CISA Adds Actively Exploited SharePoint Zero-Day CVE-2026-58644 to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly patched critical Microsoft SharePoint Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming it was weaponized in the wild before a patch was available. Federal civilian agencies have been given until July 19, 2026 to apply the necessary fixes.
What the Vulnerability Does?
Tracked as CVE-2026-58644 with a near-maximum CVSS score of 9.8, the flaw is a deserialization of untrusted data vulnerability that enables remote code execution on affected SharePoint Server installations. An attacker who has been authenticated with at least Site Owner permissions can inject and execute arbitrary code directly on the server over a network connection.
Microsoft highlighted two factors that make this vulnerability particularly dangerous: attackers do not need deep prior knowledge of the targeted system, and the exploit can be reliably repeated against vulnerable instances. The vulnerability affects all currently supported on-premises versions of SharePoint, including SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
A patch was released as part of Microsoft's July 2026 Patch Tuesday update on July 14. Microsoft subsequently revised its advisory to confirm the vulnerability had already been exploited in the wild as a zero-day before the patch was made available.
Broader SharePoint Threat Landscape
The KEV addition comes alongside a broader CISA warning about a surge in active exploitation targeting on-premises SharePoint Server deployments. Beyond CVE-2026-58644, attackers have also been observed exploiting CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, a cluster of vulnerabilities that collectively enable remote code execution and a range of post-exploitation techniques.
CISA noted that threat actors are specifically abusing these flaws to steal Internet Information Services (IIS) machine keys and perform deserialization attacks, allowing them to gain persistence and deploy malware on compromised servers.
Hardening Recommendations
CISA outlined a series of concrete steps organizations should take to reduce their exposure. These include applying the latest Microsoft patches and verifying their successful installation, enabling Antimalware Scan Interface (AMSI) integration for each SharePoint web application, scanning for and removing any intrusion artifacts before rotating IIS machine keys to prevent credential theft, and establishing tailored logging to detect exploitation activity.
On the network side, CISA strongly advises against exposing SharePoint Servers directly to the internet unless absolutely necessary, blocking external access to SharePoint Central Administration, and restricting farm and database communications to only the systems that require them.
Also: Two Fortinet FortiSandbox Flaws Added to KEV
In the same advisory update, CISA also added two critical vulnerabilities in Fortinet FortiSandbox CVE-2026-25089 and CVE-2026-39808 to the KEV catalog following reports of active exploitation. Federal agencies face the same July 19, 2026 deadline to update their FortiSandbox installations to the latest supported versions.
Comments
Post a Comment