CVE-2026-56164: Unauthenticated SharePoint Server RCE Actively Exploited in the Wild (KEV)
Overview
CVE-2026-56164 is a Missing Authentication for Critical Function vulnerability (CWE-306) in Microsoft SharePoint Server. The root cause is a failure to enforce authentication checks on internal SharePoint API/service endpoints, allowing an unauthenticated attacker to invoke sensitive server-side functionality directly via crafted HTTP requests. Depending on the endpoint reached, this can lead to remote code execution, data exfiltration, or webshell deployment — the pattern is consistent with prior SharePoint "ToolShell"-style campaigns.
Affected Software
The affected vendor is Microsoft, and the affected product is SharePoint Server. Specific affected version ranges have not been published in this record; organizations running on-premises SharePoint Server should treat this as applicable pending vendor guidance.
Exploitation Status
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation as of the disclosure date (2026-07-14). This is not theoretical — defenders should prioritize detection and response for this vulnerability immediately, as attackers are already leveraging it rather than it being a future risk.
How Our Detection Catches It
Our detection focuses on three behavioral indicators tied to this attack chain:
- Anonymous or unauthenticated access to sensitive SharePoint endpoints that should require authentication.
- Unusual child processes spawned from IIS worker processes (
w3wp.exe), which typically indicate server-side code execution following a successful exploit. - Webshell-drop indicators occurring shortly after unauthenticated requests, consistent with post-exploitation persistence seen in prior SharePoint campaigns.
This logic is shipped across our full SIEM coverage matrix, including Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), IBM QRadar (AQL), Sumo Logic, Google Chronicle (YARA-L), and CrowdStrike (CQL), so teams can deploy consistent detection logic regardless of their primary SIEM.
Full Detection Details
For the complete detection logic, query implementations across all supported platforms, and update history, see the CVE-2026-56164 detection page.