← Blog · · df00tech

CVE-2026-56164: Unauthenticated SharePoint Server RCE Actively Exploited in the Wild (KEV)

vuln-intel Microsoft CVE-2026-56164

Overview

CVE-2026-56164 is a Missing Authentication for Critical Function vulnerability (CWE-306) in Microsoft SharePoint Server. The root cause is a failure to enforce authentication checks on internal SharePoint API/service endpoints, allowing an unauthenticated attacker to invoke sensitive server-side functionality directly via crafted HTTP requests. Depending on the endpoint reached, this can lead to remote code execution, data exfiltration, or webshell deployment — the pattern is consistent with prior SharePoint "ToolShell"-style campaigns.

Affected Software

The affected vendor is Microsoft, and the affected product is SharePoint Server. Specific affected version ranges have not been published in this record; organizations running on-premises SharePoint Server should treat this as applicable pending vendor guidance.

Exploitation Status

This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation as of the disclosure date (2026-07-14). This is not theoretical — defenders should prioritize detection and response for this vulnerability immediately, as attackers are already leveraging it rather than it being a future risk.

How Our Detection Catches It

Our detection focuses on three behavioral indicators tied to this attack chain:

  • Anonymous or unauthenticated access to sensitive SharePoint endpoints that should require authentication.
  • Unusual child processes spawned from IIS worker processes (w3wp.exe), which typically indicate server-side code execution following a successful exploit.
  • Webshell-drop indicators occurring shortly after unauthenticated requests, consistent with post-exploitation persistence seen in prior SharePoint campaigns.

This logic is shipped across our full SIEM coverage matrix, including Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), IBM QRadar (AQL), Sumo Logic, Google Chronicle (YARA-L), and CrowdStrike (CQL), so teams can deploy consistent detection logic regardless of their primary SIEM.

Full Detection Details

For the complete detection logic, query implementations across all supported platforms, and update history, see the CVE-2026-56164 detection page.

Get new detections in your inbox

New ATT&CK coverage plus CISA KEV / CVE detection rules, roughly weekly. No spam, unsubscribe anytime.