Critical Microsoft SharePoint Vulnerability Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-58644, a critical Microsoft SharePoint vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog after confirming real-world attacks. The flaw, classified under CWE-502 (unsafe deserialization), allows unauthenticated remote code execution (RCE) when an attacker sends maliciously crafted serialized data to a vulnerable SharePoint server.
Exploitation of this vulnerability could enable threat actors to deploy web shells, move laterally within networks, or launch further attacks, posing severe risks to enterprise and government environments where SharePoint is widely used for document management and collaboration. While no specific ransomware campaigns have been linked to this flaw, deserialization vulnerabilities are a favored attack vector for both ransomware groups and advanced persistent threats (APTs) due to their reliability and high impact.
CISA added CVE-2026-58644 to the KEV catalog on July 16, 2026, mandating federal agencies to remediate the issue under Binding Operational Directive (BOD) 26-04. Organizations must assess whether their SharePoint instances are internet-facing and apply Microsoft’s patches or mitigations within CISA’s specified timeframe. If immediate fixes are not feasible, CISA recommends disabling the vulnerable service until protections are in place.
To detect potential compromises, security teams are advised to review logs, monitor for unusual SharePoint activity, and investigate indicators such as unexpected processes or unauthorized file uploads. Additional defensive measures include restricting external access to SharePoint servers, enabling endpoint detection and response (EDR) tools, and conducting threat hunting.
Given SharePoint’s prevalence in enterprise and government networks, the active exploitation of CVE-2026-58644 underscores the urgency of patching, continuous monitoring, and adherence to CISA’s directives to mitigate risks.
Source: https://cybersecuritynews.com/microsoft-sharepoint-code-execution-vulnerability-exploited/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft_sharepoint
"id": "mic1784283944",
"linkid": "microsoft_sharepoint",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Multiple'],
'location': 'Global',
'name': 'Microsoft SharePoint users (enterprise and '
'government environments)',
'type': ['Enterprise', 'Government']}],
'attack_vector': 'Remote',
'date_publicly_disclosed': '2026-07-16',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) has added CVE-2026-58644, a critical Microsoft '
'SharePoint vulnerability, to its Known Exploited '
'Vulnerabilities (KEV) catalog after confirming real-world '
'attacks. The flaw allows unauthenticated remote code '
'execution (RCE) when an attacker sends maliciously crafted '
'serialized data to a vulnerable SharePoint server. '
'Exploitation could enable threat actors to deploy web shells, '
'move laterally within networks, or launch further attacks.',
'impact': {'operational_impact': 'Potential lateral movement, unauthorized '
'access, and further attacks',
'systems_affected': 'Microsoft SharePoint servers'},
'investigation_status': 'Ongoing',
'motivation': ['Ransomware', 'Advanced Persistent Threats (APTs)'],
'post_incident_analysis': {'corrective_actions': ['Patching',
'Disabling vulnerable '
'services',
'Enhanced monitoring'],
'root_causes': 'Unsafe deserialization '
'vulnerability (CWE-502)'},
'recommendations': ['Assess whether SharePoint instances are internet-facing',
'Apply Microsoft’s patches or mitigations',
'Restrict external access to SharePoint servers',
'Enable endpoint detection and response (EDR) tools',
'Conduct threat hunting'],
'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) '
'catalog'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA Binding '
'Operational Directive '
'(BOD) 26-04']},
'response': {'containment_measures': ['Disabling the vulnerable service if '
'immediate fixes are not feasible'],
'enhanced_monitoring': ['Review logs',
'Monitor for unusual SharePoint activity',
'Investigate indicators such as '
'unexpected processes or unauthorized '
'file uploads'],
'remediation_measures': ['Apply Microsoft’s patches or '
'mitigations']},
'stakeholder_advisories': 'Federal agencies mandated to remediate under BOD '
'26-04',
'title': 'Critical Microsoft SharePoint Vulnerability Under Active '
'Exploitation (CVE-2026-58644)',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-58644 (CWE-502 - Unsafe Deserialization)'}