Blog / INTPublic file

Active SharePoint exploitation targets IIS machine keys

CISA reports remote code execution, machine-key theft, deserialization-based persistence, and malware deployment across supported on-premises SharePoint Server editions.

Detection evidence

Active SharePoint exploitation targets IIS machine keys

CISA reports active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 against on-premises SharePoint Server. The vulnerabilities affect all supported editions, including Subscription Edition, 2019, and 2016. Threat actors have used the access for remote code execution, theft of IIS machine keys, deserialization-based persistence, and malware deployment.

CISA added CVE-2026-32201 to the Known Exploited Vulnerabilities Catalog on 14 April 2026, CVE-2026-45659 on 1 July, and CVE-2026-56164 on 14 July. The agency also identified CVE-2026-55040 and CVE-2026-58644 as patching priorities, while stating that those two vulnerabilities were not known to be exploited when the alert was published.

Exploitation reaches the SharePoint application process

The alert does not identify the initial request sequence or attribute the activity to a named actor. It confirms that exploitation gives attackers unauthorized access to internet-facing SharePoint instances and enables remote code execution. That foothold places attacker-controlled execution in the IIS application context used by SharePoint.

Post-exploitation activity includes access to IIS machine keys. ASP.NET uses those secrets to protect application state. A stolen key can allow an actor to construct data that passes integrity checks, supporting later deserialization attempts and persistence even after the original vulnerable request path is patched. CISA advises organizations to hunt for machine-key harvesters and other intrusion artifacts before rotating the keys, because an unremediated foothold can steal the replacements again.

CISA also reports malware deployment after exploitation. The alert does not provide actor infrastructure, request samples, filenames, hashes, or a victim count. Those gaps limit campaign clustering, while the confirmed behavior still supports urgent server-level investigation.

Process lineage provides a durable detection point

The included Sigma rule detects w3wp.exe starting cmd.exe, PowerShell, or Windows script hosts. CISA specifically recommends reviewing suspicious SharePoint worker-process activity after the reported remote code execution. The rule translates that guidance into a behavior-based analytic that does not depend on an IP address, domain, file hash, or vulnerability-specific request pattern.

An alert requires investigation rather than automatic confirmation. Administrators can build approved SharePoint extensions or maintenance processes that start interpreters. Triage should establish the application pool identity, full command line, parent process, initiating request, child network activity, file writes, and any access to machine-key material. The process behavior maps to PowerShell (T1059.001) or Windows Command Shell (T1059.003) when the relevant interpreter is present. Exploitation of an internet-facing SharePoint application maps to Exploit Public-Facing Application (T1190).

CISA lists four Microsoft detections for additional coverage. Exploit:Script/SuspSignoutReqBody.A covers request-body scanning on SharePoint Server Subscription Edition. Exploit:Script/ToolPaneAuthBypass.A covers request-header scanning, and Exploit:Script/ToolPaneAuthBypass.C covers remote-code-execution activity across SharePoint Server 2016, 2019, and Subscription Edition. Backdoor:MSIL/LeakFang.A!dha addresses post-exploitation access to IIS-protected secrets.

The accompanying experimental hunt broadens the process alert to worker-process activity associated with interpreters, machine-key or configuration access, and changes to SharePoint or IIS application files. It requires endpoint process and file telemetry plus IIS and identity context. Approved farm maintenance, application deployment, and key rotation can produce matches and must be checked against change records.

Telemetry and remediation priorities

SharePoint operators should apply the latest Microsoft updates and verify successful installation. AMSI integration should be enabled for every SharePoint web application, with Full Mode request-body scanning where the edition and operating requirements permit it. Internet exposure should be removed when it is unnecessary. Required external access should pass through an authenticated Layer 7 reverse proxy or equivalent control that can inspect requests.

Central Administration should remain inaccessible from external networks. Farm and database communication should be restricted to required systems. Security teams need off-host retention for IIS requests, Windows process creation, PowerShell, Windows Application events, file changes under the web root, antimalware detections, and access to configuration or machine-key material.

When compromise is suspected, responders should preserve evidence, identify persistence, remove web shells or harvesters, and validate the application state before rotating IIS machine keys. Key rotation is part of remediation after the foothold has been removed.

Scope and limitations

This analysis relies on one authoritative CISA alert. It establishes active exploitation and the affected SharePoint editions, but it does not identify the actors, affected organizations, exploitation volume, or infrastructure. The included Sigma rule covers one post-exploitation process pattern. It will not detect deserialization that remains within the IIS worker process, theft performed without a child interpreter, or activity on servers that lack complete process lineage.

Sources

Sources

Evidence register
  1. CISA Urges SharePoint Hardening After New Exploitationsprimary

Relationships

Related files