label as a deprioritization signal. Observed campaigns use the privilege foothold as a link in a longer chain with CVE-2026-32201 (improper input validation / spoofing, CISA KEV April 14, 2026) and CVE-2026-45659 (deserialization leading to authorized code execution, KEV July 1, 2026). Together they enable unauthorized access, machine-key harvesting, persistence, and malware staging on servers that often hold contracts, credentials, and sensitive documents.
Detection names published by CISA strongly point at ToolPane-oriented request handling—Exploit:Script/ToolPaneAuthBypass.A, ToolPaneAuthBypass.C, and SuspSignoutReqBody.A—with post-exploitation tied to Backdoor:MSIL/LeakFang.A!dha. Exact public exploit write-ups of the precise endpoint remain limited; operational response should follow the CWE, the AMSI names, and the post-exploitation pattern rather than waiting for full reverse-engineering blogs.
B
Chain: spoofing / deserialization CVEs
RCE on SharePoint host
Steal IIS machine keys
Persistence + LeakFang-class malware
Unauth network access] --> B[CVE-2026-56164 EoP
Exploitation timeline and attribution signals
Public anchors cluster on July 14, 2026: Microsoft Patch Tuesday disclosure and fixes, NVD publication, and CISA’s addition of CVE-2026-56164 to the Known Exploited Vulnerabilities catalog with a July 17, 2026 remediation due date for federal compliance contexts. Microsoft confirmed exploitation in the wild concurrent with the release, establishing zero-day status.
Discovery credit went to Mandiant incident responders and Google’s FLARE team—patterns consistent with discovery inside live attacks rather than pure white-box research. No widely published named advanced persistent threat or ransomware brand has been firmly tied to this specific CVE in official alerts; government and vendor language refers to cyber threat actors chaining flaws, stealing IIS machine keys, and deploying malware.
The KEV sequence itself is operationally important. CVE-2026-32201 in April, CVE-2026-45659 in early July, and CVE-2026-56164 on July 14 frame on-premises SharePoint as a sustained target set through the first half of 2026. Farms that only patch without historical hunting risk leaving rotated keys and cleaned hosts still under attacker control if harvesters remain.
SharePoint Online / Microsoft 365 hosted SharePoint is not in scope.
Risk concentrates on internet-facing farms—partner portals, extranets, and long-lived project collaboration sites. A second clock landed on the same day as the patch: SharePoint Server 2016 and 2019 reached end of extended support on July 14, 2026. Residual estates lack a highlighted paid extended security update path in current public guidance. Subscription Edition remains the supported on-premises track.
Servicing is a common failure mode. SharePoint security updates follow SharePoint’s own process. Installing the Windows cumulative update alone does not remediate the farm. Administrators must confirm SharePoint-specific packages and validate post-update build numbers against the thresholds above.
Business impact follows the data SharePoint holds. Successful chaining can yield document theft, long-lived persistence via machine keys and deserialization, and staging for ransomware against systems many organizations still treat as “intranet only” even when externally reachable.
Official guidance
Microsoft’s primary fix is the July 14, 2026 SharePoint security update for each supported version. CISA urges organizations to apply those updates, verify successful installation, enable AMSI integration for each SharePoint web application with Request Body Scan Mode set to Full where feasible, and treat AMSI as mitigation and detection—not a full substitute for the security update.
Hunt across historical telemetry, not only post-patch alerts, for anomalous SharePoint/IIS requests (especially ToolPane-related traffic and suspicious POST bodies), worker-process anomalies, web shells, machine-key access or harvesting, and new accounts or configuration changes that pre-date July 14.
Actionable recommendations
Immediate (hours)
Inventory every on-premises SharePoint farm, including forgotten project and partner portals, and record internet exposure and build numbers.
Apply the SharePoint-specific July 2026 security updates; verify builds meet or exceed the fixed thresholds in the table above.
Confirm AMSI Full Mode per web application and current Microsoft Defender signatures; search historical logs and EDR for ToolPaneAuthBypass, SuspSignoutReqBody, LeakFang, webshells, and machine-key access.
Same day to 48 hours
4. If compromise is suspected, hunt and remove artifacts first, then rotate IIS machine keys and follow improved ASP.NET view-state and key-management guidance. Rotating keys before cleaning harvesters can simply hand attackers the new material.
5. Remove direct internet exposure where possible. If external access is required, place SharePoint behind a Layer 7 reverse proxy that enforces authentication and inspects requests. Block external access to Central Administration and restrict farm and database communications to required systems.
This week
6. Plan migration off end-of-support 2016/2019 estates to Subscription Edition or managed alternatives; segment SharePoint, SQL, and management planes; mature event logging; tabletop a key-theft scenario so patch day is not the first time the team practices “patch does not equal clean.”
Priority
Action
Success criterion
P0
Inventory + SharePoint-specific patch
Builds ≥ fixed thresholds on all farms
P0
AMSI Full Mode + current MDAV
Detections active per web app
P0
Historical hunt
No unexplained ToolPane / LeakFang / webshell hits
P1
IR then key rotation if needed
Artifacts removed before new keys
P1
Reduce internet exposure
Auth-enforcing L7 control or no direct exposure
P2
EOS migration + segmentation
2016/2019 exit plan and isolated farm/SQL
Key takeaways
CVE-2026-56164 is a confirmed in-the-wild zero-day against on-premises SharePoint Server 2016, 2019, and Subscription Edition. Officially it is an unauthenticated network elevation of privilege via missing authentication; practically it is being chained toward remote code execution, IIS machine-key theft, and LeakFang-class post-exploitation. Patches are available as of July 14, 2026; CISA listed the CVE in KEV the same day with a short federal remediation window through July 17. SharePoint Online is out of scope. End of extended support for 2016 and 2019 on the same calendar day multiplies risk for residual farms.
If you run on-premises SharePoint, confirm build numbers at or above the fixed thresholds, AMSI Full Mode, and whether ToolPaneAuthBypass, SuspSignoutReqBody, LeakFang, or machine-key abuse already appear in historical telemetry. Patching alone is not proof of cleanliness—hunt first, then harden.