Skip to content
Back to Blog
Cybersecurity

On-Premises SharePoint Server Vulnerabilities: What Business Owners Need to Know

Barry SinghJuly 17, 20267 min readUpdated July 17, 2026
Cybersecurity analyst reviewing server security alerts and access risk for on-premises SharePoint infrastructure

/ Key takeaways

  • What CISA Actually Warned About
  • Why the Timing Makes This Different From a Routine Patch Notice
  • Who This Actually Affects

On July 14, 2026, the Cybersecurity and Infrastructure Security Agency confirmed that attackers are actively exploiting three vulnerabilities in on-premises Microsoft SharePoint Server, the version installed on a company's own hardware rather than Microsoft 365's cloud-based SharePoint Online. One of the three flaws lets an attacker gain elevated access with no valid login at all. Attackers have also been reported stealing the server's security keys, which can let them back in even after the official patch is installed. If your business runs its own SharePoint server, patching is the first step, not the last one. You also need to check whether you were compromised before you patched.

This article explains what business owners need to know, who is affected, and what to do next. If this applies to your environment, it should be handled as a same-week security priority, not a routine maintenance item. It also connects directly to practical support areas such as Cybersecurity Services, Cloud Solutions, and Managed IT Services.

What CISA Actually Warned About

The alert covers three separate vulnerabilities affecting SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition, the on-premises versions businesses install and run on their own infrastructure. Two of the flaws had been known for a few weeks. The third was added to CISA's Known Exploited Vulnerabilities catalog on July 14, and it is the one causing the most concern because it allows an attacker to gain administrator-level access to a SharePoint server without an authentication step.

Microsoft released fixes as part of its July Patch Tuesday release. CISA's Known Exploited Vulnerabilities entry for CVE-2026-56164 lists a July 17, 2026 due date for covered federal systems, which is much tighter than a typical monthly patching rhythm and signals how seriously the agency is treating the risk.

Why the Timing Makes This Different From a Routine Patch Notice

Most monthly patch cycles involve dozens of fixes for flaws that are theoretical risks until someone builds a working exploit. This is not that. CISA only adds a vulnerability to its Known Exploited Vulnerabilities catalog once there is confirmed evidence that real attackers are using it.

There is also a second layer that business owners should not skip past. Attackers exploiting these flaws have reportedly been extracting IIS machine keys from compromised servers. Those keys are what a SharePoint server uses to validate legitimate requests. If an attacker already has a copy of them, installing the patch closes the door they walked through, but it does not take away a key they already copied. Without rotating those keys and reviewing logs for signs of prior access, a business can patch the vulnerability and still have an active intruder.

Who This Actually Affects

This specifically affects businesses running SharePoint on their own servers, whether that is onsite hardware or a self-managed virtual machine. Microsoft 365 and SharePoint Online, the cloud-hosted version most newer businesses use, are not affected by these particular flaws because Microsoft manages the underlying platform and patching on that side.

On-premises SharePoint is still common in industries where document management systems were set up years ago and never migrated: law firms with case management built around it, accounting practices with client file archives going back a decade, real estate brokerages managing contracts and disclosures, and insurance agencies with policy documentation. These are exactly the businesses where a server was set up once, worked fine for years, and never had anyone formally assigned to watch it for this kind of alert.

Patching Is the Start, Not the Finish

If your business runs on-premises SharePoint, use this realistic response sequence:

  1. Apply the July security updates immediately. This closes the vulnerabilities themselves and should happen before lower-priority maintenance work.
  2. Rotate the IIS machine keys on affected servers rather than assuming the patch alone resets anything an attacker may have copied.
  3. Review server logs going back to early July for unusual authentication activity, unexpected admin actions, or file access patterns that do not match normal use.
  4. Check for unfamiliar files or scheduled tasks that could indicate malware, persistence, or post-exploitation activity was already planted.
  5. Confirm whether your server is internet facing. Exposure to the open internet significantly raises risk compared with a server only reachable from an internal network.

Skipping straight to step one and assuming the job is done is the most common mistake we expect to see from this incident, and it is understandable. Most businesses do not have a documented process for confirmed active exploitation versus a routine update. They have a person who applies updates when they get around to it.

Cloud vs On-Premises: The Question Worth Asking

This incident is a reasonable moment to ask a bigger question rather than just patching and moving on: why is this server still on-premises at all? Moving to SharePoint Online removes this specific class of risk because Microsoft handles the underlying server security. It is not the right call for every business, and some have genuine compliance or customization reasons to stay on-premises, but for many firms the honest answer is that migration got deprioritized, not that it was ruled out for a good reason.

If your business does need to remain on-premises, the practical substitute for Microsoft's cloud-side patching is a monitoring and patch management process that treats an alert like this one as same-day priority, not a line item for next month's maintenance window.

Direct answer

If you run SharePoint Server 2016, SharePoint Server 2019, or SharePoint Subscription Edition on your own infrastructure, patch immediately, rotate IIS machine keys, review logs for signs of compromise, and confirm whether the server is exposed to the internet. SharePoint Online is not affected by these specific on-premises SharePoint Server flaws.

Need help checking on-premises SharePoint exposure?

BPro Technologies can help review patch status, internet exposure, server logs, key-rotation requirements, and whether a SharePoint Online migration should be part of the next step.

Get Free IT Assessment

Frequently Asked Questions

Does this vulnerability affect Microsoft 365 or SharePoint Online?

No. These three vulnerabilities are specific to on-premises SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition. Microsoft 365 and SharePoint Online are managed and patched directly by Microsoft and are not affected by these particular flaws.

How do I know if my SharePoint server was already compromised?

Check server logs for unusual authentication events, unexpected administrative actions, and unfamiliar scheduled tasks or files created since early July. If your team does not have the tooling or experience to do this confidently, bring in outside help rather than assuming a clean patch means a clean system.

What is an IIS machine key and why does it matter here?

It is a cryptographic key SharePoint's underlying web server uses to validate requests. If an attacker copies it before a patch is applied, they may continue accessing the system even after the vulnerability itself is fixed. Rotating the keys closes that gap.

Should we migrate off on-premises SharePoint entirely?

Not necessarily right away, but this is a fair trigger to have that conversation. Moving to SharePoint Online removes the ongoing burden of patching and securing the server yourself. For businesses with a genuine reason to stay on-premises, the alternative is investing in monitoring and patch response that can act within hours.

What should a 50 to 300 person business do this week if they run on-prem SharePoint?

Patch immediately, rotate the security keys, and review recent server activity for anything unusual. If nobody on the team can confidently say who owns that process today, that is the actual problem this incident has surfaced.

/ Choose the next step

Move from article guidance to a practical review path.

Pick the route that best matches the issue behind the article so the next conversation starts with the right scope.

Cloud path

Review the cloud or migration scope

Use the free assessment when the priority is Microsoft 365, Google Workspace, Azure, SharePoint, Intune, backup readiness, or a migration plan that needs technical review.

Use this when you want a clearer starting point before work is scoped.

Service path

See the cloud services delivery model

Review how BPro Technologies handles Microsoft 365, cloud governance, migration planning, identity settings, backup, and operating handover.

Use this when you want a clearer starting point before work is scoped.

Project path

Share a migration or tenant requirement

If the move already has business pressure behind it, send the current tools, users, timeline, and dependencies so the team can review it properly.

Use this when you want a clearer starting point before work is scoped.

Cookie Preferences

We use cookies to enhance your browsing experience and analyze site traffic. By clicking “Accept All”, you consent to our use of cookies.