Editor’s Note: Four actively exploited SharePoint Server vulnerabilities, a record 622-CVE Patch Tuesday and a federal remediation deadline landing today converge on one uncomfortable fact: attackers who steal IIS machine keys keep their access after the patch is applied. CISA’s July 14 hardening alert says so plainly, and the agency’s guidance to rotate keys, hunt artifacts and pull servers off the open internet reads as a checklist for organizations that assumed patching closed the book.

For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, the story lands where infrastructure meets obligation. On-premises SharePoint holds matter files, deal rooms and records under litigation hold at many legal organizations, so a compromise that yields machine keys can trigger breach-notification analysis, possible client or insurer notice, and preservation decisions alongside the technical response. The end of extended support for SharePoint 2016 and 2019, which arrived the same day as the fixes, adds a migration clock to the incident clock.

Watch for the August patch cycle, where Microsoft is expected to close a related SharePoint flaw that chains to remote code execution, and for whether regulators begin citing KEV deadlines as evidence of what reasonable programs knew and when.


Content Assessment: SharePoint attackers are stealing the keys, and patching alone will not evict them

Information - 93%
Insight - 93%
Relevance - 92%
Objectivity - 93%
Authority - 90%

92%

Excellent

A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "SharePoint attackers are stealing the keys, and patching alone will not evict them."


Industry News – Cybersecurity Beat

SharePoint attackers are stealing the keys, and patching alone will not evict them

ComplexDiscovery Staff

Federal agencies face a deadline today to fix an actively exploited SharePoint Server flaw, and a second, harsher problem shadows every organization running the platform: patching does not evict the attackers already inside. The Cybersecurity and Infrastructure Security Agency (CISA) said this week that exploitation involving four on-premises SharePoint vulnerabilities has included theft of the cryptographic machine keys that let intruders return long after the holes are closed.

The newest and highest-scoring of the four, CVE-2026-58644, carries a 9.8 score on the Common Vulnerability Scoring System (CVSS) and allows remote code execution through deserialization of untrusted data. Public vulnerability records conflict over the required access: the National Vulnerability Database displays a Microsoft-supplied vector indicating no privileges are required, while Microsoft’s narrative advisory says an attacker must be authenticated as at least a Site Owner. Microsoft flagged the flaw as exploited in the wild July 15, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog July 16, starting a three-day remediation clock for federal civilian agencies. An earlier SharePoint entry, CVE-2026-56164, hit the catalog July 14, which makes its federal deadline July 17, today.



Four exploited flaws and a compressed clock

CISA’s hardening alert, issued July 14 and updated July 16, confirms active exploitation of four SharePoint Server vulnerabilities: CVE-2026-32201, a spoofing flaw cataloged in April; CVE-2026-45659, a deserialization bug enabling remote code execution that joined the KEV catalog July 1; CVE-2026-56164, an elevation-of-privilege flaw exploited as a zero-day before Microsoft’s July 14 fixes; and CVE-2026-58644. The agency said the flaws affect the three on-premises editions covered by Microsoft’s July updates: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. The National Vulnerability Database lists only on-premises server editions as affected products; SharePoint Online in Microsoft 365 does not appear among them.

Fixed builds exist for each affected version, and organizations can compare farm build numbers against Microsoft’s July release to confirm the patch actually landed.

The SharePoint fixes arrived inside Microsoft’s largest Patch Tuesday on record. The company published patches for 622 vulnerabilities July 14, topping a record set only a month earlier. Rapid7 and The Hacker News counted two flaws already under attack at release, CVE-2026-56164 and an Active Directory Federation Services elevation-of-privilege bug; CVE-2026-58644 joined the exploited list a day later when Microsoft revised its advisory. Josh Taylor, lead cybersecurity analyst at Fortra, told Dark Reading that July’s release includes 26 vulnerabilities scoring above 9.0, 13 of them at 9.8.

Raw scores can mislead in both directions, though. Microsoft assigned CVE-2026-56164 a modest 5.3 rating, and NIST’s independent assessment scores the same flaw 9.8, yet it was the one exploited before patches existed. CVSS “is a good foundation, but it’s just a number,” said Satnam Narang, senior staff research engineer at Tenable, in Patch Tuesday commentary published by Dark Reading, adding that not every 9.8 is urgent and not every lower-scoring flaw can be safely ignored. “Context matters,” Narang said.

