AI Cybersecurity Threats
I’ve seen this movie before. It’s not a new script. It’s the same damn scene: Microsoft drops patches on Patch Tuesday, and by Wednesday morning, threat actors are already dancing on the corpses of unpatched SharePoint servers.
CISA’s alert this week isn’t a surprise—it’s a confirmation. Three vulnerabilities—CVE-2026-32201, CVE-2026-45659, CVE-2026-56164—are being weaponized in the wild. Not in theory. Not in a lab. Right now. Attackers are bypassing authentication, executing remote code, and stealing IIS machine keys to maintain persistence. This isn’t a "maybe". This is a "you’re already compromised if you’re still running unpatched".
And here’s the kicker: we’ve known about this pattern since November 2021. Eleven SharePoint vulnerabilities have been exploited since then. Seven of them? Ransomware. Seven. And yet, here we are again.
Shadowserver reports nearly 10,000 SharePoint servers exposed to the internet. Over 800 of them? Still unpatched against the top two CVEs. That’s not negligence. That’s a fucking invitation.
I’m not here to lecture you about patching cycles. I’m here to tell you that if you’re still running SharePoint Server on-premises and haven’t patched by July 17, you’re not just at risk—you’re already in the kill zone. BOD 26-04 gives federal agencies until tomorrow to either patch or shut down. If you’re in the private sector and you’re still waiting for approval, you’re already behind.
The exploit chain is brutal. It starts with an authentication bypass. That’s the front door. Then comes the RCE—remote code execution. That’s the key in your hand. And then? The machine key theft. That’s the master key to your entire farm. Once they’ve got that, they can decrypt any traffic, forge any session, and move laterally like ghosts. You can’t just re-patch and call it done. You have to assume they’re already inside.
The mitigation advice? Patch. Obviously. But also: enable AMSI for SharePoint web apps. Run MDAV. Hunt for intrusion artifacts before rotating those IIS machine keys. And for God’s sake, stop exposing SharePoint directly to the internet. Put it behind a reverse proxy. Lock down Central Administration. Restrict farm communication. This isn’t just security hygiene—it’s survival.
This isn’t about being paranoid. It’s about being awake. The next ransomware gang isn’t waiting for your next audit. They’re already scanning. They’ve already mapped your network. And they’re waiting for you to click "Update".
The question isn’t whether you’ll be targeted. It’s whether you’ll be ready when they come.
The Three Flaws: How Authentication Bypass Leads to Full Domain Takeover
Let’s cut through the noise. These aren’t just CVE numbers. They’re a death sentence if left unaddressed.
CVE-2026-32201 is the opener. It’s an authentication bypass in SharePoint’s request handling. No password. No MFA. Just a malformed HTTP header and you’re in. Microsoft patched it in July 2026, but CISA added it to the Known Exploited Vulnerabilities list back in April. That’s three months of open season.
CVE-2026-45659 is the payload. Once they’re inside, attackers use this to execute arbitrary code. Think: PowerShell scripts, webshells, backdoors. This isn’t a minor leak—it’s full system compromise. And it’s been weaponized since July 1.
Then there’s CVE-2026-56164—the silent killer. It’s not just about gaining access. It’s about persistence. This flaw lets attackers steal the IIS machine key, which is used to encrypt session cookies, view state, and authentication tickets across the entire SharePoint farm. Steal that key, and you can impersonate any user, any admin, any service account. You don’t need to hack again. You just log in.
CISA added this one on July 14. That means federal agencies have until tomorrow to patch it under BOD 26-04. If you’re not patched by then, you’re not just vulnerable—you’re already owned.
And here’s what nobody’s talking about: these aren’t standalone bugs. They’re a chain. Bypass → Execute → Persist. It’s a kill chain designed by someone who’s been here before. Someone who knows that most organizations patch the first flaw, then assume they’re safe. They’re not. The second flaw lets them plant a backdoor. The third lets them never leave.
I’ve seen this play out in enterprise environments. One team patches CVE-2026-32201. Another team says, "We’re good." But the attacker’s shell is already running. The machine key is already exfiltrated. And now they’re sitting in your Exchange server, your Active Directory, your SQL databases—all because someone thought "patching one CVE" was enough.
This isn’t about technical complexity. It’s about organizational blindness. You can’t fix what you refuse to see.
The 800 Unpatched Servers and the Silent Majority
Let’s talk about the numbers. Shadowserver tracks nearly 10,000 SharePoint servers exposed to the internet. That’s not a typo. Ten thousand.
Of those, over 800 remain unpatched against CVE-2026-32201 and CVE-2026-45659. That’s 8% of the exposed surface—and that’s just the ones we know about. How many are behind corporate firewalls? How many are in legacy environments nobody remembers? How many are running in departments that haven’t updated since 2019?
I’ve been in those rooms. The finance team says, "We use SharePoint for expense reports. It’s just a form." The HR team says, "It’s for employee handbooks. No one touches it." The IT team says, "We don’t own it. It’s a legacy app." And then the breach happens. And suddenly, someone remembers: oh right, SharePoint has a SQL backend. And it’s connected to Active Directory. And it’s been exposed since 2017.
