Back to Feed
Zero-dayJul 17, 2026

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

CISA adds exploited SharePoint RCE zero-day CVE-2026-58644 to KEV catalog with July 19 deadline.

Summary

CISA added CVE-2026-58644, a critical deserialization vulnerability in Microsoft SharePoint Server (CVSS 9.8), to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The flaw allows authenticated attackers with Site Owner privileges to execute arbitrary code remotely with low complexity. Federal agencies must patch by July 19, 2026, as CISA reports concurrent exploitation of multiple SharePoint vulnerabilities enabling RCE and post-exploitation activities including malware deployment.

Full text

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV Ravie LakshmananJul 17, 2026Vulnerability / Enterprise Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026. The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute arbitrary code. "In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server," Microsoft said in an advisory released earlier this week. Redmond noted that the vulnerability is remotely exploitable over the internet, warning that the attack complexity is low for two reasons - An attacker does not require significant prior knowledge of the system An attacker can achieve repeatable success with the payload against the vulnerable component The vulnerability impacts the following versions - Microsoft SharePoint Server Subscription Edition Microsoft SharePoint Server 2019 Microsoft SharePoint Enterprise Server 2016 Patches for the flaw have been released as part of the Patch Tuesday updates released on July 14, 2026. Microsoft has since revised its bulletin to clarify that CVE-2026-58644 has been exploited in the wild, meaning the shortcoming was weaponized as a zero-day prior to the fixes becoming available. The development comes as CISA warned of active exploitation of multiple SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, that could enable threat actors to gain unauthorized access to on-premises instances. "These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware," the federal cybersecurity watchdog noted. CISA has outlined the following hardening measures to contain the threat - Apply the latest patches and security updates from Microsoft, verify they have been installed successfully, and shorten patching cycles when possible. Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Scan for and remove intrusion artifacts, including machine key harvesting tools, before rotating IIS machine keys to avoid the theft of the keys. Establish tailored logging mechanisms to detect and monitor exploitation activities. Avoid exposing SharePoint Servers directly to the internet unless necessary. Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft's SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings. On Thursday, the agency also added two critical security flaws impacting Fortinet FortiSandbox (CVE-2026-25089 and CVE-2026-39808) to the KEV catalog, following reports of active exploitation. Federal agencies have until July 19, 2026, to update their instances to the latest supported versions. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  enterprise security, Microsoft, network security, remote code execution, server security, SharePoint, Vulnerability, Zero-Day ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Indicators of Compromise

  • cve — CVE-2026-58644
  • cve — CVE-2026-32201
  • cve — CVE-2026-45659
  • cve — CVE-2026-56164
  • cve — CVE-2026-25089
  • cve — CVE-2026-39808

Entities

Microsoft (vendor)SharePoint Server (product)FortiSandbox (product)Fortinet (vendor)Remote Code Execution (RCE) (technology)