Editor’s Note: Four actively exploited SharePoint Server vulnerabilities, a record 622-CVE Patch Tuesday and a federal remediation deadline landing today converge on one uncomfortable fact: attackers who steal IIS machine keys keep their access after the patch is applied. CISA’s July 14 hardening alert says so plainly, and the agency’s guidance to rotate keys, hunt artifacts and pull servers off the open internet reads as a checklist for organizations that assumed patching closed the book.
For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, the story lands where infrastructure meets obligation. On-premises SharePoint holds matter files, deal rooms and records under litigation hold at many legal organizations, so a compromise that yields machine keys can trigger breach-notification analysis, possible client or insurer notice, and preservation decisions alongside the technical response. The end of extended support for SharePoint 2016 and 2019, which arrived the same day as the fixes, adds a migration clock to the incident clock.
Watch for the August patch cycle, where Microsoft is expected to close a related SharePoint flaw that chains to remote code execution, and for whether regulators begin citing KEV deadlines as evidence of what reasonable programs knew and when.
Content Assessment: SharePoint attackers are stealing the keys, and patching alone will not evict them
Information - 93%
Insight - 93%
Relevance - 92%
Objectivity - 93%
Authority - 90%
92%
Excellent
A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "SharePoint attackers are stealing the keys, and patching alone will not evict them."
Industry News – Cybersecurity Beat
SharePoint attackers are stealing the keys, and patching alone will not evict them
ComplexDiscovery Staff
Federal agencies face a deadline today to fix an actively exploited SharePoint Server flaw, and a second, harsher problem shadows every organization running the platform: patching does not evict the attackers already inside. The Cybersecurity and Infrastructure Security Agency (CISA) said this week that exploitation involving four on-premises SharePoint vulnerabilities has included theft of the cryptographic machine keys that let intruders return long after the holes are closed.
The newest and highest-scoring of the four, CVE-2026-58644, carries a 9.8 score on the Common Vulnerability Scoring System (CVSS) and allows remote code execution through deserialization of untrusted data. Public vulnerability records conflict over the required access: the National Vulnerability Database displays a Microsoft-supplied vector indicating no privileges are required, while Microsoft’s narrative advisory says an attacker must be authenticated as at least a Site Owner. Microsoft flagged the flaw as exploited in the wild July 15, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog July 16, starting a three-day remediation clock for federal civilian agencies. An earlier SharePoint entry, CVE-2026-56164, hit the catalog July 14, which makes its federal deadline July 17, today.
Four exploited flaws and a compressed clock
CISA’s hardening alert, issued July 14 and updated July 16, confirms active exploitation of four SharePoint Server vulnerabilities: CVE-2026-32201, a spoofing flaw cataloged in April; CVE-2026-45659, a deserialization bug enabling remote code execution that joined the KEV catalog July 1; CVE-2026-56164, an elevation-of-privilege flaw exploited as a zero-day before Microsoft’s July 14 fixes; and CVE-2026-58644. The agency said the flaws affect the three on-premises editions covered by Microsoft’s July updates: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. The National Vulnerability Database lists only on-premises server editions as affected products; SharePoint Online in Microsoft 365 does not appear among them.
Fixed builds exist for each affected version, and organizations can compare farm build numbers against Microsoft’s July release to confirm the patch actually landed.
The SharePoint fixes arrived inside Microsoft’s largest Patch Tuesday on record. The company published patches for 622 vulnerabilities July 14, topping a record set only a month earlier. Rapid7 and The Hacker News counted two flaws already under attack at release, CVE-2026-56164 and an Active Directory Federation Services elevation-of-privilege bug; CVE-2026-58644 joined the exploited list a day later when Microsoft revised its advisory. Josh Taylor, lead cybersecurity analyst at Fortra, told Dark Reading that July’s release includes 26 vulnerabilities scoring above 9.0, 13 of them at 9.8.
Raw scores can mislead in both directions, though. Microsoft assigned CVE-2026-56164 a modest 5.3 rating, and NIST’s independent assessment scores the same flaw 9.8, yet it was the one exploited before patches existed. CVSS “is a good foundation, but it’s just a number,” said Satnam Narang, senior staff research engineer at Tenable, in Patch Tuesday commentary published by Dark Reading, adding that not every 9.8 is urgent and not every lower-scoring flaw can be safely ignored. “Context matters,” Narang said.
Why stolen machine keys outlive the patch
The detail that separates this campaign from routine patch-and-move-on hygiene is what the attackers take on the way in. CISA said exploitation has involved establishing remote code execution and stealing Internet Information Services (IIS) machine keys, the cryptographic material a SharePoint server uses to validate and, where configured, encrypt ASP.NET ViewState data. An attacker holding those keys can forge trusted requests and re-enter a fully patched server, using deserialization techniques to maintain persistence and deploy malware.
That is why CISA’s guidance goes well beyond installing the update. The agency told organizations to apply and verify the updates, hunt for and remediate intrusion artifacts before rotating IIS machine keys, enable Antimalware Scan Interface (AMSI) integration for every SharePoint web application, keep servers off the open internet or behind a Layer 7 reverse proxy, and block external access to SharePoint Central Administration. Chris Boehm, field chief technology officer at Zero Networks, a network segmentation vendor, told CSO Online that patching alone may not fully remove attacker persistence and argued for segmentation alongside patch management.
The playbook echoes last summer’s ToolShell campaign, in which attackers chained SharePoint flaws, including CVE-2025-53770, to steal machine keys and put thousands of internet-exposed servers at risk, and the 2023 Storm-0558 incident, in which a stolen Microsoft signing key let a state-linked actor forge cloud authentication tokens. In each case, the compromise outlived the fix until the keys themselves were replaced.
