Microsoft SharePoint on-premises exploited in July 2026: what should a Hawaii business do this weekend?
If your Hawaii business runs Microsoft SharePoint on its own servers — not the Microsoft 365 SharePoint Online version — you should assume attackers are already trying to break in this weekend. Microsoft, CISA, and multiple incident responders confirmed active exploitation of on-premises SharePoint Server on July 14, 2026. A 40-endpoint Honolulu accounting or law firm running an internet-reachable SharePoint 2019 farm should have the July 14 security update installed, the Antimalware Scan Interface turned on with full request-body scanning, and a written decision about migrating off SharePoint 2016 and 2019 by end of month.
Who this actually affects on Oahu, Maui, Big Island, and Kauai
SharePoint Online — the version bundled with Microsoft 365 Business Standard, Business Premium, and the E3/E5 plans — is not part of this problem. Microsoft runs and patches those servers. If your Hawaii firm only sees SharePoint content inside the Microsoft 365 portal, skim to the migration section at the bottom and move on with the weekend.
The firms that need to move now are the ones running SharePoint on servers physically in the office or in a Hawaii data center — common in 25 to 100-endpoint law firms, accounting firms, medical practices, construction firms with document-controlled project sites, government contractors, and financial services firms that stood up on-prem SharePoint years ago and never migrated. Three versions are in scope: SharePoint Server 2016, 2019, and Subscription Edition. If you cannot confidently name which is running, that is the first weekend action — ask the internal IT lead or MSP for the version and the last patch date.
What actually happened on July 14, 2026, in plain English
Microsoft’s July 2026 Patch Tuesday shipped fixes for several SharePoint problems at once. Two matter most for Hawaii owners. CVE-2026-56164 is a missing-authentication flaw in on-prem SharePoint Server that lets an attacker on the internet raise access with no login. Microsoft confirmed active exploitation and CISA added it to the Known Exploited Vulnerabilities catalog the same day with a July 17 federal deadline — a three-day window that speaks to the severity. CVE-2026-58644 is a critical remote code execution flaw in the same on-prem versions, patched in the same update. CISA also issued a joint hardening advisory covering three earlier SharePoint problems (CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) that attackers are chaining to fully take over on-prem SharePoint farms.
The wrinkle that matters most for Hawaii firms: July 14, 2026 was the final security update for SharePoint Server 2016 and 2019. Extended support ended that day, and Microsoft is not offering paid extended security updates for these SharePoint versions the way it does for Windows Server or SQL Server. Any bug found after July 14 in 2016 or 2019 will not be patched. That is the migration deadline every Hawaii business on those versions has been quietly ignoring — and it just arrived.
The framework: how a Hawaii firm handles on-prem SharePoint this weekend in 6 steps
Six-step weekend playbook for a 25 to 100-endpoint Hawaii firm with on-prem SharePoint. Written so the office manager, controller, or managing partner can hand it to the internal IT lead or MSP and expect action, not a meeting.
1) Confirm whether SharePoint is on-prem, on Microsoft 365, or both
One question: does the firm run SharePoint Server anywhere other than Microsoft 365 — on its own hardware, a Hawaii data-center virtual machine, or a mainland hosting provider? If the answer is no, this advisory does not require weekend action. If yes or "not sure," proceed to step 2. Hybrid counts as yes for the on-prem side.
2) Install the July 14 security update on every SharePoint server in the farm
Fixed builds: 16.0.19725.20434 for Subscription Edition (KB5002882), 16.0.10417.20175 for SharePoint 2019 (KB5002883/KB5002885), and 16.0.5561.1001 for SharePoint 2016 (KB5002891/KB5002892). A SharePoint farm often has several servers — web, application, search, database — and each needs the update. Windows Update alone is not enough. After the binary install, the SharePoint Products Configuration Wizard has to complete on every server for the update to actually take effect.
3) Turn on AMSI and set request-body scanning to Full
Microsoft’s Antimalware Scan Interface integration lets Windows Defender inspect the body of incoming SharePoint web requests, not just headers — that is what catches the CVE-2026-56164 payload in real time. Set Request Body Scan mode to Full on every SharePoint web application. Temporary control if patching is not yet complete; permanent hardening either way.
