
Microsoft SharePoint Server administrators have another urgent on-premises exposure to handle. CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities catalog on July 16, 2026, after evidence that attackers were exploiting the flaw in the wild. Federal civilian agencies were given until July 19, 2026 to apply fixes or mitigations.
The vulnerability is a critical deserialization issue in Microsoft Office SharePoint. NVD records it as CWE-502, assigns a CVSS 3.1 score of 9.8, and describes the impact plainly: an unauthorized attacker can execute code over a network. Microsoft released patches in the July 14, 2026 Patch Tuesday update, then the exploitation signal arrived quickly enough that this should not be treated as routine maintenance.
For defenders, the important point is not only that SharePoint needs patching. It is that an exploited remote code execution flaw on an on-premises collaboration server can become a persistence, credential, and data-access problem even after the initial bug is fixed.
CVE-2026-58644 affects supported on-premises Microsoft SharePoint Server editions, including:
NVD lists the vulnerability as deserialization of untrusted data in Microsoft Office SharePoint. The CVSS vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
That means network reachable, low attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact. In operational language, it is the shape of vulnerability that belongs at the front of a patch queue if the server is reachable from the internet or from a broad internal network.
The affected product category matters. SharePoint is not just a file portal. In many organizations it holds sensitive documents, internal workflows, forms, project sites, records, lists, and integration points into identity, email, Teams, Office automation, and line-of-business systems. Code execution on a SharePoint server can put a lot of trusted context within reach.
CISA KEV inclusion means defenders should assume exploitation is real, not speculative. CISA's July alert says multiple SharePoint Server vulnerabilities are under active exploitation and highlights post-exploitation activity such as IIS machine-key theft, deserialization techniques, persistence, and malware deployment.
That machine-key detail is the part that turns this from a patch task into an incident response task. ASP.NET machine keys can help attackers maintain access or forge trusted application state depending on how they are used and what was stolen. If an attacker harvested those keys before remediation, patching the vulnerable code may stop the entry point but not automatically remove the attacker's ability to reuse stolen material.
The right mental model is therefore:
Skipping the middle steps creates false confidence. A server can be patched and still carry compromise artifacts.
SharePoint Server has a recurring operational problem: it is business-critical, frequently customized, and often harder to patch cleanly than ordinary web software. Farms may depend on third-party components, custom web parts, legacy authentication, complex database topology, and maintenance windows negotiated with multiple business owners.
That makes emergency patching slower precisely where attackers expect delay. Internet-facing or partner-facing SharePoint systems are especially attractive because they sit between public access and internal content. Even when authentication is present, the system often carries trusted application identity, service accounts, document access, and high-value logs.
For security teams, the exposed-instance question is more important than the product name alone:
This is where exposure management should guide patch management. The highest priority systems are not necessarily the biggest farms. They are the reachable farms where code execution would give attackers the most useful authority.
Start with the farms that can be reached by untrusted users. Confirm the exact SharePoint edition, installed security update level, and whether the SharePoint Products Configuration Wizard or equivalent post-update configuration work has completed. SharePoint patching is not fully done just because a package installed successfully.
Then apply the immediate hardening steps CISA and Microsoft emphasize:
Where SharePoint must remain externally reachable, put it behind strong access controls, WAF/CDN rules, identity enforcement, and monitoring. Those controls do not replace patching, but they reduce the blast radius of the next exploit chain.
CISA's guidance to scan for and remove intrusion artifacts before rotating IIS machine keys is practical. If an attacker still has a webshell, scheduled task, modified web application file, or another foothold, key rotation becomes noisy housekeeping rather than recovery.
Teams should preserve and review:
Useful hunting questions include whether the server served suspicious requests around July 14 through July 19, whether any ASP.NET or SharePoint application files changed unexpectedly, whether machine-key access or export activity appears in telemetry, and whether the farm made outbound connections to unfamiliar infrastructure.
If suspicious activity appears, treat the SharePoint host as part of a broader investigation. Review connected SQL Server activity, service account usage, authentication logs, document access patterns, and any system that trusts the SharePoint farm.
The current issue is about on-premises SharePoint Server. SharePoint Online in Microsoft 365 follows a different service model and is not the same patching problem for customers. That distinction matters for communication: do not send a generic "SharePoint is vulnerable" alert to the whole organization without separating on-premises servers from cloud-hosted collaboration.
Asset teams should still verify hybrid dependencies. Many organizations run SharePoint Online for most users while keeping older on-premises farms for legacy workflows, migrations, records, intranet content, or third-party integrations. Those hidden farms are often the ones most likely to miss emergency patch attention.
CVE-2026-58644 is another reminder that on-premises collaboration platforms are high-value attack surfaces. A critical SharePoint RCE does not end at the web server. It can touch documents, identity, service accounts, integrations, cryptographic keys, and business workflows.
The mature response is fast and disciplined: identify exposed farms, patch and complete SharePoint configuration steps, enable AMSI and endpoint protection, remove unnecessary internet reachability, hunt for exploitation artifacts, and rotate machine keys only after suspicious tooling has been removed.
For any SharePoint Server that was exposed before remediation, the question should not be "did we install the update?" It should be "can we prove this farm is patched, hardened, and clean?"
CVE-2026-58644 is a critical Microsoft SharePoint Server deserialization vulnerability that can allow code execution over a network.
Yes. CISA added CVE-2026-58644 to the Known Exploited Vulnerabilities catalog on July 16, 2026 based on evidence of active exploitation.
Public advisories identify supported on-premises SharePoint Server editions, including Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
CISA lists a July 19, 2026 due date for affected U.S. federal civilian executive branch systems.
Apply Microsoft's July 2026 SharePoint security updates, verify post-update configuration, enable AMSI, reduce exposure, hunt for webshells and machine-key theft, and rotate keys after removing any intrusion artifacts.
Written by
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights delivered to your inbox.