Back to Intelligence

CVE-2026-32201, CVE-2026-45659, CVE-2026-56164: SharePoint Server Active Exploitation — Detection and Hardening

SA
Security Arsenal Team
July 14, 2026
5 min read

On July 14, 2026, CISA issued an urgent alert regarding active exploitation of critical vulnerabilities affecting on-premises Microsoft SharePoint Servers. As senior consultants, we view this alert with high severity: the chaining of these flaws allows unauthenticated actors to achieve remote code execution (RCE), bypass authentication, and establish persistence within the enterprise environment.

The vulnerabilities in question—CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164—impact all supported on-premises versions, including SharePoint Server Subscription Edition, 2019, and 2016. This is not a theoretical risk; CISA has confirmed active exploitation involving the theft of Internet Information Services (IIS) machine keys and deserialization attacks to deploy malicious software.

Technical Analysis

The attack surface is broad because SharePoint is a prime target for initial access, often exposed to the internet for collaboration purposes.

Affected Products & Versions:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2016

The Attack Chain:

  1. Initial Access (Unauthenticated RCE): Threat actors leverage CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 to execute code on the SharePoint server without valid credentials.
  2. Credential Theft & Persistence: The primary post-exploitation objective observed in this campaign is the theft of IIS Machine Keys. These keys are used to encrypt forms authentication tickets and view state data. Possession of these keys allows an attacker to forge authentication cookies, effectively bypassing identity controls for the application pool.
  3. Deserialization & Payload Deployment: With machine keys in hand, attackers perform deserialization techniques (often leveraging .NET gadgets) to run arbitrary code in the context of the IIS application pool, leading to web shell deployment or ransomware staging.

Exploitation Status:

  • Status: Confirmed Active Exploitation (per CISA)
  • KEV Status: Likely imminent or added to CISA KEV catalog given the urgency.

Detection & Response

Defenders must assume that if the server was unpatched prior to the patch release, it may already be compromised. Detection must focus on the specific behavior of the IIS worker process (w3wp.exe) accessing sensitive cryptographic artifacts or spawning unusual child processes.

YAML
---
title: Potential SharePoint RCE - W3WP Spawning Shell
id: a1b2c3d4-5678-90ef-gh12-34567890ijkl
status: experimental
description: Detects w3wp.exe (SharePoint/IIS worker process) spawning cmd.exe or powershell.exe, indicative of web shell or RCE activity related to CVE-2026-32201, CVE-2026-45659, or CVE-2026-56164.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
  - cve-2026-32201
  - cve-2026-45659
  - cve-2026-56164
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative debugging (rare)
level: critical
---
title: IIS MachineKeys Access by SharePoint Worker Process
id: b2c3d4e5-6789-01f2-hi34-56789012jklm
status: experimental
description: Detects unusual access to the IIS MachineKeys directory by the w3wp.exe process. Attackers stealing machine keys is a key TTP in the active SharePoint exploitation campaign.
references:
  - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1003
  - cve-2026-32201
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith: '\w3wp.exe'
    TargetFilename|contains: '\MachineKeys\'
  condition: selection
falsepositives:
  - Rare; legitimate SharePoint operations usually do not read MachineKeys directly via w3wp in this manner.
level: high


**KQL (Microsoft Sentinel / Defender):**
KQL — Microsoft Sentinel / Defender
// Hunt for w3wp.exe spawning shells or accessing MachineKeys
let ProcessSpawn = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256;
let FileAccess = DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath contains @"\MachineKeys\"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, SHA256;
union ProcessSpawn, FileAccess


**Velociraptor VQL:**
VQL — Velociraptor
-- Hunt for w3wp.exe accessing MachineKeys or spawning shells
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'w3wp.exe'
  AND (CommandLine =~ 'MachineKeys' OR Exe =~ 'MachineKeys')

-- Check for recent modifications in MachineKeys directory
SELECT FullPath, Mtime, Atime, Size
FROM glob(globs='C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*')
WHERE Mtime < now() - 24h


**Remediation Script (PowerShell):**
PowerShell
# Audit SharePoint Server for Indicators of Compromise related to CVE-2026-32201
# Checks for recent modifications to IIS MachineKeys and suspicious w3wp child processes.

$MachineKeyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$HoursToCheck = 24

Write-Host "[+] Checking for modifications in $MachineKeyPath in last $HoursToCheck hours..."
$ModifiedKeys = Get-ChildItem -Path $MachineKeyPath -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$HoursToCheck) }

if ($ModifiedKeys) {
    Write-Host "[!] WARNING: Found recently modified Machine Keys:" -ForegroundColor Red
    $ModifiedKeys | Select-Object FullName, LastWriteTime, Length
} else {
    Write-Host "[+] No recent MachineKey modifications detected." -ForegroundColor Green
}

Write-Host "[+] Checking for w3wp.exe spawning suspicious processes..."
$SuspiciousParents = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
$Processes = Get-WmiObject -Class Win32_Process | Where-Object { 
    $_.ParentProcessId -ne 0 -and 
    $_.Name -in $SuspiciousParents
}

foreach ($proc in $Processes) {
    $parent = Get-WmiObject -Class Win32_Process | Where-Object { $_.ProcessId -eq $proc.ParentProcessId }
    if ($parent.Name -eq 'w3wp.exe') {
        Write-Host "[!] WARNING: w3wp.exe (PID $($parent.ProcessId)) spawned $($proc.Name) (PID $($proc.ProcessId))" -ForegroundColor Red
        Write-Host "    Command: $($proc.CommandLine)"
    }
}

Write-Host "[+] Audit complete. Apply Microsoft Security Updates for July 2026 immediately if IoCs found."

Remediation

  1. Patch Immediately: Apply the latest security updates from Microsoft for SharePoint Server Subscription Edition, 2019, and 2016. These patches address CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164.
  2. Revoke IIS Machine Keys: If exploitation is suspected or confirmed, you must treat the IIS machine keys as compromised. Regenerate these keys and update the machineKey section in your web.config files for all affected web applications.
  3. Reset Application Pool Identities: Assume the attacker gained the privileges of the application pool identity. Reset credentials for any service accounts used by the SharePoint application pools.
  4. Network Segmentation: Ensure SharePoint servers are not directly accessible from the internet unless absolutely necessary. Implement strict firewall rules and Zero Trust Network Access (ZTNA) policies.
  5. Thunt for Persistence: Review IIS logs for unusual POST requests and check for web shells in C:\inetpub\wwwroot\ directories.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemsharepointcve-2026-32201cve-2026-45659cve-2026-56164ransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.