- CISA added a critical Microsoft SharePoint Server vulnerability, CVE-2026-58644, to its Known Exploited Vulnerabilities catalog.
- The flaw allows unauthenticated remote code execution and has been exploited in the wild as a zero-day.
- Federal agencies must apply patches by July 19, 2026, while CISA also warned of active exploitation of three other SharePoint Server vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply fixes by July 19, 2026. The vulnerability, tracked as CVE-2026-58644, carries a CVSS score of 9.8 and involves a critical deserialization of untrusted data issue that allows an unauthorized attacker to execute arbitrary code.
Microsoft noted that an attacker authenticated as at least a Site Owner could, “write arbitrary code to inject and execute code remotely on the SharePoint Server.” The tech giant further explained that the attack complexity is low because an attacker requires no significant prior knowledge of the system and can achieve repeatable success with a payload.
The vulnerability impacts Microsoft SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016. Patches for the flaw were released as part of the July 14, 2026 Patch Tuesday updates, and Microsoft has since revised its advisory to confirm exploitation in the wild. Consequently, CISA also warned of active exploitation across multiple SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, which threaten all supported on-premises versions.
The federal watchdog outlined that these vulnerabilities facilitate remote code execution and post-exploitation activities, such as stealing IIS machine keys to gain persistence and deploy malware. CISA has issued hardening measures including applying the latest patches, ensuring Antimalware Scan Interface integration is enabled, rotating IIS machine keys after scanning for intrusion artifacts, and avoiding direct internet exposure of SharePoint Servers. Meanwhile, the agency also added two critical flaws impacting Fortinet FortiSandbox to the KEV catalog following reports of active exploitation.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