4) Take internet-facing SharePoint off the open internet
For most 10 to 100-endpoint Hawaii firms there is no reason for SharePoint Central Administration to be reachable from the internet, and content sites should be reachable only through the firm’s VPN, a Cloudflare Access-style reverse proxy, or a Microsoft Entra Application Proxy. If your on-prem SharePoint is currently on the open internet, put an authenticated layer in front of it this weekend. That single change closes the front door on this class of attack.
5) Hunt for signs the attackers were already inside
Exploitation was confirmed before the patch shipped, so patching alone is not proof the firm is safe. Have the internal IT lead or MSP review IIS logs on each SharePoint server for unauthenticated requests to admin URLs, unexpected web shells under _layouts, new local administrator accounts, and any process spawned by w3wp.exe that does not belong. After the hunt is complete, rotate the IIS machine keys — Microsoft and CISA both warn attackers steal those keys during a SharePoint breach and use them to walk back in after the patch.
6) Write down the migration decision for SharePoint 2016 and 2019
If the firm is on SharePoint Server 2016 or 2019, this weekend’s patch is the last one. Three real options: migrate content to SharePoint Online in Microsoft 365, upgrade the on-prem farm to Subscription Edition, or retire the workload and move to OneDrive plus Microsoft Teams file libraries. Pick one, put a date on it, and put the decision in writing. Hawaii cyber insurance carriers writing renewals in Q3 and Q4 2026 will ask about end-of-support software — a written migration plan is what keeps the renewal on track.
What this looked like for a 40-endpoint Honolulu accounting firm on Friday
A 40-endpoint downtown Honolulu accounting firm — three partners, thirty staff, an on-prem SharePoint 2019 farm since 2018 — ran the weekend playbook after the July 14 CISA alert. Their SharePoint was reachable from the internet through a public DNS name so partners could pull files from client offices without a VPN. Common Hawaii setup, and exactly the exposure this advisory is about.
Baseline Friday morning: SharePoint Server 2019 at build 16.0.10417.20161, no AMSI integration, Central Administration on the open internet, no recent IIS log review, no written migration plan.
Actions between Friday 4:00 PM and Saturday 11:00 AM HST:
- Applied KB5002883 and ran the SharePoint Products Configuration Wizard on all three farm servers; verified build 16.0.10417.20175 on each.
- Enabled AMSI integration with Request Body Scan mode set to Full for every SharePoint web application.
- Removed Central Administration from public DNS and put the primary content site behind Microsoft Entra Application Proxy with MFA-required conditional access.
- Reviewed 21 days of IIS logs across the farm — no anomalous admin-URL requests, no unfamiliar
_layoutsfiles, no unexpected local accounts. Rotated IIS machine keys as a precaution. - Documented a migration plan: content moves to SharePoint Online under the firm’s existing Microsoft 365 Business Premium tenant by October 15, 2026, ahead of the January 2027 cyber insurance renewal.
Outcome by Saturday afternoon: Central Administration internet exposure from 24/7 to zero, patch level current, active mitigation in place, hunt complete with no indicators, insurance-defensible migration plan in the compliance file. All-in cost: about $4,800 in outside labor plus six hours of internal partner time. Cost of ignoring through Monday if the farm had been compromised: at minimum a $250,000 to $1.2 million incident on the ranges in our Hawaii ransomware cost analysis.
Why this framework, and who runs it
HI Tech Hui has run managed IT and cybersecurity engagements for Hawaii businesses since 2014, headquartered in Honolulu at 401 Kamakee Street, with a 24-hour Security Operations Center under the Cyberuptive brand. Microsoft 365 and on-prem Microsoft workloads — SharePoint, Exchange, Active Directory, Windows Server — are inside day-to-day scope, not a specialty carve-out.
