The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a severe vulnerability in Microsoft SharePoint, identified as CVE-2026-58644. This vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in cyberattacks.
Understanding the SharePoint Vulnerability
The flaw originates from a deserialization weakness that can enable remote code execution when untrusted data is improperly handled. This allows an attacker to run arbitrary code over a network without needing authentication, posing a significant threat to internet-exposed SharePoint servers commonly used in enterprises.
Classified under CWE-502, the vulnerability involves unsafe deserialization, where attackers exploit serialized objects sent to a system. If the application does not properly validate or sanitize this data, it can execute malicious payloads on the server.
Implications of the Exploited Flaw
Successful exploitation of this SharePoint vulnerability can enable attackers to establish initial access, deploy web shells, and further penetrate network defenses. CISA added this vulnerability to its KEV catalog on July 16, 2026, following confirmed incidents of active exploitation.
No direct link to specific ransomware campaigns has been confirmed; however, deserialization vulnerabilities are favored by ransomware operators and advanced threat groups due to their effectiveness and impact.
Recommended Mitigation Strategies
Federal agencies and organizations must prioritize addressing this vulnerability under Binding Operational Directive (BOD) 26-04, which stresses evaluating risk exposure and applying security updates promptly. Agencies should determine if their SharePoint instances are internet-facing and implement vendor-recommended measures.
CISA advises adhering to its Forensics Triage Requirements to identify potential compromises by reviewing logs and monitoring for unusual SharePoint activities, such as unauthorized file uploads or suspicious authentication patterns.
Microsoft has provided guidance to tackle this issue, and organizations are urged to apply recommended patches or mitigations immediately. If these are not feasible, discontinuing the use of the vulnerable service is advised until defenses are in place.
To enhance security, teams should implement additional measures like restricting external access to SharePoint servers, enabling endpoint detection and response tools, and conducting threat hunts to spot exploitation signs.
Given SharePoint’s widespread use across enterprises and government networks, the active exploitation of CVE-2026-58644 presents a major threat. Prompt patching, vigilant monitoring, and compliance with CISA guidelines are essential to mitigate this risk.
