Federal Civilian Executive Branch agencies have until July 19, 2026, to apply fixes for a Microsoft SharePoint Server vulnerability that Microsoft says has been exploited in the wild.
CVE-2026-58644: a critical deserialization remote code execution
The flaw, tracked as CVE-2026-58644 and assigned a CVSS score of 9.8, is a "deserialization of untrusted data" vulnerability that can allow an attacker to execute arbitrary code on affected SharePoint Servers. Microsoft described the attack path in its advisory: "In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server."
Microsoft warned the vulnerability is remotely exploitable over the internet and that attack complexity is low for two reasons: an attacker does not require significant prior knowledge of the system, and an attacker can achieve repeatable success with the payload against the vulnerable component. Patches were released as part of Patch Tuesday updates on July 14, 2026, and Microsoft revised its bulletin to clarify that CVE-2026-58644 "has been exploited in the wild."
Scope: supported on‑premises SharePoint Server versions
CISA and Microsoft list the affected products explicitly: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. CISA warned that multiple SharePoint Server vulnerabilities — including CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644 — are being actively exploited and could enable threat actors to gain unauthorized access to on-premises instances.
As CISA put it, "These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware."
CISA's KEV addition and the July 19, 2026 federal deadline
On Thursday, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog. That addition triggers a mandatory requirement for Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw within the agency-directed timeline: apply the patches by July 19, 2026. The listing reflects CISA's broader advisory about active exploitation of SharePoint Server vulnerabilities and is intended to accelerate patching across federal networks.
Also added: Fortinet FortiSandbox critical flaws
Alongside the SharePoint entry, CISA added two critical vulnerabilities affecting Fortinet FortiSandbox — CVE-2026-25089 and CVE-2026-39808 — to the KEV catalog following reports of active exploitation. Federal agencies were given the same July 19, 2026, deadline to update their FortiSandbox instances to the latest supported versions.
What this means for FCEB agencies, SharePoint administrators, and threat actors
- FCEB agencies: The KEV listing imposes a firm remediation timeline. Agencies must verify that the July 14, 2026 Patch Tuesday fixes are installed successfully by July 19, 2026, and shorten patching cycles where possible, per CISA guidance.
- SharePoint administrators and enterprises running on-premises instances: Administrators should apply the patches, enable Antimalware Scan Interface (AMSI) integration for each SharePoint web application, scan for and remove intrusion artifacts before rotating IIS machine keys, and restrict external access to Central Administration and unnecessary farm/database communications.
- Threat actors and incident responders: CISA's notice flags active exploitation and post-exploitation behaviors — including machine key harvesting and persistence via deserialization — underscoring that defenders should prioritize detection, tailored logging, and artifact removal to prevent or contain follow-on malware deployment.
CISA's technical mitigations mirror the immediate operational priorities: patch now, verify installation, remove intrusion artifacts before key rotation, tighten exposure to the internet, and increase logging to detect exploitation activity. With Microsoft confirming in-the-wild use and patches published on July 14, 2026, the near-term test is whether agencies and administrators meet the July 19 deadline to close a vulnerability that already has been weaponized.




