Back to Feed
VulnerabilitiesJul 17, 2026

Fresh SharePoint Vulnerability Exploited Soon After Disclosure

Microsoft SharePoint critical RCE vulnerability CVE-2026-58644 actively exploited after disclosure.

Summary

A critical remote code execution vulnerability in Microsoft SharePoint (CVE-2026-58644, CVSS 9.8) is being actively exploited by threat actors shortly after disclosure in July 2026 Patch Tuesday updates. The deserialization flaw allows authenticated attackers with Site Owner privileges to execute arbitrary code on affected servers. CISA added the CVE to its Known Exploited Vulnerabilities catalog and mandated federal agencies patch within three days per BOD 26-04.

Full text

Threat actors have begun exploiting a fresh critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, the US cybersecurity agency CISA warns. Tracked as CVE-2026-58644 (CVSS score of 9.8) and fixed as part of Microsoft’s July 2026 Patch Tuesday updates, the flaw is described as a deserialization of untrusted data issue. “In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server,” Microsoft explains. Microsoft’s security updates resolved several other SharePoint defects, including CVE-2026-56164, which was flagged as exploited in the wild as a zero-day, and CVE-2026-55040, a critical security bypass weakness that could allow attackers to disclose files and modify data. Although CVE-2026-58644 was not initially marked as exploited, Microsoft has since updated its advisory to note that exploitation was detected and to update the vulnerability’s CVSS score. On Thursday, two days after warning of the risk posed by these SharePoint security defects, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, as mandated by BOD 26-04.Advertisement. Scroll to continue reading. The cybersecurity agency also added to the KEV list CVE-2026-25089 and CVE-2026-39808, two OS command injection flaws in Fortinet FortiSandbox that were patched in June and April. Both security defects allow attackers to execute arbitrary code or commands on vulnerable appliances. In mid-June, exploit intelligence company Defused flagged both as exploited in the wild. In line with BOD 26-04 recommendations, federal agencies are required to patch the three exploited bugs within three days. Related: Legacy Systems, Real-World Impacts: The Reality of OT Security Related: Splunk, Zoom Patch Critical Vulnerabilities Related: F5 Patches Multiple NGINX, BIG-IP Vulnerabilities Related: Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Old UEFI Shims Expose Systems to Secure Boot BypassNightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Unpatched Cursor Vulnerability Exposes Users to Code ExecutionCISA Urges Immediate Patching of Exploited SharePoint VulnerabilitiesVulnerabilities Patched by Fortinet, Ivanti, ServiceNowProgress Confirms Zero-Day Vulnerability Behind ShareFile DisruptionCritical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 UpdatesMicrosoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days Latest News Coca-Cola Suspends US Fairlife Production Due to Ransomware AttackLegacy Systems, Real-World Impacts: The Reality of OT SecurityTwo Scattered Spider Hackers Sentenced to Jail in UKAI Data Centers Are Being Built Faster Than They Can Be Secured‘ClickLock Stealer’ Bypasses macOS Security With Social Engineering, Process KillingOak Emerges From Stealth Mode With $60 Million in FundingSplunk, Zoom Patch Critical VulnerabilitiesF5 Patches Multiple NGINX, BIG-IP Vulnerabilities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveN-able has appointed Russell Rosa as Chief Revenue Officer.Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.F5 has appointed Cathy Peterman as Chief People Officer.More People On The MoveExpert Insights Legacy Systems, Real-World Impacts: The Reality of OT Security Legacy systems, safety concerns, and critical infrastructure risks make OT vulnerability disclosure one of cybersecurity's most challenging balancing acts. (Tod Beardsley) The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • cve — CVE-2026-58644
  • cve — CVE-2026-56164
  • cve — CVE-2026-55040
  • cve — CVE-2026-25089
  • cve — CVE-2026-39808

Entities

Microsoft SharePoint (product)Fortinet FortiSandbox (product)Microsoft (vendor)Fortinet (vendor)Remote Code Execution (RCE) (technology)