Invaders
Back to Blog
Structured data rendered for: WebPage
INVADERS
Get Started

Share

Back to Blog
  1. Home
  2. Resources
  3. Blog
  4. vulnerability
  5. SharePoint RCE zero-day forces a July 19 incident-response deadline

SharePoint RCE zero-day forces a July 19 incident-response deadline

July 19, 2026
Lucas OliveiraLucas Oliveira
7 min read
SharePoint RCE zero-day forces a July 19 incident-response deadline

SharePoint RCE zero-day forces a July 19 incident-response deadline

Microsoft SharePoint Server administrators have another urgent on-premises exposure to handle. CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities catalog on July 16, 2026, after evidence that attackers were exploiting the flaw in the wild. Federal civilian agencies were given until July 19, 2026 to apply fixes or mitigations.

The vulnerability is a critical deserialization issue in Microsoft Office SharePoint. NVD records it as CWE-502, assigns a CVSS 3.1 score of 9.8, and describes the impact plainly: an unauthorized attacker can execute code over a network. Microsoft released patches in the July 14, 2026 Patch Tuesday update, then the exploitation signal arrived quickly enough that this should not be treated as routine maintenance.

For defenders, the important point is not only that SharePoint needs patching. It is that an exploited remote code execution flaw on an on-premises collaboration server can become a persistence, credential, and data-access problem even after the initial bug is fixed.

What CVE-2026-58644 affects

CVE-2026-58644 affects supported on-premises Microsoft SharePoint Server editions, including:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

NVD lists the vulnerability as deserialization of untrusted data in Microsoft Office SharePoint. The CVSS vector is:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

That means network reachable, low attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact. In operational language, it is the shape of vulnerability that belongs at the front of a patch queue if the server is reachable from the internet or from a broad internal network.

The affected product category matters. SharePoint is not just a file portal. In many organizations it holds sensitive documents, internal workflows, forms, project sites, records, lists, and integration points into identity, email, Teams, Office automation, and line-of-business systems. Code execution on a SharePoint server can put a lot of trusted context within reach.

Why KEV changes the response

CISA KEV inclusion means defenders should assume exploitation is real, not speculative. CISA's July alert says multiple SharePoint Server vulnerabilities are under active exploitation and highlights post-exploitation activity such as IIS machine-key theft, deserialization techniques, persistence, and malware deployment.

That machine-key detail is the part that turns this from a patch task into an incident response task. ASP.NET machine keys can help attackers maintain access or forge trusted application state depending on how they are used and what was stolen. If an attacker harvested those keys before remediation, patching the vulnerable code may stop the entry point but not automatically remove the attacker's ability to reuse stolen material.

The right mental model is therefore:

  • patch SharePoint to close the known path
  • verify the patch and configuration steps actually completed
  • search for exploitation artifacts
  • remove webshells or tooling before rotating keys
  • rotate affected cryptographic material and secrets
  • reduce unnecessary exposure so the next SharePoint bug is harder to reach

Skipping the middle steps creates false confidence. A server can be patched and still carry compromise artifacts.

The on-premises SharePoint risk pattern

SharePoint Server has a recurring operational problem: it is business-critical, frequently customized, and often harder to patch cleanly than ordinary web software. Farms may depend on third-party components, custom web parts, legacy authentication, complex database topology, and maintenance windows negotiated with multiple business owners.

That makes emergency patching slower precisely where attackers expect delay. Internet-facing or partner-facing SharePoint systems are especially attractive because they sit between public access and internal content. Even when authentication is present, the system often carries trusted application identity, service accounts, document access, and high-value logs.

For security teams, the exposed-instance question is more important than the product name alone:

  • Which SharePoint farms are internet-facing?
  • Which farms are reachable through VPN, partner access, or broad internal networks?
  • Which editions and build numbers are running?
  • Which web applications have AMSI enabled?
  • Which farms host sensitive content, privileged workflows, or regulated data?
  • Which service accounts, database permissions, and integrations could be abused after code execution?

This is where exposure management should guide patch management. The highest priority systems are not necessarily the biggest farms. They are the reachable farms where code execution would give attackers the most useful authority.

What defenders should do first

Start with the farms that can be reached by untrusted users. Confirm the exact SharePoint edition, installed security update level, and whether the SharePoint Products Configuration Wizard or equivalent post-update configuration work has completed. SharePoint patching is not fully done just because a package installed successfully.

Then apply the immediate hardening steps CISA and Microsoft emphasize:

  • install the latest SharePoint security updates and verify installation
  • enable AMSI integration for each SharePoint web application
  • ensure Microsoft Defender Antivirus or equivalent protection is active where supported
  • remove direct internet exposure unless there is a clear business requirement
  • block external access to SharePoint Central Administration
  • restrict farm and database communications to required systems
  • review role-specific ports, services, and Web.config settings

Where SharePoint must remain externally reachable, put it behind strong access controls, WAF/CDN rules, identity enforcement, and monitoring. Those controls do not replace patching, but they reduce the blast radius of the next exploit chain.

