Your Collaboration Platform Just Became an Active Attack Surface. Here's What Business Leaders Need to Do Now.
CISA confirmed active exploitation of Microsoft SharePoint vulnerabilities on July 2, 2026. If your organization runs SharePoint Server on-premises, you're sitting on an active attack surface. Here's what it means and what to do.
On July 2, 2026, CISA updated its Known Exploited Vulnerabilities catalog to confirm that attackers are actively exploiting Microsoft SharePoint vulnerabilities in the wild. If your organization runs SharePoint Server on-premises — and tens of thousands of businesses do — this is not a "patch eventually" situation. It's a "patch now or assume you're compromised" situation.
Here's what happened, why it matters, and what you should be doing about it today.
What's Being Exploited
Two vulnerabilities are in play. The first is CVE-2026-32201, a spoofing and cross-site scripting flaw that requires no authentication — an attacker doesn't even need a login to begin exploiting it. It was patched in April 2026 and added to CISA's KEV catalog that same month. As of today, security researchers have identified more than 1,300 internet-exposed SharePoint on-premises servers that still haven't applied that patch.
The second is CVE-2026-45659, a remote code execution vulnerability rated CVSS 8.8. This one is particularly nasty: any authenticated user — meaning anyone with a basic SharePoint account, not just admins — can exploit it to execute arbitrary code on the underlying server. No admin privileges required. No user interaction needed. One standard employee credential and an attacker has server-level access.
Think about what that means. If a phishing email compromises one of your employees' credentials — something that happens every day across thousands of organizations — an attacker now has a clear path to execute code on your SharePoint server. From there, lateral movement to other systems is straightforward.
Why SharePoint Specifically?
SharePoint isn't just a file storage system. It's often a hub for sensitive business documents, contracts, HR records, project files, and internal communications. It's connected to Active Directory, Microsoft Teams, and often directly to your most sensitive line-of-business applications.
That connectivity is exactly why attackers target it. Compromising SharePoint doesn't just give them a server — it often gives them a pivoting point into the heart of your business.
And SharePoint has a history here. Over the past three years, it has accumulated a dozen serious CVEs. Nation-state hackers, ransomware operators, and initial access brokers all have a track record of targeting SharePoint specifically. This isn't a fringe concern — it's a demonstrated, repeated attack pattern.
The Real Problem: Patch Lag
Here's the uncomfortable truth: CVE-2026-32201 has been patchable since April. It's now July — nearly three months later — and 1,300+ servers are still exposed. That's not a technical problem. That's a process problem.
Organizations often delay patching for legitimate reasons: testing, change management windows, resource constraints, and the general chaos of IT operations. But attackers don't wait for your change management window. CISA's KEV catalog tracks confirmed active exploitation — meaning these vulnerabilities are being used against real targets right now, not theoretically.
The 2026 Verizon Data Breach Investigations Report documented that the median remediation time for critical vulnerabilities across enterprises is 44 days. That's the window attackers are counting on. For vulnerabilities in tools as central as SharePoint, 44 days of exposure is a very long time.
Is Your SharePoint On-Premises or Cloud?
This distinction matters enormously. If your organization runs Microsoft 365 with SharePoint Online, Microsoft manages patching on the backend — you're not exposed to these specific vulnerabilities in the same way. This is one of the strongest arguments for cloud migration: your patch lag becomes Microsoft's operational problem, not yours.
If you're running SharePoint Server on-premises — Server 2016, 2019, or the Subscription Edition — you are directly affected and need to act now. The patches are available; applying them is the only remediation.
If you're not sure which version you're running, that ambiguity is itself a problem. Knowing your technology inventory is foundational to managing risk.
What to Do Right Now
If you're a business leader, here are the three conversations you need to have with your IT team today:
First, ask whether CVE-2026-32201 (the April patch) has been applied. If the answer is "we're working on it" or "we haven't gotten to it," you have an active risk. That patch has been available for nearly three months and exploitation is confirmed.
Second, ask whether CVE-2026-45659 (the May patch) has been applied. Both patches should be treated as emergency deployments, not routine maintenance.
Third, ask whether your SharePoint server is directly internet-accessible. If it is, and the patches aren't applied, your exposure is significantly higher. Restricting access via a VPN or zero-trust network access layer while patching is in progress reduces immediate risk.
The Broader Lesson
Here's what this situation illustrates about modern cybersecurity: the tools you rely on most — your collaboration platforms, your productivity suites, your line-of-business applications — are exactly what attackers target most aggressively.
Security isn't just about protecting the perimeter. It's about continuously maintaining the security of the tools at the center of your operations. When CISA adds a vulnerability to its KEV catalog, it's not a theoretical warning. It's a confirmed signal that attacks are happening right now.
At TrustPoint Cyber, we work with organizations to build the processes that close these gaps before attackers find them — regular vulnerability scanning, prioritized patch management, and continuous monitoring that doesn't wait for a CISA alert to take action. If your team is stretched thin and patches are falling behind, that's a risk your organization is carrying silently.
The question isn't whether SharePoint will be targeted. It already is. The question is whether your organization will be in the 1,300+ that haven't patched — or in the group that already has.
Ready to strengthen your security?
TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.