CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

cisa-adds-exploited-sharepoint-rce-zero-day-cve-2026-58644-to-kev
CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

Ravie LakshmananJul 17, 2026Vulnerability / Enterprise Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026.

The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute arbitrary code.

“In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft said in an advisory released earlier this week.

Redmond noted that the vulnerability is remotely exploitable over the internet, warning that the attack complexity is low for two reasons –

  • An attacker does not require significant prior knowledge of the system
  • An attacker can achieve repeatable success with the payload against the vulnerable component

The vulnerability impacts the following versions –

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

Patches for the flaw have been released as part of the Patch Tuesday updates released on July 14, 2026. Microsoft has since revised its bulletin to clarify that CVE-2026-58644 has been exploited in the wild, meaning the shortcoming was weaponized as a zero-day prior to the fixes becoming available.

The development comes as CISA warned of active exploitation of multiple SharePoint Server vulnerabilities, including  CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, that could enable threat actors to gain unauthorized access to on-premises instances.

“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” the federal cybersecurity watchdog noted.

CISA has outlined the following hardening measures to contain the threat –

  • Apply the latest patches and security updates from Microsoft, verify they have been installed successfully, and shorten patching cycles when possible.
  • Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application.
  • Scan for and remove intrusion artifacts, including machine key harvesting tools, before rotating IIS machine keys to avoid the theft of the keys.
  • Establish tailored logging mechanisms to detect and monitor exploitation activities.
  • Avoid exposing SharePoint Servers directly to the internet unless necessary.
  • Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings.

On Thursday, the agency also added two critical security flaws impacting Fortinet FortiSandbox (CVE-2026-25089 and CVE-2026-39808) to the KEV catalog, following reports of active exploitation. Federal agencies have until July 19, 2026, to update their instances to the latest supported versions.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Leave a Reply

Your email address will not be published. Required fields are marked *