CVE-2026-56164: Microsoft SharePoint Server Authentication Bypass — How to Find Vulnerable Instances on Your Network
Microsoft SharePoint Server contains a missing authentication vulnerability that lets unauthenticated attackers escalate privileges over the network. Actively exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog on July 14, 2026 with a 3-day remediation deadline. NVD scores this 9.8 Critical while Microsoft rates it Moderate — a significant scoring disagreement. Patches available for SharePoint 2016, 2019, and Subscription Edition, but July 14 is the final security update for SharePoint 2016 and 2019.
The Vulnerability
CVE-2026-56164 (CWE-306: Missing Authentication for Critical Function) is a privilege escalation vulnerability in Microsoft SharePoint Server. A remote unauthenticated attacker can access a critical server-side function that lacks authentication enforcement, enabling privilege escalation without credentials or user interaction.
- CVSS: 9.8 Critical (NVD v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Microsoft rates 5.3 Moderate (I:L only) — MSRC Advisory
- CWE: CWE-306 (Missing Authentication for Critical Function)
- AFFECTED: SharePoint Server Subscription Edition (below 16.0.19725.20434), SharePoint Server 2019 (below 16.0.10417.20175), SharePoint Enterprise Server 2016 (below 16.0.5561.1001)
- FIXED: KB5002882 (Subscription Edition), KB5002883/KB5002885 (2019), KB5002891/KB5002892 (2016) — released July 14, 2026
- EXPLOITED: Active exploitation confirmed — CISA KEV listed July 14, 2026 · deadline July 17, 2026
- RELATED: CVE-2026-50522 (RCE, CVSS 9.8), CVE-2026-58644 (RCE, CVSS 9.8), CVE-2026-55040 (security feature bypass, CVSS 9.1) — same July 2026 patch batch
The 3-day CISA KEV deadline (July 17, 2026) signals high confidence in active exploitation. This is the third SharePoint Server vulnerability added to CISA KEV in recent months — CVE-2026-32201 and CVE-2026-45659 were also listed. Organizations that haven't patched those earlier vulnerabilities face compounding risk across multiple attack vectors.
The Scoring Disagreement
NVD independently scored this 9.8 Critical (all three CIA impacts High), while Microsoft rates it only 5.3 Moderate (integrity-Low, no confidentiality or availability impact). This gap is significant — automated scanners using Microsoft's CNA score may deprioritize a vulnerability that is actively exploited as a zero-day with an aggressive CISA deadline. When scores diverge this dramatically, prioritize the CISA KEV status and confirmed exploitation over any single CVSS score.
SharePoint 2016 and 2019 End-of-Life
July 14, 2026 marks the end of extended support for SharePoint Server 2016 and 2019. This is the final security update these versions will receive — no paid extended security updates are available (unlike Windows Server or SQL Server). Organizations still running SharePoint 2016 or 2019 need to plan migration to Subscription Edition or SharePoint Online, as future vulnerabilities will go unpatched.
Only On-Premises Deployments Affected
SharePoint Online (part of Microsoft 365) is not affected. Only on-premises SharePoint Server deployments are vulnerable. However, hybrid deployments that maintain on-prem servers alongside SharePoint Online still need to patch the on-premises component.
Investigation Workflow
The vulnerability requires no authentication and is exploitable over the network, making any reachable SharePoint Server instance a potential target. Here's how to locate and assess every SharePoint Server instance on your network.
1. Port Scan: Find SharePoint Instances
SharePoint Server runs on IIS and exposes web services on standard HTTP/HTTPS ports. Scan your network for:
- • 443 — HTTPS (primary web application port — where the vulnerability is exploitable)
- • 80 — HTTP (some deployments, often redirects to 443)
- • 2013 — SharePoint Central Administration (alternate port in some deployments)
- • 32843/32844 — SharePoint service applications (default ports for service app endpoints)
2. TLS Inspect: Identify SharePoint Certificates
Pull the TLS certificate on port 443. SharePoint Server instances typically present certificates with identifying characteristics:
- • Subject CN or SAN containing sharepoint, sp, or the organization's intranet domain
- • Issuer from an internal Active Directory Certificate Services CA
- • Wildcard certificates covering *.corp.example.com or similar internal domains
3. HTTP Headers: Fingerprint SharePoint and Determine Patch Level
SharePoint Server has highly distinctive HTTP response headers. Probe port 443 and look for:
- • MicrosoftSharePointTeamServices header — contains the exact SharePoint build number (e.g., 16.0.19725.20434). This header alone confirms SharePoint and reveals the installed version
- • X-SharePointHealthScore header — a numeric value (0–10) unique to SharePoint Server
- • SPRequestGuid header — a GUID present in SharePoint responses
- • Server: Microsoft-IIS/10.0 combined with the headers above confirms a SharePoint deployment
- • Response body containing SharePoint, _layouts/15/, or _api/web
The MicrosoftSharePointTeamServices header is the most valuable signal — compare the build number against the patched versions to determine vulnerability status: 16.0.19725.20434 (Subscription Edition), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016). Builds below these numbers are vulnerable.