The truth? Most of those 800 unpatched servers aren’t being targeted by sophisticated nation-states. They’re being hit by script kiddies with automated scanners. But here’s the thing: those script kiddies don’t care if you’re important. They just want a foothold. And once they’ve got it, they sell it. Or they use it to pivot to your ERP. Or your CRM. Or your cloud storage.
And the worst part? We don’t even know how many are vulnerable to CVE-2026-56164. Because it’s new. Because it’s July 14. Because nobody’s had time to scan.
This isn’t a vulnerability. It’s a systemic failure. We’re not just failing to patch. We’re failing to prioritize. We’re treating security like an IT ticket, not a survival protocol.
If you’re running SharePoint Server on-premises, you’re not just managing a tool. You’re managing a liability. And if you’re still ignoring it, you’re not just risky—you’re reckless.
Beyond Patching: Hardening, Logging, and the Art of Assuming Compromise
Patching isn’t the end. It’s the bare minimum.
If you’ve patched the three CVEs, congratulations. You’ve stopped the initial breach. But you haven’t stopped the attack.
Attackers aren’t just after the machine key. They’re after the logs. They’re after the service accounts. They’re after the cached credentials. They’re after the backup files. And if you think your antivirus will catch them, you’re delusional.
Here’s what you need to do now:
- Enable AMSI for SharePoint web applications. Microsoft Defender Antivirus (MDAV) can detect malicious PowerShell scripts, but only if AMSI is active. It’s not enabled by default. Turn it on.
- Hunt for intrusion artifacts before rotating IIS machine keys. If you rotate the keys without hunting first, you’re just giving the attacker a new key. You need to find their backdoors, their webshells, their scheduled tasks. Use Sysmon. Use EDR. Use a forensic tool that doesn’t trust the OS.
- Establish tailored logging. Monitor for anomalous activity: unusual file creation in the SharePoint root, unexpected PowerShell execution, outbound connections to known C2 domains. Don’t just rely on SIEM alerts—build your own.
- Avoid direct internet exposure. If you don’t need it exposed, don’t expose it. If you do, put it behind a Layer 7 reverse proxy. Use WAF rules. Block access to Central Administration from the internet. Period.
- Review Microsoft’s SharePoint Server security-hardening guidance. Seriously. Read it. It’s not optional. It’s your last line of defense.
And here’s the hard truth: if you’re still relying on Microsoft’s default settings, you’re already compromised. Default configurations are for labs. Not production.
I’ve seen organizations patch the CVEs, then say, "We’re good." And then, two weeks later, they get hit by ransomware. Because the attacker was already inside. Because they used the machine key to decrypt a backup. Because they used a compromised service account to escalate to domain admin.
Patching is the first step. But the real work? That’s the hunting. That’s the logging. That’s the assumption that you’re already breached.
Because you probably are.
The Federal Deadline: BOD 26-04 and the Cost of Delay
July 17, 2026. That’s the deadline. Not a suggestion. Not a recommendation. A Binding Operational Directive from CISA. Federal agencies must patch CVE-2026-56164 by then—or shut down their SharePoint servers.
That’s it. No extensions. No exceptions. No "we’re working on it." This isn’t a policy—it’s a mandate. And it’s not just for IT. It’s for every agency head. Every CIO. Every CFO who thinks security is a cost center.
Why such a hard line? Because this isn’t a drill. This is the third time this year CISA has issued a BOD for a SharePoint flaw. And each time, the same damn thing happens: organizations wait. They delay. They assume they’re not a target. And then they get hit.
And the cost? It’s not just dollars. It’s trust. It’s data. It’s reputational damage. It’s the loss of public confidence. And it’s the fact that your employees’ personal information is now on the dark web.
The private sector? We’re not bound by BOD 26-04. But we’re bound by the same reality. If you’re not patched by tomorrow, you’re not just at risk—you’re already a target. And the attackers know it.
This isn’t about compliance. It’s about survival. And if you’re still waiting for approval from legal or procurement, you’re already too late.
The clock isn’t ticking. It’s already run out.
The Bigger Picture: 11 Exploited SharePoint Flaws Since 2021
Let’s put this in perspective.
Since November 2021, CISA has flagged 11 SharePoint vulnerabilities that have been exploited in real-world attacks. Seven of them? Used in ransomware campaigns.
Seven.
That’s not a coincidence. That’s a pattern.
SharePoint is the perfect target. It’s everywhere. It’s often forgotten. It’s got deep integration with Active Directory, Exchange, and SQL Server. And it’s rarely monitored.
Attackers don’t need to hack your firewall. They don’t need to phish your executives. They just need to find one unpatched SharePoint server—and they’ve got the keys to the kingdom.
And what’s the response? More patches. More alerts. More "urgent" emails.
But nothing changes.
We keep treating these as isolated incidents. But they’re not. They’re symptoms of a deeper disease: we’ve outsourced security to Microsoft. We assume that because it’s Microsoft, it’s secure. That’s the biggest lie in enterprise IT.
Microsoft releases patches. But they don’t enforce them. They don’t monitor them. They don’t care if you’re still running SharePoint 2016.
The responsibility? It’s yours.
And if you’re still waiting for someone else to fix it, you’re not just behind—you’re already dead.