Alert - AL26-017 - Critical vulnerabilities impacting Microsoft SharePoint Server – CVE-2026-56164, CVE-2026-55040 and CVE-2026-58644

Number: AL26-017
Date: July 15, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (Cyber Centre) is also available to provide additional assistance regarding the content of this Alert upon request.

Details

The Canadian Centre for Cyber Security (Cyber Centre) is aware of critical vulnerabilities affecting Microsoft SharePoint Server. In response to the Microsoft security advisory, released on July 14, 2026Footnote 1, the Cyber Centre issued AV26-698Footnote 2 on July 14, 2026.

Tracked as CVE-2026-55164Footnote 3, this vulnerability is a Missing Authentication for Critical Function (CWE-306)Footnote 4 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to elevate privileges over a network.

Tracked as CVE-2026-55040Footnote 5Footnote 6, this vulnerability is a Weak Authentication (CWE-1390)Footnote 7 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to bypass a security feature over a network.

Tracked as CVE-2026-58644Footnote 8, this vulnerability is a Deserialization of Untrusted Data (CWE-502)Footnote 9 vulnerability affecting multiple versions of Microsoft SharePoint Server, that could allow an unauthorized attacker to execute code over a network.

Microsoft is aware of exploitation of CVE-2026-56164 and other previously released SharePoint related vulnerabilities. CVE-2026-56164 was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalogFootnote 10 on July 14, 2026.

Suggested actions

The Cyber Centre recommends that organizations upgrade affected Microsoft SharePoint instances to a fixed version:

Affected product Affected versions Fixed versions
Microsoft SharePoint Enterprise Server 2016 16.0.0 before 16.0.5561.1001 16.0.5561.1001
Microsoft SharePoint Server 2019 16.0.0 before 16.0.10417.20175 16.0.10417.20175
Microsoft SharePoint Server Subscription Edition 16.0.0 before 16.0.19725.20434 16.0.19725.20434

The Cyber Centre recommends organizations:

  • Identify all on-premises SharePoint Server instances, particularly those exposed to the internet
  • Use or upgrade to supported versions of on-premises Microsoft SharePoint Server
  • Apply the latest security updates from Microsoft to all affected SharePoint Servers including (Subscription Edition, 2019, and 2016)
  • Monitor SharePoint servers for suspicious activity, including unusual requests, web shells, malicious processes, unauthorized access attempts, and machine key theft indicators
  • Harden SharePoint Deployments:
    • Enable Antimalware Scan Interface (AMSI) integration for SharePoint web applications
    • Configure AMSI Request Body Scan Mode to Full Mode where operationally feasible
    • Restrict or eliminate direct Internet exposure of SharePoint servers whenever possible
    • Limit access to SharePoint Central Administration and management interfaces
  • Monitor for Indicators of Compromise:
    • Organizations should closely monitor SharePoint environments for:
      • Unexpected privilege escalation activity
      • Unauthorized authentication attempts
      • Suspicious IIS machine key access
      • Evidence of deserialization attacks or web shell deployment
      • Microsoft Defender and AMSI detections related to SharePoint exploitation activity

Important note: Microsoft SharePoint Enterprise Server 2016Footnote 11 and Server 2019Footnote 12 are end of life as of July 14, 2026. Organizations are urged to migrate to a supported version.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions with an emphasis on the following topicsFootnote 13.

  • Patch operating systems and applications
  • Harden operating systems and applications
  • Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.

References

Date modified: