CVE-2026-56164 is a moderate-severity elevation of privilege vulnerability in Microsoft SharePoint Server caused by missing authentication for a critical function. The flaw allows an unauthorized attacker to reach a privileged SharePoint function over the network without prior authentication and obtain elevated privileges within the affected SharePoint environment. Microsoft characterizes the issue as remotely exploitable with low attack complexity, no required privileges, and no user interaction. The vulnerability has been reported as exploited in the wild and affects on-premises SharePoint Server deployments, including SharePoint Server 2016, SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft SharePoint Server vulnerability affecting supported on-premises versions that is being actively exploited to gain unauthorized access; the activity involves remote code execution and post-exploitation persistence techniques.
A remotely exploitable elevation of privilege vulnerability in Microsoft SharePoint Server that is under active exploitation.
An elevation-of-privilege vulnerability in on-premises Microsoft SharePoint Server that allows unauthenticated remote privilege escalation over the network and is reported as exploited in attacks.
An actively exploited zero-day privilege escalation vulnerability in Microsoft SharePoint Server.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.