[KEV] CVE-2026-56164 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-56164 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-56164 is a missing authentication for a critical function vulnerability in Microsoft SharePoint Server that allows unauthenticated network-based attackers to elevate privileges on affected systems.
Technical Detail
The flaw exists in a critical function within SharePoint Server that fails to enforce authentication checks before granting access, enabling a remote, unauthenticated attacker to interact with privileged functionality over the network. By sending crafted requests to the exposed endpoint, an attacker can escalate privileges without requiring any valid credentials or prior foothold on the system. Successful exploitation could allow an attacker to gain elevated access within the SharePoint environment, potentially enabling further lateral movement, data access, or administrative control over the platform.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on July 14, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliably achieving the described impact is in active use. This is not a proof-of-concept situation; exploitation is occurring against real targets and the barrier to weaponization is low for capable threat actors.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability as of the date of this briefing. Attribution analysis is ongoing and this section will be updated as credible intelligence becomes available.
What To Do
Apply the relevant Microsoft security update for SharePoint Server immediately. CISA's binding operational directive requires federal civilian executive branch agencies to remediate this vulnerability by the deadline associated with the July 14, 2026 KEV listing, which is typically 21 days from the date of addition unless otherwise specified. All organizations running SharePoint Server should treat this as a critical priority patch given confirmed in-the-wild exploitation and the unauthenticated attack vector. If patching cannot be completed immediately, consider restricting network access to SharePoint Server endpoints at the perimeter, disabling or isolating externally facing SharePoint instances, and monitoring authentication logs for anomalous privilege escalation events or unexpected access to administrative functions. Review SharePoint audit logs for signs of unauthorized access predating patch deployment.