Microsoft SharePoint Server contains a missing-authentication flaw (CWE-306) that lets an unauthorized attacker elevate privileges over the network, and CISA has confirmed it is being actively exploited.
What Is It
CVE-2026-56164 is a "missing authentication for critical function" vulnerability in Microsoft Office SharePoint. Per the NVD description, it "allows an unauthorized attacker to elevate privileges over a network." The flaw is network-reachable, requires no privileges, and needs no user interaction (attack vector: network; attack complexity: low; PR:None; UI:None).
The record carries two divergent scores. Microsoft's secondary CVSS 3.1 rating is 5.3 (MEDIUM), reflecting low integrity impact only. The NVD primary rating is 9.8 (CRITICAL), reflecting high confidentiality, integrity, and availability impact. CISA's SSVC assessment marks exploitation as "active," automatable as "yes," and technical impact as "partial."
Why It Matters
CISA added CVE-2026-56164 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-07-14, confirming active exploitation in the wild. Because the vulnerability is unauthenticated, network-accessible, and, per SSVC, automatable, it is well suited to opportunistic, at-scale attacks against internet-exposed SharePoint deployments. Known ransomware campaign use is currently listed as "Unknown."
What's Vulnerable
The following on-premises products (x64-based systems) are affected:
- Microsoft SharePoint Enterprise Server 2016: versions below 16.0.5561.1001
- Microsoft SharePoint Server 2019: versions below 16.0.10417.20175
- Microsoft SharePoint Server Subscription Edition: versions below 16.0.19725.20434
Patch Status
CISA's required action: apply mitigations per Microsoft's instructions in line with BOD 26-04 (Prioritizing Security Updates Based on Risk) and CISA's "Forensics Triage Requirements." Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and adhere to BOD 26-04 patching guidelines. The remediation due date is 2026-07-17. Update to at or above the fixed build for your edition (listed above); consult the MSRC advisory for update details.
Sources
- MSRC Advisory (CVE-2026-56164), https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-56164
- NVD Detail (CVE-2026-56164), https://nvd.nist.gov/vuln/detail/CVE-2026-56164
- CISA KEV Catalog; https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-56164
- CISA BOD 26-04; https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk