CISA Flags SharePoint Zero-Day CVE-2026-58644 With 48-Hour Patch Window
Every old harbour has that one wooden pier the locals keep patching plank by plank. Ships still tie up, cargo still moves, but every winter storm rips out another board and someone runs for the nails. On-premises SharePoint is that pier. Thursday's news is just the latest missing plank.
CISA added CVE-2026-58644, a critical SharePoint Server remote code execution flaw, to its Known Exploited Vulnerabilities catalog on July 17, 2026, and told Federal Civilian Executive Branch agencies they had until July 19 to close it. Two days. That's the kind of deadline you only see when the water is already coming over the boards.
What Happened
The vulnerability carries a CVSS score of 9.8, which is about as red as the dial goes. Microsoft classifies it as a critical deserialization of untrusted data bug that lets an unauthorised attacker execute arbitrary code on the SharePoint Server. Redmond's own advisory language, quoted in the reporting, spells it out: "In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server."
Patches shipped as part of the July 14, 2026 Patch Tuesday drop, but Microsoft later revised its bulletin to admit the flaw had been exploited in the wild as a zero-day before those fixes were available, as The Hacker News reported. That "revised the bulletin" phrasing is doing a lot of heavy lifting, by the way. It means somebody was already inside before defenders got the memo.
The affected estate is the whole on-prem lineup: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. CISA also flagged three sibling CVEs (CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) as part of the same active-exploitation cluster, and warned that the post-exploitation playbook includes stealing IIS machine keys and chaining further deserialization tricks to gain persistence and drop malware.
For good measure, CISA piled two Fortinet FortiSandbox flaws (CVE-2026-25089 and CVE-2026-39808) onto the KEV catalog the same day, with the same July 19 federal deadline. Thursday was not a quiet day for anyone running an emergency change window.
Technical Anatomy
Deserialization bugs are the cockroaches of enterprise security. You can spray for them for a decade and they'll still be behind the fridge. The pattern is always the same: some component accepts a serialized blob (a .NET object graph, a ViewState payload, a cached ASP.NET session) and rehydrates it into live objects without properly checking what type it's about to instantiate. Give the deserializer a gadget chain and you can turn "load this object" into "run this code" in one hop.
On SharePoint, that dance is made worse by IIS machine keys. The machine key is the shared secret used to sign and encrypt ViewState and other server-side blobs. Anyone who has done incident response on an ASP.NET server knows the pattern: once an attacker has the machine key, they can forge signed ViewState payloads at will, feed them back through the front door, and hit deserialization sinks with legitimate-looking, cryptographically valid input. That's why the post-exploitation activity CISA describes centres on machine key harvesting. The RCE is the way in; the key is the way to stay in.
Microsoft's own attack-complexity notes on CVE-2026-58644 read like a checklist for a scriptable exploit. Attack complexity is low. No significant prior knowledge of the system is required. Repeatable success with the payload against the vulnerable component. Translated from CVSS-speak into pub English: point tool at server, get shell, do it again tomorrow.
Yes, Microsoft's wording says the attacker needs to be "authenticated as at least a Site Owner." I wouldn't hang my hat on that as a mitigation. Site Owner is not a nation-state trust boundary. It's a role handed out by the dozen inside most large SharePoint farms, and if the attacker can phish, session-hijack, or ride a token from a compromised endpoint into any Site Owner account, the auth requirement melts away. The pier is still the pier.
Who Gets Burned
Federal agencies are the obvious first casualty, purely because the KEV deadline is legally binding on them. Two days to test and deploy a patch across every on-prem SharePoint farm is not a comfortable interval. Anyone who has pushed a SharePoint cumulative update at 3am, watched the Central Administration timer jobs limp back to life, and prayed the search index isn't corrupted, knows this is not routine work.
The bigger blast radius is in the private sector, which has no equivalent 48-hour clock. Financial services back-office teams, insurance carriers, healthcare systems, and government contractors still run enormous amounts of institutional memory on SharePoint 2016 and 2019. In fintech and iGaming, on-prem SharePoint is often the intranet layer where KYC procedures, compliance memos, incident postmortems, and vendor contracts live. Exactly the sort of content an attacker wants to read before the ransomware note goes out.