Why stolen machine keys outlive the patch

The detail that separates this campaign from routine patch-and-move-on hygiene is what the attackers take on the way in. CISA said exploitation has involved establishing remote code execution and stealing Internet Information Services (IIS) machine keys, the cryptographic material a SharePoint server uses to validate and, where configured, encrypt ASP.NET ViewState data. An attacker holding those keys can forge trusted requests and re-enter a fully patched server, using deserialization techniques to maintain persistence and deploy malware.

That is why CISA’s guidance goes well beyond installing the update. The agency told organizations to apply and verify the updates, hunt for and remediate intrusion artifacts before rotating IIS machine keys, enable Antimalware Scan Interface (AMSI) integration for every SharePoint web application, keep servers off the open internet or behind a Layer 7 reverse proxy, and block external access to SharePoint Central Administration. Chris Boehm, field chief technology officer at Zero Networks, a network segmentation vendor, told CSO Online that patching alone may not fully remove attacker persistence and argued for segmentation alongside patch management.

The playbook echoes last summer’s ToolShell campaign, in which attackers chained SharePoint flaws, including CVE-2025-53770, to steal machine keys and put thousands of internet-exposed servers at risk, and the 2023 Storm-0558 incident, in which a stolen Microsoft signing key let a state-linked actor forge cloud authentication tokens. In each case, the compromise outlived the fix until the keys themselves were replaced.

A three-day clock set by a new federal directive

The compressed deadlines flow from Binding Operational Directive 26-04, CISA’s risk-based framework for federal civilian executive branch agencies. The directive considers internet exposure, known exploitation, exploit automatability and technical impact, with the highest-risk combinations receiving deadlines as short as three days and accompanying forensic-triage requirements. It binds only federal civilian agencies and creates no legal obligation for private organizations, though KEV notices may later inform assessments of what an organization knew and whether its response was reasonable.

The July 16 KEV batch that captured CVE-2026-58644 also added two exploited Fortinet FortiSandbox flaws, with federal remediation due July 19. A day earlier, CISA cataloged an exploited Oracle E-Business Suite vulnerability, CVE-2026-46817, giving agencies until July 18.

Support ended the same day the patches shipped

Organizations still running SharePoint Server 2016 or 2019 face an uncomfortable coincidence. Extended support for both versions ended July 14, 2026, according to Microsoft’s product lifecycle documentation, the same day the July fixes shipped. Unless Microsoft announces an exception, the July updates are the final scheduled security fixes for those versions. Organizations seeking continued Microsoft security support must migrate to Subscription Edition, move to SharePoint Online or replace the affected environment.

Information governance teams should treat the support-driven migration as a records event, not just an infrastructure project. Moving a decade of matter content off an aging farm is the moment to enforce retention schedules, map what the platform actually holds and dispose of legacy data defensibly before it travels to a new home under threat of exploitation.

The preservation questions the patch cycle does not answer

For many law firms, corporate legal departments and legal service providers, the exposure is structural. On-premises SharePoint has long served as a document backbone in legal organizations, holding matter files, deal rooms, investigation workspaces and records subject to litigation holds. A compromise that yields machine keys is not an incident on one server; it is potential access to everything the farm serves, and that reframes the legal work that follows.

Incident-response scoping should assess whether the intruder could access content across the compromised farm rather than treating the event as confined to one server. The findings may affect notification analysis under applicable state laws, contractual commitments and other requirements. Outside counsel guidelines and cyber insurance policies may impose prompt notice requirements, often triggered by discovery or awareness as defined in the applicable agreement or policy rather than by completion of remediation; the precise trigger and deadline should be confirmed against the governing language. If litigation, an enforcement inquiry or another proceeding is reasonably anticipated, counsel should consider preservation measures before rebuilding the farm. Relevant material may include IIS logs, ViewState error records, patch and key-rotation timestamps and forensic images of affected servers. Discovery teams should also document the remediation sequence itself, because the difference between patched and remediated, the gap CISA just put on the public record, is a distinction opposing counsel and regulators may examine.

Practical first moves are unglamorous: inventory every on-premises farm, verify build numbers against the fixed versions, rotate machine keys after artifact hunts rather than before, and brief general counsel before the first client asks. Organizations that consume SharePoint through managed hosting or legal service providers should request written attestations covering patch status, artifact hunts and key rotation, because outsourcing the infrastructure may not eliminate the customer’s contractual notification or security obligations. As of July 16, the KEV catalog gives federal agencies days, not weeks.

When the intruder keeps a copy of the keys, remediation is a legal question as much as a technical one. Whose job is it in your organization to prove the difference between patched and clean?



News sources



Assisted by GAI and LLM technologies

Additional reading

Source: ComplexDiscovery OÜ

 

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Gemini, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).