CISA Warns Attackers Are Exploiting Critical SharePoint RCE Vulnerability CVE-2026-58644


The U.S. Cybersecurity and Infrastructure Security Agency has warned that attackers are exploiting a critical Microsoft SharePoint Server vulnerability tracked as CVE-2026-58644.

The flaw allows an unauthenticated attacker to execute code remotely over a network. Microsoft assigned it a CVSS score of 9.8 out of 10 and released security updates on July 14, 2026.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 16. Federal civilian agencies must complete the required remediation by July 19, 2026.

What Is CVE-2026-58644?

CVE-2026-58644 is a deserialization vulnerability affecting supported on-premises editions of Microsoft SharePoint Server. The weakness falls under CWE-502, Deserialization of Untrusted Data.

According to the Microsoft security advisory, the vulnerability can allow an unauthorized attacker to execute code over a network. The attack does not require user interaction.

The published CVSS vector also describes an attack with network access, low complexity, no required privileges, and no user interaction. A successful exploit could affect the confidentiality, integrity, and availability of the server.

Vulnerability detailValue
CVE identifierCVE-2026-58644
SeverityCritical
CVSS score9.8
WeaknessCWE-502, Deserialization of Untrusted Data
Attack vectorNetwork
Privileges requiredNone
User interactionNone
Potential impactRemote code execution
Exploitation statusActively exploited

Which SharePoint Versions Are Affected?

The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. These are locally managed SharePoint products commonly deployed in enterprise and government data centers.

The National Vulnerability Database entry lists the vulnerable product versions and the fixed build thresholds supplied by Microsoft.

Microsoft 365 SharePoint Online is not among the affected products listed for CVE-2026-58644. Administrators should still confirm whether their organization operates hybrid environments or separate on-premises SharePoint farms.

SharePoint productVulnerable versionsMinimum fixed build listed by Microsoft
SharePoint Enterprise Server 2016Builds earlier than 16.0.5556.100516.0.5556.1005
SharePoint Server 2019Builds earlier than 16.0.10417.2015316.0.10417.20153
SharePoint Server Subscription EditionBuilds earlier than 16.0.19725.2038416.0.19725.20384

Administrators should verify installed update levels instead of assuming that automatic Windows updates have secured SharePoint. SharePoint security updates may require separate deployment and post-installation actions across every server in a farm.

How Unsafe Deserialization Leads to Code Execution

Serialization converts application objects into data that can be stored or transmitted. Deserialization reconstructs those objects when the application receives the data.

A vulnerable application may process a specially crafted serialized object without safely validating its content. An attacker can abuse this behavior to trigger unintended operations, including the execution of malicious code.

The official CVE-2026-58644 record states that deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. Microsoft’s CVSS assessment indicates that exploitation can produce high-impact consequences across all three core security categories.

  • Execute commands in the SharePoint server environment
  • Write or modify files
  • Deploy web shells or other malware
  • Access SharePoint content and configuration data
  • Steal credentials or cryptographic material
  • Use the compromised server to reach other network systems

CISA confirmed active exploitation when it placed CVE-2026-58644 in the KEV catalog. Inclusion in that catalog means the agency has sufficient evidence that attackers have used the vulnerability in real-world operations.

The vulnerability forms part of a wider series of attacks against supported on-premises SharePoint Server editions. In its updated SharePoint security alert, CISA identified four vulnerabilities associated with remote code execution and post-exploitation activity.

CVERole in CISA’s SharePoint warning
CVE-2026-32201Part of the active SharePoint exploitation warning
CVE-2026-45659Part of the active SharePoint exploitation warning
CVE-2026-56164Part of the active SharePoint exploitation warning
CVE-2026-58644Critical remote code execution flaw added to KEV

CISA says observed post-exploitation activity has included stealing Internet Information Services machine keys, using deserialization techniques to maintain access, and deploying malware. The agency has not publicly attributed CVE-2026-58644 exploitation to a named threat group or specific ransomware operation.

Why Stolen SharePoint Machine Keys Matter

SharePoint relies on cryptographic machine keys to protect and validate application data. Attackers who obtain these keys may be able to create content that the server treats as trusted.

