Critical (9.8) Actively Exploited

SharePoint privilege escalation exploited (CVE-2026-56164)

CVE-2026-56164

CVE-2026-56164: Critical unauthenticated privilege escalation in Microsoft Office SharePoint (CVSS 9.8) actively exploited. Apply Microsoft's security patch immediately.

Affected: Microsoft Sharepoint Server

Actively exploited in the wild - CVE-2026-56164 is a critical missing authentication flaw in Microsoft Office SharePoint that lets an unauthenticated attacker elevate privileges over the network with no user interaction. Patched in the June 2026 security update - apply immediately.

Overview

CVE-2026-56164 is a critical vulnerability in Microsoft Office SharePoint that stems from missing authentication for a critical function. The flaw carries a CVSS score of 9.8 and requires no privileges, no user interaction, and can be exploited over the network. Because SharePoint is widely deployed for internal collaboration and document management, this vulnerability presents a severe risk to enterprise environments.

Impact

An unauthenticated attacker can exploit this vulnerability to elevate their privileges on the target SharePoint server. Successful exploitation grants the attacker the same permissions as a high-privilege SharePoint user, potentially allowing them to access, modify, or exfiltrate sensitive documents, manage site collections, and pivot to other systems within the network. Given the confirmed active exploitation, organizations should treat this as an immediate threat.

Affected Products

Microsoft Office SharePoint Server. Organizations should consult the vendor advisory for the exact affected versions and patch levels.

Remediation

Microsoft has released a security update for this vulnerability as part of the June 2026 Patch Tuesday. The only complete mitigation is to apply the official patch immediately. There are no known workarounds that fully address the missing authentication flaw.

For organizations that cannot patch immediately, consider:

  • Restricting network access to SharePoint servers to only trusted IP ranges
  • Enabling enhanced logging and monitoring for anomalous privilege escalation events
  • Reviewing user account activity for signs of compromise

Security Insight

This vulnerability represents a dangerous class of flaws in collaboration platforms - missing authentication for privileged operations. Unlike complex memory corruption bugs, this is a logic flaw that requires no specialized exploit development. When combined with the CISA KEV designation, it signals that threat actors are weaponizing these simple, high-impact vulnerabilities faster than ever. Organizations should treat SharePoint as a critical asset and prioritize patching cycles accordingly, especially when CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog.

Related Content

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Related Advisories

Other Microsoft Sharepoint Server Vulnerabilities

View all Microsoft Sharepoint Server vulnerabilities →

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.