The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. This development mandates that Federal Civilian Executive Branch (FCEB) agencies must implement necessary patches by July 19, 2026, to mitigate the risk posed by this SharePoint Server vulnerability.
The vulnerability, identified as CVE-2026-58644, carries a CVSS score of 9.8, classifying it as critical. It stems from an untrusted data deserialization issue, empowering an unauthenticated attacker to execute arbitrary code remotely on a vulnerable SharePoint Server. Microsoft’s advisory indicates that an attacker authenticated as at least a Site Owner could exploit this to inject and run malicious code.
Critical SharePoint Server Vulnerability Added to CISA’s KEV Catalog
The inclusion of CVE-2026-58644 in CISA’s KEV catalog highlights the immediate threat posed to organizations utilizing specific versions of Microsoft SharePoint Server. The vulnerability’s network-based attack vector, coupled with low attack complexity, makes it a significant concern for enterprise security. Microsoft has indicated that exploitation is repeatable against the vulnerable component with minimal prior knowledge required from the attacker.
This critical flaw impacts several widely used versions of Microsoft SharePoint Server, including Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. The patches for this vulnerability were made available by Microsoft as part of their July 14, 2026, Patch Tuesday updates.
Significantly, Microsoft has revised its bulletin to confirm that CVE-2026-58644 has already been exploited in the wild. This means the vulnerability was weaponized as a zero-day exploit before official fixes were distributed, underscoring the urgency for agencies to apply the patches.
Multiple SharePoint Server Vulnerabilities Under Active Exploitation
The addition of CVE-2026-58644 follows a broader warning from CISA concerning the active exploitation of several other SharePoint Server vulnerabilities. These include CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. This cluster of exploitable flaws could allow threat actors to gain unauthorized access to on-premises SharePoint Server instances.
According to CISA, these vulnerabilities affect all supported on-premises SharePoint Server versions. The exploitation can lead to remote code execution (RCE) and post-exploitation activities. These activities may include the theft of Internet Information Services (IIS) machine keys and the deployment of malware through deserialization techniques, enabling attackers to gain persistence within compromised systems.
Mitigation and Hardening Measures for SharePoint Servers
To help contain these threats, CISA has outlined a series of hardening measures for federal agencies. The agency strongly advises applying the latest Microsoft patches and security updates as soon as possible and verifying their successful installation. Reducing patching cycles is also recommended to minimize the window of exposure.
Further mitigation steps include verifying that Antimalware Scan Interface (AMSI) integration is enabled for all SharePoint web applications. Agencies are also urged to scan for and remove any existing intrusion artifacts, such as machine key harvesting tools, before rotating IIS machine keys to prevent their subsequent theft. Establishing tailored logging mechanisms to monitor for and detect exploitation activities is also a key recommendation.
In terms of network security, CISA advises against exposing SharePoint Servers directly to the internet unless absolutely necessary. Blocking external access to SharePoint Central Administration and restricting farm and database communications to only essential systems are also critical steps. Reviewing Microsoft’s comprehensive SharePoint Server security hardening guidance for role-specific ports, services, and Web.config settings is paramount for robust defense.
In related news, CISA also recently added two critical security flaws impacting Fortinet FortiSandbox appliances to the KEV catalog, CVE-2026-25089 and CVE-2026-39808, due to reports of their active exploitation. Federal agencies are similarly required to update these Fortinet instances by July 19, 2026, to the latest supported versions.
The ongoing addition of critical vulnerabilities to CISA’s KEV catalog, particularly those affecting widely used enterprise software like Microsoft SharePoint Server, underscores the persistent and evolving threat landscape. Federal agencies must diligently adhere to the mandated patching deadlines to secure their systems against active exploitation. The next expected step will be continued monitoring for any new exploitations or advanced threat actor tactics targeting these platforms.

