Number: AL26-017
Date: July 15, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (Cyber Centre) is also available to provide additional assistance regarding the content of this Alert upon request.
Details
The Canadian Centre for Cyber Security (Cyber Centre) is aware of critical vulnerabilities affecting Microsoft SharePoint Server. In response to the Microsoft security advisory, released on July 14, 2026Footnote 1, the Cyber Centre issued AV26-698Footnote 2 on July 14, 2026.
Tracked as CVE-2026-55164Footnote 3, this vulnerability is a Missing Authentication for Critical Function (CWE-306)Footnote 4 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to elevate privileges over a network.
Tracked as CVE-2026-55040Footnote 5Footnote 6, this vulnerability is a Weak Authentication (CWE-1390)Footnote 7 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to bypass a security feature over a network.
Tracked as CVE-2026-58644Footnote 8, this vulnerability is a Deserialization of Untrusted Data (CWE-502)Footnote 9 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to execute code over a network.
Microsoft is aware of exploitation of CVE-2026-56164 and other previously released SharePoint related vulnerabilities. CVE-2026-56164 was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalogFootnote 10 on July 14, 2026.
Suggested actions
The Cyber Centre recommends that organizations upgrade affected Microsoft SharePoint instances to a fixed version:
| Affected product | Affected versions | Fixed versions |
|---|---|---|
| Microsoft SharePoint Enterprise Server 2016 | 16.0.0 before 16.0.5561.1001 | 16.0.5561.1001 |
| Microsoft SharePoint Server 2019 | 16.0.0 before 16.0.10417.20175 | 16.0.10417.20175 |
| Microsoft SharePoint Server Subscription Edition | 16.0.0 before 16.0.19725.20434 | 16.0.19725.20434 |
The Cyber Centre recommends organizations:
- Identify all on-premises SharePoint Server instances, particularly those exposed to the internet
- Use or upgrade to supported versions of on-premises Microsoft SharePoint Server
- Apply the latest security updates from Microsoft to all affected SharePoint Servers including (Subscription Edition, 2019, and 2016)
- Monitor SharePoint servers for suspicious activity, including unusual requests, web shells, malicious processes, unauthorized access attempts, and machine key theft indicators
- Harden SharePoint Deployments:
- Enable Antimalware Scan Interface (AMSI) integration for SharePoint web applications
- Configure AMSI Request Body Scan Mode to Full Mode where operationally feasible
- Restrict or eliminate direct Internet exposure of SharePoint servers whenever possible
- Limit access to SharePoint Central Administration and management interfaces
- Monitor for Indicators of Compromise:
- Organizations should closely monitor SharePoint environments for:
- Unexpected privilege escalation activity
- Unauthorized authentication attempts
- Suspicious IIS machine key access
- Evidence of deserialization attacks or web shell deployment
- Microsoft Defender and AMSI detections related to SharePoint exploitation activity
- Organizations should closely monitor SharePoint environments for:
Important note: Microsoft SharePoint Enterprise Server 2016Footnote 11 and Server 2019Footnote 12 are end of life as of July 14, 2026. Organizations are urged to migrate to a supported version.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions with an emphasis on the following topicsFootnote 13.
- Patch operating systems and applications
- Harden operating systems and applications
- Isolate web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.