The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical security flaw in Microsoft SharePoint Server. Added to the Known Exploited Vulnerabilities (KEV) catalog on Thursday, this flaw necessitates immediate action from Federal Civilian Executive Branch (FCEB) agencies. These agencies are required to implement the necessary fixes by July 19, 2026, to protect their systems against potential exploits.
Details of the SharePoint Vulnerability
Identified as CVE-2026-58644, the vulnerability carries a CVSS score of 9.8, indicating its severity. It involves the deserialization of untrusted data, which allows attackers without authorization to execute arbitrary code. Microsoft’s advisory highlights that attackers could exploit this flaw remotely by posing as a Site Owner, thereby injecting and executing code on the SharePoint Server.
This vulnerability affects several versions of SharePoint Server, including the Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The flaw was addressed in the Patch Tuesday updates on July 14, 2026, with Microsoft confirming that this vulnerability was actively exploited as a zero-day before the patch release.
Active Exploitation and Additional Threats
CISA has noted that this vulnerability is not the only one under active exploitation. Alongside CVE-2026-58644, other SharePoint Server vulnerabilities like CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 are also being targeted. These vulnerabilities allow attackers to gain unauthorized access and execute remote code, furthering the risk of persistence and malware deployment.
The federal agency emphasizes the risk to all supported on-premises SharePoint Server versions, warning of techniques used by threat actors, such as stealing Internet Information Services (IIS) machine keys and using deserialization tactics to escalate attacks.
Recommended Mitigation Strategies
In response, CISA has provided a series of hardening measures. Agencies are urged to apply the latest security patches from Microsoft promptly and ensure successful installation. The use of Antimalware Scan Interface (AMSI) integration for each SharePoint web application is also recommended.
Additional steps include scanning for intrusion artifacts, rotating IIS machine keys, and establishing robust logging mechanisms to detect exploitation attempts. CISA advises against exposing SharePoint Servers directly to the internet, restricting access to necessary systems, and following Microsoft’s security-hardening guidance.
Furthermore, CISA has identified two critical vulnerabilities in Fortinet FortiSandbox, CVE-2026-25089 and CVE-2026-39808, adding them to the KEV catalog due to active exploitation reports. Federal agencies are once again urged to update their systems by July 19, 2026.
In light of these developments, it is imperative for organizations to act swiftly to secure their systems against these evolving threats.
