SharePoint's 5.3 that isn't: an unauthenticated privilege bug already exploited in the wild (CVE-2026-56164)
A missing-authentication elevation-of-privilege in on-prem SharePoint — a Medium CVSS on CISA's KEV list, found in live intrusions

Microsoft's July 2026 Patch Tuesday shipped a fix for a SharePoint bug that scores as a middling Medium — and yet Google's incident responders found it being used in real intrusions, and CISA added it to the Known Exploited Vulnerabilities catalog the same day. The reason the two signals disagree is worth understanding, because if you triage on the base score alone you will file this one under later and be wrong. The flaw is a missing authentication check on a privileged SharePoint function (CWE-306): a request that should require a logged-in, authorized user doesn't, so an anonymous attacker on the network can reach it and elevate their privilege inside the server.
Scores as of 2026-07-16live record →
What the flaw actually is
SharePoint Server is a large web application with a rich internal privilege model — site collections, farm administrators, service accounts. Some operations are meant to be gated behind authentication and authorization. This vulnerability is exactly what **CWE-306, Missing Authentication for Critical Function, describes: one of those privileged operations is reachable over the network without the check that should protect it**. Microsoft's own description is terse — "Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network" — and the CVSS vector AV:N/AC:L/PR:N/UI:N confirms the shape: network-reachable, low complexity, no privileges and no user interaction required. It is pre-auth and zero-click.
Why a 5.3 can still be an emergency
The base score is dragged down by its impact metrics: C:N/I:L/A:N — no confidentiality or availability impact, only low integrity. On paper that reads as "an attacker can make a limited unauthorized change." But a CVSS base score is a severity proxy, not a prioritization verdict, and it doesn't know that this particular bug is unauthenticated, that it landed in a product already under sustained attack, and that defenders caught it mid-intrusion. The signals that actually decide urgency all point the other way.
| Signal | Value | What it tells you |
|---|---|---|
| CVSS base | 5.3 (Medium) | Integrity-only — understates the risk here |
| Authentication | None required | Anyone who can reach the server can try it |
| CISA KEV | Listed 2026-07-14 | Confirmed exploited; treat as patch-now |
| In the wild | Yes — found by Google/Mandiant IR | Discovered inside real attacks, not a lab |
| EPSS | ~7% (~93rd percentile) | Elevated vs. the CVE population, and likely to climb |
| Deadline | 2026-07-17 (BOD 26-04) | Federal 3-day window — a strong market signal |
The exploitation chain
The path from the open internet to a persisted foothold is short, and — importantly — it doesn't end at the privilege escalation. In the wider SharePoint campaigns running through 2026, operators use a foothold to steal the server's ASP.NET machine keys, then forge authentication tokens (__VIEWSTATE) so they can walk back in even after you patch. That is why the fix is patch, then rotate keys, not just patch. The diagram traces the chain and marks the three places worth spending effort to break it. (The precise pre-auth step is drawn as the undisclosed function, not the unverified technique from the rumor mill.)
CVE-2026-56164 — unauthenticated missing-auth EoP on on-prem SharePoint
- Missing-auth EoP (CWE-306) — unauth, KEV, exploited — A privileged SharePoint function reachable over the network with no authentication. Starting point: an attacker who can reach the server.
- Find internet-facing on-prem SharePoint — Enumerate exposed 2016/2019/Subscription-Edition farms via Shodan/Censys or the MicrosoftSharePointTeamServices build header. SharePoint Online is not affected.
- Reach the unauthenticated critical function — Invoke the privileged operation that is missing its auth gate (CWE-306). Exact vulnerable function not publicly disclosed by Microsoft.
- Elevate privilege inside SharePoint — Gain a privileged context in the farm (integrity impact). This is the EoP itself — CVSS 5.3, but the door to everything below.
- Chain to persistence / RCE? — A missing-auth EoP alone does not imply RCE. But in the observed campaigns it is chained with other SharePoint bugs and post-exploitation tradecraft.
- Steal ASP.NET machine keys → forge VIEWSTATE → web shell — The ToolShell playbook: exfiltrate ValidationKey/DecryptionKey, forge __VIEWSTATE tokens, drop web shells — persistence that survives a patch. T1552.004 / T1606.001 / T1505.003.
- Durable foothold on the farm — Attacker retains access even after the CVE is patched, until machine keys are rotated and web shells removed.
- PREVENT: keep farms off the raw internet; block external Central Admin — Shrinking reachability removes the attacker's first step. CISA explicitly recommends blocking external access to Central Administration.
- PATCH (the real fix): July 14 2026 update + run PSConfig — Install the July 2026 CU for your SKU and run the Products Configuration Wizard. This removes the missing-auth code path.
- CONTAIN: hunt, then rotate ASP.NET machine keys + iisreset — Because persistence rides on stolen keys, patching alone isn't enough on a previously-exposed farm. Hunt first, then rotate keys and restart IIS.
Am I affected?
