Cyber Security

CISA Adds SharePoint Exploited RCE Zero-Day CVE-2026-58644 to KEV

IRavie LakshmananJuly 17, 2026Vulnerability / Business Security

The Cybersecurity and Infrastructure Security Agency (CISA) of the US on Thursday added a newly discovered security flaw affecting Microsoft SharePoint Server to its catalog known as Known Exploited Vulnerabilities (KEV), requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by July 19, 2026.

The vulnerability in question CVE-2026-58644 (CVSS Score: 9.8), a critical disclosure of an untrusted data vulnerability that allows an unauthorized attacker to execute arbitrary code.

“In a network-based attack, an authenticated attacker who is at least a Site Owner, can write arbitrary code to inject and execute remote code on SharePoint Server,” Microsoft said in an advisory issued earlier this week.

Redmond noted that the vulnerability is exploitable remotely over the Internet, warning that the complexity of the attack is low for two reasons –

  • The attacker does not need significant prior knowledge of the system
  • An attacker can achieve repeatable success with a payload against a vulnerable component

The vulnerability affects the following versions –

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

Patches for the bug were released as part of the Patch Tuesday updates released on July 14, 2026. Microsoft has since updated its report to clarify that CVE-2026-58644 was exploited in the wild, meaning the bug was used as a zero-day before a fix was available.

The development comes as CISA warned of active exploitation of several SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, which could enable malicious actors to gain unauthorized access.

“This vulnerability affects all SharePoint server-based versions (Subscription Edition, 2019, and 2016) and involves establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing Internet extraction techniques, to achieve Internet persistence,”

CISA has outlined the following enforcement measures to contain the menace –

  • Install the latest patches and security updates from Microsoft, ensure they are installed successfully, and minimize patching cycles when possible.
  • Ensure that the Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application.
  • Scan and remove incoming artifacts, including machine key harvesting tools, before rotating IIS machine keys to prevent key theft.
  • Create custom logging methods to detect and monitor exploits.
  • Avoid exposing SharePoint servers directly to the Internet unless absolutely necessary.
  • Block external access to SharePoint Central Administration, limit farm and database connections to required applications, and review guidance on strengthening Microsoft SharePoint Server security through specific ports, resources, and Web.config settings.

On Thursday, the organization also added two critical security flaws affecting Fortinet FortiSandbox (CVE-2026-25089 and CVE-2026-39808) to the KEV catalog, following reports of active exploits. Government agencies have until July 19, 2026, to update their standards to the latest supported versions.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button