Payments platforms and licensed operators in regulated verticals should be especially twitchy. If the SharePoint farm is on the same Active Directory forest as your production identity plane (and it usually is), machine key theft plus lateral movement can end with a Golden SAML or a domain-wide compromise. The vulnerability itself is a SharePoint bug; the incident it triggers is an enterprise identity incident.
Ad-tech and crypto shops that ditched on-prem SharePoint years ago for Google Workspace or Notion get a rare quiet week. Everyone else gets a scramble. Expect the next 90 days to bring a slow trickle of "unauthorised access" disclosures from mid-market firms who patched on July 20 or later and only discover in September that machine keys walked out the door in early July.
Playbook for Security Teams
Start with the boring bit. Apply the July 14 Patch Tuesday updates on every SharePoint Subscription Edition, 2019, and 2016 farm you own. Verify the patch actually took, because SharePoint's update pipeline has a long history of "installed but not really" states. Then assume compromise until you can prove otherwise.
CISA's hardening list is worth reading in full, but the guts of it are these. Enable Antimalware Scan Interface (AMSI) integration for every SharePoint web application. Hunt for machine key harvesting artefacts before you rotate keys, because rotating a stolen key without evicting the attacker just tells them to grab the new one. Get SharePoint Central Administration off any interface that's reachable from the internet, and while you're at it, question whether the SharePoint front-end itself needs to be internet-facing at all.
On the detection side, map the post-exploitation behaviour to MITRE ATT&CK techniques your SIEM already knows: T1505.003 (web shell), T1552 (unsecured credentials via machine keys), and the deserialization-driven execution paths under T1059. Tune logging on w3wp.exe child processes and on any unusual .NET assembly loads inside the SharePoint app pools. If your EDR isn't screaming when powershell.exe spawns from an IIS worker process, that's the alert to build tonight.
One more thing. If you're a CTO still running SharePoint on-prem in 2026 because "migration is a project for next year," this week is the memo you can wave at the board. Next year has arrived several times already.
Key Takeaways
- CVE-2026-58644 is a CVSS 9.8 deserialization RCE in SharePoint Server, exploited as a zero-day before the July 14, 2026 Patch Tuesday fix shipped.
- CISA gave federal agencies until July 19, 2026 to patch, alongside two FortiSandbox flaws (CVE-2026-25089, CVE-2026-39808) added to KEV the same day.
- All supported on-prem SharePoint versions are affected: Subscription Edition, 2019, and 2016. There is no unsupported-version escape hatch here.
- Post-exploitation is centred on IIS machine key theft, which means patching alone does not evict a determined attacker. Hunt before you rotate.
- The plank keeps rotting. If SharePoint is still your intranet backbone in a regulated vertical, this incident is your excuse to accelerate the migration conversation.
Frequently Asked Questions
Q: What is CVE-2026-58644 and why did CISA add it to KEV?
CVE-2026-58644 is a critical deserialization of untrusted data vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8 that allows remote code execution. CISA added it to the Known Exploited Vulnerabilities catalog on July 17, 2026 after Microsoft confirmed it had been exploited in the wild as a zero-day before patches were available.
Q: Which SharePoint versions are affected and when must federal agencies patch?
The flaw affects Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Federal Civilian Executive Branch agencies were required to apply the fixes released in the July 14, 2026 Patch Tuesday updates by July 19, 2026.
Q: What should defenders do beyond applying the patch?
CISA recommends enabling AMSI integration for each SharePoint web application, scanning for and removing machine key harvesting tools before rotating IIS machine keys, blocking external access to SharePoint Central Administration, and avoiding direct internet exposure of SharePoint Servers where possible. Assume compromise and hunt for post-exploitation artefacts before rotating credentials.
SonicWall SMA Zero-Days Turn VPN Appliances Into Backdoors
Two chained SonicWall SMA 1000 zero-days are being exploited to turn remote-access appliances into unmonitored backdoors into Active Directory. Patching is not enough.
Aflac Japan Breach Report Blocked by Bot Wall: What We Know
A CPO Magazine report on an alleged Aflac Japan breach sits behind a bot-verification wall. What platform leaders should do when source signal fails.
Two 10.0 CVSS Joomla Zero-Days Hit KEV, FCEB Deadline Is Today
Two Joomla extension flaws scoring a perfect 10.0 on CVSS are being exploited in the wild, with FCEB agencies given until today, July 13, to patch.