The six-step playbook above is a compressed version of the runbook the SOC uses when CISA lists a KEV-grade vulnerability on a Microsoft workload our Hawaii clients rely on. It maps to the twelve-control framework in our Hawaii cyber insurance renewal checklist and the response-time expectations in our CISA KEV patching SLA for Hawaii SMBs — both of which we use to defend patching speed at renewal. Our team knows the Hawaii carriers, Chapter 487N breach-notification thresholds, and the realities of a Friday-afternoon change window on Oahu.
If you take one thing from this post
If your Hawaii business still runs SharePoint on its own servers — especially SharePoint 2016 or 2019 — treat this weekend as the last routine chance to patch and the start of a real migration decision, because the July 14, 2026 update is the final security fix Microsoft will ever ship for those two versions.
Frequently asked questions about the July 2026 SharePoint exploitation for Hawaii businesses
Does this affect SharePoint in Microsoft 365?
No. The exploitation described in Microsoft’s July 14, 2026 advisory and the CISA alert applies only to on-premises SharePoint Server 2016, 2019, and Subscription Edition. SharePoint Online, which is the version included with Microsoft 365 Business Standard, Business Premium, and the enterprise plans, is run and patched by Microsoft and is not part of this advisory. Hybrid deployments that keep an on-prem SharePoint farm alongside SharePoint Online still need to patch the on-prem side this weekend.
How do we know if we have on-prem SharePoint?
Ask the internal IT lead or managed IT provider. On-prem SharePoint typically runs on Windows Server in the office or a Hawaii data center, uses a SQL Server database, and is reached at a URL like sharepoint.yourfirm.com — not the office.com portal. If SharePoint is only accessed from the Microsoft 365 app launcher, it is SharePoint Online and this advisory does not apply.
What is the CISA deadline for Hawaii businesses?
CISA set July 17, 2026 for federal civilian agencies. That deadline is not legally binding on a Hawaii private-sector firm, but it is a reasonable outer bound given confirmed active exploitation. Patching within seven days of a KEV listing is the working standard cyber insurance carriers now expect — a weekend patch cycle satisfies it.
Can we just take SharePoint offline while we plan?
Yes. If the July 14 update and Configuration Wizard cannot complete within 24 to 48 hours, disconnecting the SharePoint farm from the internet — while leaving internal LAN or VPN access working — is a reasonable temporary control. It does not remove the vulnerability, but it removes the class of attacker exploiting it right now. Patch on Monday if the weekend window is not available.
How much does this weekend response cost for a Hawaii SMB?
For a 25 to 60-endpoint Hawaii firm with a single-farm on-prem SharePoint deployment, an outside emergency engagement to patch, harden, hunt, and document typically lands in the $3,500 to $8,500 range depending on how many servers are in the farm. A small fraction of a real ransomware incident cost, and it produces a defensible paper trail for the next cyber insurance renewal.
What about SharePoint 2016 and 2019 after this weekend?
Both versions reached end of extended support on July 14, 2026, with no paid extended security updates available — unlike Windows Server or SQL Server. Any SharePoint bug found after July 14 in the 2016 or 2019 code base will not be patched. The three real options are migrate to SharePoint Online in Microsoft 365, upgrade the on-prem farm to Subscription Edition, or retire SharePoint entirely. Pick one and put a target date on it before Q3 closes.
What is AMSI, and do we really need to turn it on?
The Antimalware Scan Interface lets Windows Defender inspect the body of every incoming HTTP request to a SharePoint web application before code runs. Turning it on with Request Body Scan mode set to Full is one of the specific mitigations Microsoft and CISA both recommend for CVE-2026-56164, and it works even while patching is in progress. Low-risk, high-value hardening every on-prem SharePoint farm should carry regardless.
Where does this sit against the SonicWall SMA1000 advisory from earlier this week?
Both are CISA-listed, both are being actively exploited, and both hit the perimeter of a Hawaii business network — but they are separate incidents. See our SonicWall SMA1000 write-up for the VPN appliance side. If your firm runs both an on-prem SharePoint farm and a SonicWall SMA1000 for remote access, both are on the same weekend priority list and both need documented completion this week.