4. DNS: Discover SharePoint Infrastructure
Query internal DNS for common SharePoint naming patterns: sharepoint.*, sp.*, intranet.*, portal.*, teams.*, collab.*. SharePoint farms often have multiple web applications — check for separate DNS entries for My Sites (mysites.*), search (search.*), and individual site collections hosted on different IIS websites or servers.
5. CVE Lookup: Confirm the Advisory
Pull the full NVD entry for CVE-2026-56164 to track scoring updates — particularly as the NVD/Microsoft scoring disagreement may evolve. The same July 2026 patch batch addresses additional critical SharePoint vulnerabilities including CVE-2026-50522 (RCE, CVSS 9.8), CVE-2026-58644 (RCE, CVSS 9.8), and CVE-2026-55040 (security feature bypass, CVSS 9.1). All are fixed by the same July 14 KBs.
Cross-Reference with External Data
- SHODAN: Search http.headers:"MicrosoftSharePointTeamServices" to find internet-exposed SharePoint instances
- CVE LOOKUP: Check CVE-2026-56164, CVE-2026-50522, CVE-2026-58644, CVE-2026-55040 in NVD for updated scoring
- CISA KEV: Listed July 14, 2026 — remediation deadline July 17, 2026. Being exploited alongside CVE-2026-32201 and CVE-2026-45659
- MSRC: Microsoft Security Update Guide
Remediation
- Patch immediately. Install the July 14 security updates: KB5002882 (Subscription Edition), KB5002883 + KB5002885 (SharePoint 2019), KB5002891 + KB5002892 (SharePoint 2016). These KBs also fix 16 additional SharePoint vulnerabilities including three CVSS 9.1–9.8 RCE flaws. The CISA KEV deadline is July 17.
- Harden SharePoint Server. If not already enabled, configure AMSI (Antimalware Scan Interface) integration on SharePoint and set the Request Body Scan mode to Full (Subscription Edition). These are general SharePoint hardening measures that reduce attack surface.
- Verify the installed build number. Check the MicrosoftSharePointTeamServices HTTP header or run (Get-SPFarm).BuildVersion in SharePoint Management Shell. Confirm the build meets or exceeds: 16.0.19725.20434 (SE), 16.0.10417.20175 (2019), 16.0.5561.1001 (2016).
- Investigate for compromise. Active exploitation is confirmed. Check IIS logs for anomalous unauthenticated requests to privileged endpoints. Review Windows Security event logs for unexpected process creation from w3wp.exe.
- Verify older SharePoint patches. CVE-2026-32201 and CVE-2026-45659 are also CISA KEV-listed SharePoint vulnerabilities. Verify those patches are installed — multiple unpatched vulnerabilities compound the risk to SharePoint farms.
- Plan migration for 2016/2019. July 14 is the final security update for SharePoint Server 2016 and 2019 — no extended security updates are available. Begin migration to Subscription Edition or SharePoint Online to maintain future security coverage.
Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.
Follow @hellorecon for new CVE investigations.
Sources
- → Microsoft Security Update Guide: CVE-2026-56164
- → NVD: CVE-2026-56164
- → CISA Known Exploited Vulnerabilities Catalog
- → KB5002882 — SharePoint Server Subscription Edition
- → KB5002883 — SharePoint Server 2019
- → KB5002891 — SharePoint Enterprise Server 2016
- → BleepingComputer: CISA warns admins to patch actively exploited SharePoint flaws
- → The Hacker News: Microsoft Patches Record 622 Flaws