The SharePoint saga keeps growing. CVE-2026-56164 — patched Tuesday and confirmed exploited as a zero-day — went straight onto CISA's Known Exploited Vulnerabilities catalog the same day, joining CVE-2026-45659 (added earlier this month) and CVE-2026-32201 from April. All three affect every supported on-prem build: Subscription Edition, 2019, and 2016. CISA's advisory spells out how the attacks play out. Threat actors gain remote code execution, then steal IIS machine keys and lean on deserialization tricks to hold persistence and drop malware — the kind of foothold that survives a reboot and a naive cleanup. The federal patch clock is running, but the operational advice applies to everyone: apply the July updates, rotate machine keys if you suspect exposure, and assume a patch alone doesn't evict an attacker who already has your keys. This is the third time in three months on-prem SharePoint has landed on the exploited list. If you still run it yourself, this is your morning's work.