Hunt before rotating keys

CISA's guidance to scan for and remove intrusion artifacts before rotating IIS machine keys is practical. If an attacker still has a webshell, scheduled task, modified web application file, or another foothold, key rotation becomes noisy housekeeping rather than recovery.

Teams should preserve and review:

  • IIS access logs
  • SharePoint ULS logs
  • Windows event logs
  • Defender or EDR telemetry
  • PowerShell execution logs
  • web root and layouts directory file changes
  • newly created scheduled tasks or services
  • unusual outbound connections from SharePoint servers
  • unexpected account creation, privilege changes, or service-account usage

Useful hunting questions include whether the server served suspicious requests around July 14 through July 19, whether any ASP.NET or SharePoint application files changed unexpectedly, whether machine-key access or export activity appears in telemetry, and whether the farm made outbound connections to unfamiliar infrastructure.

If suspicious activity appears, treat the SharePoint host as part of a broader investigation. Review connected SQL Server activity, service account usage, authentication logs, document access patterns, and any system that trusts the SharePoint farm.

Cloud SharePoint is a different question

The current issue is about on-premises SharePoint Server. SharePoint Online in Microsoft 365 follows a different service model and is not the same patching problem for customers. That distinction matters for communication: do not send a generic "SharePoint is vulnerable" alert to the whole organization without separating on-premises servers from cloud-hosted collaboration.

Asset teams should still verify hybrid dependencies. Many organizations run SharePoint Online for most users while keeping older on-premises farms for legacy workflows, migrations, records, intranet content, or third-party integrations. Those hidden farms are often the ones most likely to miss emergency patch attention.

Executive takeaway

CVE-2026-58644 is another reminder that on-premises collaboration platforms are high-value attack surfaces. A critical SharePoint RCE does not end at the web server. It can touch documents, identity, service accounts, integrations, cryptographic keys, and business workflows.

The mature response is fast and disciplined: identify exposed farms, patch and complete SharePoint configuration steps, enable AMSI and endpoint protection, remove unnecessary internet reachability, hunt for exploitation artifacts, and rotate machine keys only after suspicious tooling has been removed.

For any SharePoint Server that was exposed before remediation, the question should not be "did we install the update?" It should be "can we prove this farm is patched, hardened, and clean?"

What is CVE-2026-58644?

CVE-2026-58644 is a critical Microsoft SharePoint Server deserialization vulnerability that can allow code execution over a network.

Is it being exploited?

Yes. CISA added CVE-2026-58644 to the Known Exploited Vulnerabilities catalog on July 16, 2026 based on evidence of active exploitation.

Which SharePoint versions are affected?

Public advisories identify supported on-premises SharePoint Server editions, including Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

What is the federal remediation deadline?

CISA lists a July 19, 2026 due date for affected U.S. federal civilian executive branch systems.

What should defenders do now?

Apply Microsoft's July 2026 SharePoint security updates, verify post-update configuration, enable AMSI, reduce exposure, hunt for webshells and machine-key theft, and rotate keys after removing any intrusion artifacts.

References

  1. NVD: CVE-2026-58644
  2. Microsoft Security Update Guide: CVE-2026-58644
  3. CISA Urges SharePoint Hardening After New Exploitations
  4. CISA Known Exploited Vulnerabilities Catalog entry for CVE-2026-58644
  5. CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

FAQ

Tags:
vulnerability
CVE
Microsoft
SharePoint
Remote Code Execution
CISA KEV
Patch Management
Incident Response
L

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.

Hot TopicsLast 7 days

#Authentication Bypass
14 posts
#AI Security
11 posts
#Account Takeover
7 posts
#Active Exploitation
4 posts
#Access Control
3 posts
#API Security
3 posts
#Application Security
3 posts
#Authentication Tokens
3 posts
View all tags →

Categories

All ArticlesBusiness0Cloud & Application Security16Cloud Security1Cybercrime9Data Breach2Data Protection3Infostealer2Ransomware Groups2Ransomware Trends3Security3supply chain attack8Supply Chain Security5Threat Hunting & Intel32vulnerability102

Stay Updated

Get the latest cybersecurity insights delivered to your inbox.

INVADERS

Providing enterprise-grade cybersecurity solutions to protect organizations from evolving digital threats.

FacebookTwitterLinkedIn

Services

  • Web App Vulnerability Reports
  • Threat Hunting & Intelligence
  • Cybercrime & APT Tracking
  • Incident Response & Remediation

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Security Policy

Company

  • About Us
  • Careers
  • Blog
  • Press

© 2026 Invaders Cybersecurity. All rights reserved.

PrivacyTermsCookies