SharePoint is often treated as an internal productivity platform, but many businesses have older collaboration portals, partner sites or document workflows that still touch the internet. CISA’s 14 July alert is a reminder that those systems need the same operational discipline as firewalls, VPNs and backup platforms.

What CISA warned about

CISA said it is aware of active exploitation of CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164, a set of vulnerabilities that can enable unauthorised access to on-premises SharePoint Server instances. The agency says the issue affects supported versions and directs administrators to apply Microsoft updates and hardening guidance.

On the same day, CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-56164 in Microsoft SharePoint Server and CVE-2026-56155 in Microsoft Active Directory Federation Services. It also listed two SonicWall SMA1000 appliance vulnerabilities. The common message is risk-based remediation: internet-facing identity, access and collaboration services should move first in the patch queue.

Cisco Talos’ July Patch Tuesday analysis provides useful context for prioritisation. Talos reported that Microsoft’s July 2026 security update covered 622 vulnerabilities, 57 marked critical, and that two vulnerabilities disclosed that month had been exploited in the wild. Those numbers do not mean every SMB should stop all work, but they do mean patching needs ownership and a tested process.

Why this matters to smaller businesses

A small company may not think of SharePoint as critical infrastructure. In practice it can hold contracts, HR files, project records, quotes, supplier documents and client data. If an exposed collaboration server is compromised, the incident quickly becomes a business-continuity problem as well as a security problem.

The most damaging failures are often operational rather than technical. A server is left directly reachable because it once solved a remote-work problem. Patches wait for a maintenance window that no one owns. Logs exist, but no one knows which events indicate exploitation. Backups are present, but restoration has not been tested since the last platform change.

That is why CISA’s recommendations go beyond simply installing patches. They include enabling and verifying Antimalware Scan Interface integration in full mode, reviewing telemetry for anomalous requests and webshells, rotating IIS machine keys only after hunting for intrusion artefacts, and avoiding direct internet exposure unless there is a strong reason.

A practical response plan

Start by identifying whether the organisation runs SharePoint Server, AD FS, SonicWall SMA1000 appliances or related externally reachable services. Include old portals, partner access, test systems and vendor-managed servers. If a service is exposed to the internet, record who owns it, what data it reaches, when it was last patched and what logs are retained.

Next, reduce exposure while remediation is underway. Where SharePoint must remain reachable, CISA recommends placing it behind a Layer 7 reverse proxy or equivalent application-layer control that requires authentication and can inspect traffic. Central Administration should not be externally accessible, and farm or database communications should be limited to required systems.

Then validate recovery. Confirm backups include the content databases, configuration and supporting services needed to rebuild. Test a restore path, document who can revoke sessions or rotate keys, and decide what evidence should be preserved before cleanup if compromise is suspected.

Where brianda.cloud fits

brianda.cloud can help SMBs turn this advisory into a controlled work plan: exposure review, firewall and reverse-proxy rules, patch coordination, identity checks, log monitoring and backup validation. The aim is not to overcomplicate a small environment, but to make the critical paths visible and owned.

For businesses in Portugal and the Azores, that can be especially useful where IT responsibility is shared between an internal generalist, a software supplier and a hosting or connectivity provider. A short, structured review can show which systems need urgent hardening and which can be scheduled without disrupting daily operations.

Sources

This brianda.cloud analysis is based on the public sources listed below. It is general operational guidance, not incident-specific forensic or legal advice.

Sources consulted for this analysis:

  1. CISA Urges SharePoint Hardening After New ExploitationsCybersecurity and Infrastructure Security Agency · 2026-07-14
  2. CISA Adds Four Known Exploited Vulnerabilities to CatalogCybersecurity and Infrastructure Security Agency · 2026-07-14
  3. Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesCisco Talos · 2026-07-14