Back to Intelligence

CISA Warning: Active Exploitation of Critical SharePoint RCE Flaw

SA
Security Arsenal Team
July 3, 2026
5 min read

CISA issued a critical warning this Wednesday confirming that threat actors are actively exploiting a high-severity unauthenticated Remote Code Execution (RCE) vulnerability in Microsoft SharePoint. Although Microsoft released a patch for this flaw in May 2026, federal agencies and private sector organizations are reporting active compromise attempts, suggesting widespread scanning and exploitation of unpatched instances.

For defenders, this is a "drop everything" moment. An unauthenticated RCE in a web-facing service like SharePoint is a primary initial access vector for ransomware operations and data theft. The addition to the CISA Known Exploited Vulnerabilities (KEV) Catalog mandates immediate remediation for federal agencies and serves as a critical indicator for all organizations to prioritize patching above all other IT tasks.

Technical Analysis

Affected Platform: Microsoft SharePoint Server (On-Premises)

Vulnerability Type: Unauthenticated Remote Code Execution (RCE)

CVSS Severity: High/Critical (Specific score pending vendor disclosure, but CISA KEV listing implies significant impact)

The Vulnerability: The flaw resides in the SharePoint Server infrastructure. It allows an unauthenticated attacker to send a specially crafted HTTP request to a target server. Due to improper validation of specific input parameters within the web application stack, the server executes code in the context of the service account (typically the SharePoint farm account or System).

Attack Chain:

  1. Reconnaissance: Attackers scan for internet-facing SharePoint servers (port 443/80).
  2. Exploitation: A malicious HTTP POST request is sent to the vulnerable endpoint, triggering the deserialization or injection flaw.
  3. Execution: The server executes the attacker's payload.
  4. Persistence: Attackers often immediately install web shells (e.g., ASPX files) to maintain access, move laterally, or dump credentials.

Exploitation Status: Confirmed Active Exploitation. CISA has observed this vulnerability being used in the wild to gain initial access. While the patch has been available since May 2026, the lag in patching cycles has provided a lucrative window of opportunity for attackers.

Detection & Response

Given the active exploitation, defenders must assume compromise if the system was unpatched after May 2026. The following detection rules focus on the post-exploitation behavior typical of SharePoint RCE attacks, specifically the spawning of shells by the IIS worker process.

Sigma Rules

YAML
---
title: SharePoint RCE - Suspicious Process Spawn by w3wp.exe
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential exploitation of SharePoint RCE via IIS worker process spawning a command shell or PowerShell. 
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts (rare for w3wp to spawn these directly)
level: high
---
title: SharePoint Web Shell Indicator - ASPX File Creation
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects creation of new ASPX files in SharePoint directories, a common method for web shell persistence.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\_layouts\'
      - '\_vti_bin\'
    TargetFilename|endswith: '.aspx'
  filter:
    User|contains:
      - 'AUTHORI'
      - 'ADMIN'
  condition: selection and not filter
falsepositives:
  - Legitimate SharePoint deployment or custom development updates
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious child processes of IIS worker process (w3wp.exe)
// indicative of web shell or RCE activity
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "powershell_ise.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessId, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for w3wp.exe spawning command interpreters
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE ParentName =~ 'w3wp.exe'
  AND Name IN ('cmd.exe', 'powershell.exe', 'pwsh.exe')

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    SharePoint Server Health Check for May 2026 RCE Patch.
.DESCRIPTION
    This script assists in identifying the SharePoint Build Version to verify
    if the May 2026 security updates have been applied.
    Note: Defenders must verify the build version against the specific
    Security Advisory released in May 2026.
#>

Write-Host "Checking SharePoint Farm Build Version..." -ForegroundColor Cyan

try {
    # Check if SharePoint Snapin or Module is available
    if (Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        
        $farm = Get-SPFarm
        $build = $farm.BuildVersion
        
        Write-Host "Current SharePoint Build Version: $($build)" -ForegroundColor Yellow
        Write-Host " "
        Write-Host "ACTION REQUIRED:" -ForegroundColor Red
        Write-Host "Please compare the output above against the May 2026 Security Update Advisory." 
        Write-Host "If the build version is older than the May 2026 update, you are vulnerable." 
    }
    else {
        Write-Warning "Microsoft.SharePoint.PowerShell snapin not found on this machine."
        Write-Host "Please run this script directly on a SharePoint Front-End server."
    }
}
catch {
    Write-Error "An error occurred: $_"
}

Remediation

  1. Patch Immediately: Apply the security updates released by Microsoft in May 2026. Do not wait for a standard maintenance window.
  2. Verify Patching: Use the PowerShell script above or the SharePoint Central Administration dashboard to confirm the build version matches the patched security baseline.
  3. Internet-Facing Exposure: If immediate patching is not possible, restrict access to SharePoint servers from the internet via firewall rules or VPN enforcement until the patch is deployed.
  4. Hunt for Web Shells: Assume compromise if the server was exposed and unpatched. Conduct a thorough scan for newly created ASPX, ASP, or ASHX files in the web directories (C:\inetpub\wwwroot, C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions).
  5. CISA KEV Compliance: Federal agencies have a mandated deadline (typically within 3 weeks of CISA KEV addition) to patch this vulnerability.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoft-sharepointcisa-kevactive-exploitationrceweb-shells

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.