CISA has added CVE-2026-58644, a critical Microsoft SharePoint Server remote code execution vulnerability, to its Known Exploited Vulnerabilities catalog after Microsoft confirmed exploitation in the wild. For organizations still running on-premises SharePoint, the practical takeaway is simple: Treat this as an incident-response priority, not a routine maintenance ticket.

The vulnerability carries a CVSS score of 9.8 and affects supported on-premises SharePoint Server versions, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft released fixes in its July 14, 2026 Patch Tuesday updates, and CISA is requiring U.S. Federal Civilian Executive Branch agencies to remediate by July 19, 2026. That short window is a strong signal for private-sector defenders as well: exposed or business-critical SharePoint deployments should move to emergency patching and validation.

What CVE-2026-58644 enables

CVE-2026-58644 is described as a deserialization of untrusted data flaw. In practical terms, vulnerable SharePoint servers may process attacker-controlled data in a way that allows code execution on the server. Microsoft has stated that exploitation requires the attacker to be authenticated at least as a Site Owner, but the bug is remotely exploitable over the network and has low attack complexity.

That combination matters. SharePoint environments often have many delegated site owners, legacy permission models, partner accounts, and integrations. If any privileged site account is compromised through phishing, password reuse, token theft, or a third-party identity issue, a remote code execution flaw can turn an application-level compromise into server-level control.

Why the KEV listing raises urgency

CISA's KEV catalog is not a theoretical watchlist. It is reserved for vulnerabilities with evidence of active exploitation and a clear remediation action. When a vulnerability appears there, defenders should assume that exploit knowledge is circulating or operationalized by at least some threat actors.

The situation is especially sensitive because CISA has separately warned about active exploitation of multiple SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644. Reported post-exploitation behavior includes attempts to steal Internet Information Services machine keys, abuse deserialization techniques, gain persistence, and deploy malware. Machine key theft is particularly dangerous because it can allow attackers to forge trusted application data even after a simple patch, depending on the environment and what was taken.

Immediate action checklist

Security and infrastructure teams should prioritize the following steps:

  1. Identify every on-premises SharePoint server. Include disaster recovery systems, test farms, externally accessible portals, and servers managed by business units outside central IT.
  1. Apply Microsoft's July 2026 security updates. Patch SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 instances as applicable. Do not rely only on Windows Update reporting; verify SharePoint build levels and update completion.
  1. Confirm successful remediation. Review installation logs, run SharePoint configuration steps where required, and validate that farm services are healthy after patching. A failed or partially applied SharePoint update can leave systems unstable or still exposed.
  1. Hunt before rotating secrets. CISA recommends scanning for intrusion artifacts, including tools used for machine key harvesting, before rotating IIS machine keys. If an attacker still has access when keys are rotated, they may simply steal the new values.
  1. Enable and verify AMSI integration. Antimalware Scan Interface integration should be enabled for each SharePoint web application. This does not replace patching, but it can improve inspection of suspicious content and script activity.
  1. Reduce internet exposure. If SharePoint does not need to be directly reachable from the public internet, place it behind a VPN, zero-trust access broker, reverse proxy with strong controls, or another access gateway. At minimum, block external access to Central Administration.
  1. Tighten farm and database communications. Restrict SharePoint farm, SQL Server, and administrative traffic to required systems and ports. Review Microsoft hardening guidance for role-specific services, ports, and Web.config settings.
  1. Increase logging and detection. Centralize SharePoint, IIS, Windows event, identity provider, endpoint, and network telemetry. Look for unusual site-owner actions, unexpected file writes, suspicious child processes, web shell patterns, abnormal authentication, and requests to administrative endpoints.

What to investigate if you may already be exposed

Organizations with internet-facing SharePoint should assume that patching alone may not be enough. Start by reviewing the period before and immediately after July 14, 2026, when fixes became available. Focus on anomalous authenticated activity from Site Owner accounts, unexpected changes to SharePoint pages or web parts, suspicious uploads, unknown scheduled tasks, unusual PowerShell execution, IIS worker process child processes, and unexplained changes to machine keys or configuration files.

If there are signs of compromise, preserve logs and disk evidence before making destructive changes. Rotate credentials, service account secrets, certificates, and IIS machine keys only as part of a coordinated containment plan. Consider engaging incident response support if SharePoint is internet-facing, handles sensitive data, or is integrated with identity and document-management workflows.

Bottom line

CVE-2026-58644 is a critical SharePoint Server vulnerability with confirmed exploitation, a KEV deadline, and realistic paths from compromised site privileges to deeper server compromise. Treat on-premises SharePoint as a high-priority asset this week: patch, verify, hunt, harden, and reduce exposure.

Source: The Hacker News source