This can give an intruder a path back into the environment even after administrators install security updates. Patching closes the original vulnerability, but it does not automatically remove malware, stolen credentials, web shells, or persistence created before remediation.

Administrators should search for intrusion artifacts before rotating machine keys. Otherwise, malware left on the server could capture the replacement keys and preserve the attacker’s access.

CISA Sets a July 19 Federal Remediation Deadline

The CISA KEV entry for CVE-2026-58644 gives Federal Civilian Executive Branch agencies until July 19, 2026, to apply the required remediation.

CISA directs agencies to follow Microsoft’s instructions, its BOD 26-04 risk-based patching guidance, and its Forensics Triage Requirements. Agencies must also evaluate whether each vulnerable asset is exposed to the internet.

Private companies, state agencies, and other organizations are not directly bound by the federal deadline. However, CISA encourages all administrators to treat KEV vulnerabilities as urgent because attackers are already using them.

  1. Identify every SharePoint Server instance and record its installed build.
  2. Determine which servers are accessible from the public internet.
  3. Apply Microsoft’s latest SharePoint security updates.
  4. Confirm that the updates installed successfully on every farm server.
  5. Search for evidence of compromise before returning systems to normal operation.
  6. Remove malicious files, web shells, and machine-key harvesting tools.
  7. Rotate affected cryptographic keys after completing the initial investigation.
  8. Disconnect vulnerable servers if patches or mitigations cannot be applied.

Microsoft Patches Are Available

Microsoft released fixes for the three supported SharePoint Server product lines as part of its July 2026 security updates. Administrators should use the applicable update package for their installed SharePoint edition.

The CVE-2026-58644 update guide provides the vendor’s current remediation information. SharePoint farm administrators should review Microsoft’s installation requirements and complete any required configuration steps after applying the binaries.

If an organization cannot immediately install the updates, it should restrict external access and isolate the affected servers. CISA advises discontinuing use when recommended mitigations are unavailable.

Security Teams Should Hunt for Previous Exploitation

Installing the update should form one part of the response. Because attackers exploited the flaw before many organizations patched it, defenders should assume that an internet-facing vulnerable server may have received malicious requests.

Security teams should review SharePoint, IIS, endpoint, identity, firewall, and proxy logs. They should also inspect servers for unexpected files, unfamiliar processes, suspicious child processes, configuration changes, and unauthorized account activity.

CISA’s SharePoint hardening guidance recommends enabling Antimalware Scan Interface integration for every SharePoint web application. It also calls for scanning and removing intrusion artifacts before rotating IIS machine keys.

  • Confirm that AMSI integration is enabled for each SharePoint web application.
  • Inspect IIS and SharePoint logs for unusual requests and errors.
  • Investigate unexpected processes launched by SharePoint or IIS workers.
  • Search web directories for newly created or modified executable files.
  • Review privileged accounts and recent authentication activity.
  • Look for evidence of machine-key collection or credential theft.
  • Rotate machine keys only after removing malicious tooling.
  • Monitor the environment for renewed access after remediation.

Organizations that find evidence of exploitation should activate their incident-response procedures. They may need to isolate the SharePoint farm, preserve forensic evidence, reset credentials, rotate secrets, and examine connected systems for lateral movement.

FAQ

What is CVE-2026-58644?

CVE-2026-58644 is a critical deserialization vulnerability in Microsoft SharePoint Server that can allow an unauthenticated attacker to execute code remotely over a network.

Is CVE-2026-58644 being actively exploited?

Yes. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog after confirming exploitation in real-world attacks.

Which SharePoint versions are affected by CVE-2026-58644?

The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition builds older than Microsoft’s fixed versions.

Does CVE-2026-58644 affect SharePoint Online?

Microsoft’s affected-product list identifies supported on-premises SharePoint Server editions. SharePoint Online is not listed as an affected product for this CVE.

When is the CISA remediation deadline?

Federal Civilian Executive Branch agencies must complete the required remediation by July 19, 2026. Other organizations should also patch immediately because exploitation is active.

Is installing the SharePoint patch enough after suspected exploitation?

No. Administrators should also search for web shells, malware, stolen credentials, and machine-key theft. Cryptographic keys should be rotated after malicious artifacts have been removed.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages