CISA Sounds the Alarm on Actively Exploited SharePoint Zero-Day
If your organization is still running on-premises Microsoft SharePoint servers, it is time to drop everything and check your update logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical SharePoint vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, placing a strict July 19, 2026, patching deadline on Federal agencies.
The Vulnerability: CVE-2026-58644 Carrying a massive CVSS severity score of 9.8 out of 10, CVE-2026-58644 is a critical “deserialization of untrusted data” flaw. In plain English, this means the SharePoint server fails to properly verify the safety of incoming data before processing it. If an attacker has at least “Site Owner” privileges, they can exploit this weakness over the network to inject and execute arbitrary code remotely on the server (RCE).
What makes this particularly dangerous is the low attack complexity. Microsoft noted that an attacker doesn’t need deep prior knowledge of the target system to achieve repeatable, reliable success with their payloads. Worse yet, Microsoft confirmed that this flaw was exploited in the wild as a true zero-day before they managed to roll out fixes during the mid-July Patch Tuesday updates.
Who is Affected and How to Mitigate The vulnerability impacts all supported on-premises versions, including Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Cybersecurity authorities are urging organizations not to stop at just applying the patch. Because the vulnerability allows for post-exploitation persistence, administrators should actively scan their networks for intrusion artifacts. Threat actors often use this type of access to deploy malware or steal Internet Information Services (IIS) machine keys. CISA strongly recommends that organizations enable Antimalware Scan Interface (AMSI) integration for SharePoint web applications, verify that their servers are not directly exposed to the open internet unless absolutely necessary, and rotate their IIS machine keys—but only after confirming the server is clean.
