[KEV] CVE-2026-56164 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-56164 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-56164 is a missing authentication for a critical function vulnerability in Microsoft SharePoint Server that allows an unauthenticated, network-adjacent attacker to elevate privileges on affected systems.
Technical Detail
The flaw exists in a critical SharePoint Server function that fails to enforce authentication checks before granting access, enabling an unauthorized attacker to interact with privileged functionality over the network without valid credentials. By sending crafted requests to the exposed endpoint, an attacker can escalate their privileges within the SharePoint environment, potentially gaining administrative-level control over the server or its hosted content. The specific internal component affected and the precise request structure required to trigger the vulnerability have not been publicly disclosed in full technical detail at this time.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on July 14, 2026. The exploit maturity is rated Operational, meaning a functional exploit capable of reliable, real-world use exists and is being actively leveraged against targets. This is not a theoretical or proof-of-concept risk; exploitation is occurring now and organizations running unpatched SharePoint Server instances should treat this as an immediate priority.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE in available intelligence sources. This assessment may change as incident data accumulates given the active exploitation status.
What To Do
Under CISA's Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate this vulnerability by the deadline associated with the July 14, 2026 KEV listing; all organizations should treat this timeline as a baseline. Apply the relevant Microsoft security update for SharePoint Server immediately and prioritize internet-facing or externally accessible SharePoint deployments. If patching cannot be completed immediately, consider restricting network access to SharePoint Server endpoints at the perimeter and reviewing authentication logs for anomalous privilege escalation activity or unexpected access to administrative functions. Monitor Microsoft's official security guidance for any additional workarounds or indicators of compromise as they become available.