US Cybersecurity and Infrastructure Security Agency (CISA) has added the actively exploited Microsoft SharePoint Server vulnerability tracked as CVE 2026 58644 to its Known Exploited Vulnerabilities (KEV) catalog after Microsoft confirmed that the flaw had been exploited as a zero day before security updates became available. The vulnerability, which carries a CVSS severity score of 9.8, affects supported on premises versions of Microsoft SharePoint Server and allows remote code execution through a deserialization of untrusted data weakness. CISA has directed Federal Civilian Executive Branch agencies to apply Microsoft’s security updates by July 19, 2026, following the inclusion of the vulnerability in the KEV catalog. Microsoft released patches for the issue as part of its July 14, 2026 Patch Tuesday updates and later revised its advisory to confirm active exploitation in real world attacks before the fixes were made publicly available.
According to Microsoft, CVE 2026 58644 can be exploited by an attacker who has at least Site Owner level authentication on a SharePoint Server. Once authenticated, the attacker can inject and execute arbitrary code remotely on the vulnerable server. Microsoft also warned that the vulnerability is remotely exploitable over the internet and described the attack complexity as low because attackers do not require significant prior knowledge of the targeted environment and can reliably reproduce successful exploitation attempts. The affected products include Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. The company urged organizations running these versions to install the latest security updates immediately to reduce the risk of compromise. Microsoft’s updated advisory confirmed that threat actors had already weaponized the vulnerability before patches became available, increasing the urgency for organizations to deploy the released fixes without delay.
CISA also warned that CVE 2026 58644 is one of several SharePoint Server vulnerabilities currently being exploited in active attacks. The agency identified CVE 2026 32201, CVE 2026 45659, CVE 2026 56164, and CVE 2026 58644 as vulnerabilities that could allow attackers to gain unauthorized access to on premises SharePoint deployments. According to the agency, attackers are using these flaws not only to achieve remote code execution but also to conduct post exploitation activities, including stealing Internet Information Services machine keys, abusing deserialization techniques to establish persistence, and deploying malware within compromised environments. To reduce exposure, CISA advised organizations to install all available Microsoft security updates, verify successful deployment of patches, and shorten patch management cycles where possible. The agency also recommended enabling Antimalware Scan Interface integration for every SharePoint web application, scanning systems for evidence of compromise before rotating Internet Information Services machine keys, implementing enhanced logging to detect suspicious activity, avoiding direct internet exposure of SharePoint servers whenever possible, restricting access to SharePoint Central Administration, limiting farm and database communications to required systems, and reviewing Microsoft’s SharePoint Server security hardening guidance for ports, services, and configuration settings.
In addition to the SharePoint vulnerability, CISA expanded its Known Exploited Vulnerabilities catalog by adding two critical security flaws affecting Fortinet FortiSandbox. The vulnerabilities, tracked as CVE 2026 25089 and CVE 2026 39808, were included following reports of active exploitation. Federal agencies have also been instructed to update affected FortiSandbox deployments to supported versions by July 19, 2026. The latest additions to the KEV catalog reflect ongoing efforts by CISA to alert organizations about vulnerabilities that are actively being targeted by threat actors and to encourage timely remediation of high risk security flaws. With multiple enterprise technologies currently facing active exploitation, organizations are being urged to prioritize patch deployment, strengthen security monitoring, and implement recommended hardening measures to reduce the likelihood of successful attacks against critical business infrastructure.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.