This is an on-premises bug. SharePoint Online (Microsoft 365) is not affected. If you run on-prem SharePoint Server 2016, 2019, or Subscription Edition, you are in scope until you're on the July 2026 build. Confirm the farm build with (Get-SPFarm).BuildVersion — but cross-check against Manage patch status in Central Administration, because the farm build only reflects updates that carry a config-DB schema change.
| Product | July 2026 KB(s) | Fixed build |
|---|---|---|
| SharePoint Server Subscription Edition | KB5002882 | 16.0.19725.20434 |
| SharePoint Server 2019 | KB5002883 + KB5002885 | 16.0.10417.20175 |
| SharePoint Enterprise Server 2016 | KB5002891 + KB5002892 | 16.0.5561.1001 |
Exploited in the wild — and part of a bigger wave
On-prem SharePoint has been under sustained assault since the 2025 ToolShell zero-days, and this bug is a beat in that same rhythm. Microsoft flags exploitation as Detected and credits discovery to Google/Mandiant incident responders and the FLARE team — which means it was found inside live intrusions. Note the honest limit: the exploited status rests on Microsoft's flag plus CISA's KEV listing; a public, independent technical confirmation with 56164-specific indicators had not appeared as of this writing. That's a reason to patch, not to relax.
CVE-2026-56164 — the wave and the clock
- ToolShell wave beginsMass exploitation of on-prem SharePoint (CVE-2025-53770 and friends); later tied to China-nexus actors and Warlock ransomware.source
- SharePoint RCE CVE-2026-45659 added to KEVAn earlier beat in the 2026 wave — a deserialization RCE tied to the same activity cluster.source
- Published, patched, flagged ExploitedJuly Patch Tuesday ships the fix; Microsoft marks exploitation Detected; SharePoint 2016/2019 reach end of extended support.source
- Added to CISA KEVCISA issues a SharePoint hardening alert and sets a BOD 26-04 remediation deadline.source
- Federal remediation deadlineBOD 26-04 requires federal civilian agencies to patch or discontinue affected SharePoint — a strong signal for everyone else.source
Detection & hunting
There is no verified CVE-specific signature — no public PoC, no Nuclei template, no vendor detection rule. So hunting targets the outcome of an elevation-of-privilege and the post-exploitation tradecraft seen across the wave, not the (unverified, and hard-to-log) request itself. CISA points defenders at authentication records, web-server logs, SharePoint audit events, admin-account changes, suspicious processes, unexpected scheduled tasks, and web shells.
- Watch privileged group changes on SharePoint/IIS hosts: Windows Security Event IDs 4728 / 4732 / 4756 (member added to a security-enabled group) — flag unexpected additions to Farm or Site Collection Administrators.
- Watch new accounts / privileges: Event 4720 (account created) and 4672 (special privileges assigned) around the same window.
- Hunt for web shells: new
.aspxfiles under theLAYOUTSdirectory or web-app roots, and suspiciousw3wp.exechild processes. - Assume-breach on keys: any sign of ASP.NET machine-key theft means forged tokens are possible — rotate keys (below) after hunting.
- Patch state, not exploit: in Microsoft Defender,
DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-56164"lists hosts still missing the fix.
What to do now
- Inventory every on-prem SharePoint farm and read its build — internet-facing ones first.
- Patch to the July 14, 2026 update for your SKU and run PSConfig — the fix isn't active until the configuration wizard completes.
- Harden while you patch: enable AMSI Full-mode body scanning, block external access to Central Administration, and keep farms off the raw internet.
- Hunt, then rotate machine keys on any farm that was internet-exposed — patching alone won't evict an attacker who already stole your keys — then
iisreset. - Verify fleet-wide that every farm is at or above the fixed build, and start planning the 2016/2019 migration.
FAQ
Is CVE-2026-56164 being exploited?
Why is a KEV-listed, exploited bug only scored 5.3?
C:N/I:L/A:N), which drags the base number down. But the base score is a severity proxy, not a priority verdict — it doesn't account for the bug being unauthenticated, exploited, and in a heavily-targeted product. Treat it as patch-now.I use SharePoint Online (Microsoft 365). Am I affected?
Is patching enough?
Sources
- Microsoft MSRC — CVE-2026-56164 advisory
- NVD — CVE-2026-56164
- CISA — Known Exploited Vulnerabilities catalog
- CISA — Urges SharePoint hardening after new exploitations (2026-07-14)
- BleepingComputer — CISA warns admins to patch actively exploited SharePoint flaws
- Orca Security — Microsoft July 2026 Patch Tuesday: SharePoint zero-day
- Help Net Security — Microsoft Patch Tuesday, July 2026 (SharePoint)
- Tenable — Microsoft's July 2026 Patch Tuesday
- Microsoft — KB5002882 (SharePoint Subscription Edition, July 2026)
- Microsoft — Configure AMSI integration for SharePoint Server
- Microsoft Security Blog — Disrupting active exploitation of on-prem SharePoint (ToolShell, 2025)