A three-day clock set by a new federal directive
The compressed deadlines flow from Binding Operational Directive 26-04, CISA’s risk-based framework for federal civilian executive branch agencies. The directive considers internet exposure, known exploitation, exploit automatability and technical impact, with the highest-risk combinations receiving deadlines as short as three days and accompanying forensic-triage requirements. It binds only federal civilian agencies and creates no legal obligation for private organizations, though KEV notices may later inform assessments of what an organization knew and whether its response was reasonable.
The July 16 KEV batch that captured CVE-2026-58644 also added two exploited Fortinet FortiSandbox flaws, with federal remediation due July 19. A day earlier, CISA cataloged an exploited Oracle E-Business Suite vulnerability, CVE-2026-46817, giving agencies until July 18.
Support ended the same day the patches shipped
Organizations still running SharePoint Server 2016 or 2019 face an uncomfortable coincidence. Extended support for both versions ended July 14, 2026, according to Microsoft’s product lifecycle documentation, the same day the July fixes shipped. Unless Microsoft announces an exception, the July updates are the final scheduled security fixes for those versions. Organizations seeking continued Microsoft security support must migrate to Subscription Edition, move to SharePoint Online or replace the affected environment.
Information governance teams should treat the support-driven migration as a records event, not just an infrastructure project. Moving a decade of matter content off an aging farm is the moment to enforce retention schedules, map what the platform actually holds and dispose of legacy data defensibly before it travels to a new home under threat of exploitation.
The preservation questions the patch cycle does not answer
For many law firms, corporate legal departments and legal service providers, the exposure is structural. On-premises SharePoint has long served as a document backbone in legal organizations, holding matter files, deal rooms, investigation workspaces and records subject to litigation holds. A compromise that yields machine keys is not an incident on one server; it is potential access to everything the farm serves, and that reframes the legal work that follows.
Incident-response scoping should assess whether the intruder could access content across the compromised farm rather than treating the event as confined to one server. The findings may affect notification analysis under applicable state laws, contractual commitments and other requirements. Outside counsel guidelines and cyber insurance policies may impose prompt notice requirements, often triggered by discovery or awareness as defined in the applicable agreement or policy rather than by completion of remediation; the precise trigger and deadline should be confirmed against the governing language. If litigation, an enforcement inquiry or another proceeding is reasonably anticipated, counsel should consider preservation measures before rebuilding the farm. Relevant material may include IIS logs, ViewState error records, patch and key-rotation timestamps and forensic images of affected servers. Discovery teams should also document the remediation sequence itself, because the difference between patched and remediated, the gap CISA just put on the public record, is a distinction opposing counsel and regulators may examine.
Practical first moves are unglamorous: inventory every on-premises farm, verify build numbers against the fixed versions, rotate machine keys after artifact hunts rather than before, and brief general counsel before the first client asks. Organizations that consume SharePoint through managed hosting or legal service providers should request written attestations covering patch status, artifact hunts and key rotation, because outsourcing the infrastructure may not eliminate the customer’s contractual notification or security obligations. As of July 16, the KEV catalog gives federal agencies days, not weeks.
When the intruder keeps a copy of the keys, remediation is a legal question as much as a technical one. Whose job is it in your organization to prove the difference between patched and clean?

News sources
- CISA Urges SharePoint Hardening After New Exploitations (CISA)
- CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA)
- NVD Entry for CVE-2026-58644 (National Vulnerability Database)
- BOD 26-04: Prioritizing Security Updates Based on Risk (CISA)
- BOD 26-04: Implementation Guidance for Prioritizing Security Updates Based on Risk (CISA)
- NVD Entry for CVE-2026-56164 (National Vulnerability Database)
- Fresh SharePoint Vulnerability Exploited Soon After Disclosure (SecurityWeek)
- CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV (The Hacker News)
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities (SecurityWeek)
- CISA Warns Admins to Patch Actively Exploited SharePoint Flaws (BleepingComputer)
- CISA Warns That Multiple Vulnerabilities in SharePoint Are Under Exploitation (Cybersecurity Dive)
- CISA Urges Immediate SharePoint Hardening as Exploits Mount (CSO Online)
- Patch Tuesday, July 2026 (Rapid7)
- Records Are Made to Be Broken: Patch Tuesday Raises Triage Stakes (Dark Reading)
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack (The Hacker News)
- Microsoft July 2026 Patch Tuesday Addresses Exploited SharePoint Vulnerabilities (Field Effect)
- SharePoint Server 2019 Product Lifecycle (Microsoft Learn)
- SharePoint Server 2016 Product Lifecycle (Microsoft Learn)
- Improved ASP.NET View State Security and Key Management in SharePoint Server (Microsoft Learn)
Assisted by GAI and LLM technologies
Additional reading
- UK and EU impose first simultaneous cyber sanctions as Poland attack is attributed to the FSB
- The negotiator was the leak: insider who betrayed ransomware victims gets 70 months
- Why a single Signal recovery key is a preservation problem
- Europe’s critical sectors are maturing, but seven still sit in ENISA’s risk zone
- When the worm targets the assistant: Miasma turns AI coding agents into the trigger
- Glasswing widens: Anthropic puts Mythos inside power, water and hospital operators across more than 15 countries
- Canvas breach moves from disclosure to demand as ShinyHunters sets May 12 deadline
- CISA’s CI Fortify rewrites the disconnection playbook for critical infrastructure
- A 48-month federal benchmark resets the incident-response insider question
- Data collection in occupied territory: A closer read of Cyber Law Toolkit scenario 35
- Cyber Law Toolkit tests surveillance and data collection under occupation
Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.



























