SharePoint CVE-2026-58644 Added to CISA KEV After Exploitation

CISA added Microsoft SharePoint CVE-2026-58644 to KEV after exploitation was detected. Patch on-premises SharePoint Server 2016, 2019, and Subscription Edition quickly, then check for persistence signs.

CISA has added Microsoft SharePoint CVE-2026-58644 to its Known Exploited Vulnerabilities catalog after active exploitation was confirmed on July 16, 2026. The agency set a July 19 due date for required action, making this a short-window patch and triage item for organizations that still run on-premises SharePoint Server.[1]

Microsoft rates the flaw as Critical with a CVSS 3.1 base score of 9.8. The MSRC entry describes a deserialization of untrusted data issue in Microsoft Office SharePoint that can lead to remote code execution over the network, and the update page marks exploitation as detected.[2] NVD also lists the weakness as CWE-502 and shows the same critical CVSS vector, with high confidentiality, integrity, and availability impact.[3]

The affected line is not ordinary SharePoint Online tenant administration. CISA’s alert is focused on supported on-premises SharePoint Server deployments: Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.[4] That distinction matters because many organizations still expose collaboration portals, partner extranets, or legacy workflow systems even after moving most users to Microsoft 365.

There is one nuance administrators should not ignore. Microsoft’s FAQ says a network attacker authenticated as at least a Site Owner could inject and execute arbitrary code on the SharePoint Server, while the scoring and government advisories still put the issue in the urgent remote-exploitation bucket.[2] In practice, a farm with many Site Owners, reused credentials, weak MFA, exposed Central Administration, or recent phishing risk should be treated as a high-priority target, not as a routine authenticated-only bug.

This is also not an isolated SharePoint week. The new KEV entry follows CISA’s July 14 warning about active exploitation of several on-premises SharePoint flaws, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. HowToFix already covered the earlier SharePoint Server CVE-2026-45659 KEV addition and the broader Microsoft July Patch Tuesday AD FS and SharePoint zero-day update. CVE-2026-58644 is the fresh escalation: it has now moved from newly patched SharePoint risk into the active-exploitation catalog.

What SharePoint admins should check now

Start with exposure. Identify every on-premises SharePoint Server farm, especially systems reachable from the internet, partner VPNs, publishing zones, or reverse proxies. Confirm whether each farm is SharePoint Enterprise Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition, and record the current build before assuming a Windows Update cycle handled the SharePoint patch.

Microsoft’s affected-product data lists fixed builds for CVE-2026-58644 as 16.0.5556.1005 for SharePoint Enterprise Server 2016, 16.0.10417.20153 for SharePoint Server 2019, and 16.0.19725.20384 for SharePoint Server Subscription Edition. The associated security updates are KB5002880, KB5002874, and KB5002873 respectively.[5] Farms below those builds should be patched or isolated while the change is prepared.

After patching, do not stop at the version check. CISA warns that the broader SharePoint exploitation activity has included remote code execution, theft of IIS machine keys, deserialization-based persistence, and malware deployment.[4] Review IIS logs, SharePoint ULS logs, worker-process behavior, newly modified files under web roots, unexpected timer jobs, unfamiliar admin accounts, and any webshell-like activity. The same persistence pattern is why web administrators should also keep general webshell response habits close at hand: patching closes one door, but it does not prove the room is clean.

Finally, harden the farm around the patch. Restrict direct internet access where business requirements allow it, limit external access to Central Administration, review Site Owner memberships, require phishing-resistant MFA for privileged SharePoint and Windows accounts, and make sure Microsoft Defender Antivirus and AMSI integration are active where supported. If logs show signs of exploitation, preserve evidence before rebuilding trust in machine keys or service credentials.

References

  1. CISA Known Exploited Vulnerabilities Catalog, CVE-2026-58644 entry, added July 16, 2026.
  2. Microsoft Security Response Center, “CVE-2026-58644: Microsoft SharePoint Remote Code Execution Vulnerability.”
  3. NIST National Vulnerability Database, “CVE-2026-58644 Detail.”
  4. CISA Alert, “CISA Urges SharePoint Hardening After New Exploitations,” last revised July 16, 2026.
  5. Microsoft Security Update Guide affected-product data for CVE-2026-58644, including fixed builds and KB articles.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment